The Ultimate Beginner’s Guide to a Super-Secure WordPress Site on Ubuntu

Building a website is exciting, but in today’s world, just getting it online isn’t enough. You need to build a fortress. A standard WordPress site can be a target for hackers and bots, but don’t worry. Real security isn’t some complicated add-on you tack on at the end; it’s built right into the foundation of your server from the very beginning.

This guide will walk you through, step-by-step, not just how to install WordPress, but how to do it the right way. We’ll create a secure and resilient digital home for your website on your own Linux Virtual Private Server (VPS). We’ll go through four main phases: locking down your server, installing the necessary software securely, setting up WordPress itself, and adding the final layers of protection.

Each step will explain what we’re doing and, more importantly, why it’s a critical piece of your website’s security puzzle. By the end, you’ll have a WordPress site that’s built to last and built to be safe.

Part 1: Building the Foundation Walls

Before we even think about WordPress, we need to make sure the server itself is a secure place. Think of this as building the strong outer walls of your castle. Skipping these first steps is like leaving the front gate wide open.

Step 1.1: Your First Trip to the Server with PuTTY

When you first get your new server, you’ll be given an IP address (a string of numbers like 198.51.100.10) and a password for the root account. The root account is the all-powerful super-administrator of your server, so we want to use it as little as possible.

Since you’re on a Windows computer, the best tool for the job is a free program called PuTTY. If you don’t have it, you can download it from the official website.

  1. Download and Install PuTTY: Go to the PuTTY website and download the installer for your version of Windows (most modern computers are 64-bit). Install it like any other program.
  2. Open PuTTY: Find PuTTY in your Start Menu and open it. You’ll see the configuration window.
  3. Connect to Your Server: In the “Host Name (or IP address)” box, type your server’s IP address. For this guide, we’ll pretend our IP is 198.51.100.10. Make sure the “Port” is 22 and the “Connection type” is “SSH”. Click “Open”.
  4. Security Alert: The very first time you connect, PuTTY will show a security alert. This is normal. It’s just PuTTY seeing the server for the first time. Click “Accept”.
  5. Log In: A black terminal window will appear, asking you to login as:. Type root and press Enter. It will then ask for the root password. Type or paste the password your hosting provider gave you and press Enter. Note: You won’t see the password as you type. This is a security feature!

Now that you’re in, the very first thing to do is update all the server’s software to patch any known security holes.

apt update && apt upgrade -y

Step 1.2: Creating a Day-to-Day Manager Account

Running your server as the root user all the time is risky; a single typo can cause major problems. We’re going to create a new, less powerful user for our everyday work. This is our first step in applying a key security idea: the Principle of Least Privilege, which just means no one should have more power than they absolutely need to do their job.

Let’s create a new user called blogadmin.

adduser blogadmin

The server will ask you to create and confirm a new password for this user. Make it strong! You can press Enter to skip the other questions about full name, etc.

Next, we’ll give this new user the ability to perform administrative tasks when needed by adding them to the sudo group.

usermod -aG sudo blogadmin

Now, let’s switch to our new user and make sure everything works.

su - blogadmin

From now on, we’ll log in and work as blogadmin.

Step 1.3: Swapping Your Password for a Super-Secure Key

Passwords can be guessed or stolen. A much safer way to log in is with SSH keys. Think of it like replacing a simple door key with a high-tech, un-copyable key card. You’ll have a private key that you keep secret on your Windows computer and a public key that you put on your server, which acts as the lock.

  1. Open PuTTYgen: On your Windows computer, open the Start Menu and find PuTTYgen. This tool was installed along with PuTTY.
  2. Generate the Keys: Make sure “RSA” is selected at the bottom, and change the number of bits to 4096 for extra security. Click the “Generate” button. You’ll need to move your mouse randomly over the blank area to create the key.
  3. Save Your Keys:
    • Once the key is generated, copy the entire block of text from the top box (the public key) and paste it into a Notepad file for now. We’ll need it in a moment.
    • It’s a very good idea to add a “Key passphrase”. This is like a password for your key file itself, adding another layer of security.
    • Click “Save private key”. Name it something like my-blog-key.ppk and save it somewhere safe on your computer. Never share this private key file with anyone!
  4. Put the Lock on the Server: Now, we need to put the public key (the lock) onto your server.
    • Connect to your server with PuTTY again, this time logging in as your new blogadmin user with the password you created.
    • Once you’re logged in, run these commands one by one to create a special folder for the key and set its permissions so only you can access it.

mkdir ~/.ssh

chmod 700 ~/.ssh

    • Now, create the file that will hold your public key. We’ll use a simple text editor called nano.

nano ~/.ssh/authorized_keys

    • Go back to the Notepad file where you pasted your public key from PuTTYgen. Copy the entire text. In the PuTTY terminal window, right-click your mouse once to paste the key. It should be one long line of text.
    • Press Ctrl+X to exit, then Y to save, and finally Enter to confirm the filename.
    • Lastly, set the permissions for this file so only you can read and write to it.

chmod 600 ~/.ssh/authorized_keys

Step 1.4: Locking the Gates for Good

Now that your key is set up, we can disable password logins entirely. This is a huge security boost!

  1. Configure PuTTY for Key Login:
    • Close your current PuTTY connection and open PuTTY again.
    • On the left side, go to Connection -> SSH -> Auth.
    • Under “Private key file for authentication”, click “Browse…” and select the my-blog-key.ppk file you saved earlier.
    • Go back to the Session category on the left. Click on “Default Settings” and then click “Save”. This tells PuTTY to always use your key for future connections.
  2. Log In with Your Key: Click “Open” to connect. It should now log you in automatically (or ask for your key’s passphrase if you set one) instead of your user password.
  3. Disable Password Logins: Now that you’re logged in with your key, let’s edit the main SSH configuration file.

sudo nano /etc/ssh/sshd_config

Find these two lines and set their values to no:

PermitRootLogin no

PasswordAuthentication no

This stops the root user from logging in directly and turns off all password-based logins. Press Ctrl+X, Y, and Enter to save.

  4. Apply the Changes: Restart the SSH service to make your new settings active.

sudo systemctl restart ssh
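Before restarting, it is worth confirming that the two directives really are in effect. sshd uses the first value it sees for a directive, and on recent Ubuntu releases sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there (cloud images often ship one) can silently override the edit above. The following audit script is an added example, not part of the guide; it expands Include lines the way sshd does, but assumes absolute Include paths and ignores Match blocks.

```shell
#!/bin/sh
# Added example: report the effective value sshd will use for the two hardening
# directives. Assumes Include paths are absolute (as on Ubuntu) and that the caller can
# read the files (use sudo for the real /etc/ssh). Match blocks are not evaluated, which
# is correct for the global value because sshd honours the first occurrence.

# Print FILE with every "Include <glob>" expanded in place, in the order sshd reads it.
expand_sshd_config() {
  local file="$1" line key glob f
  while IFS= read -r line || [ -n "$line" ]; do
    key=$(printf '%s' "$line" | awk '{print tolower($1)}')
    if [ "$key" = "include" ]; then
      glob=$(printf '%s' "$line" | awk '{print $2}')
      for f in $glob; do [ -f "$f" ] && expand_sshd_config "$f"; done
    else
      printf '%s\n' "$line"
    fi
  done < "$file"
}

# effective_value FILE DIRECTIVE -> first uncommented value (lowercased), or "unset".
effective_value() {
  local v
  v=$(expand_sshd_config "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }            # following lines are conditional
        tolower($1) == k           { print tolower($2); exit }')
  printf '%s' "${v:-unset}"
}

# check_ssh_hardening FILE -> exit 0 when both directives are effectively "no", else 1.
check_ssh_hardening() {
  local ok=0 d v
  for d in PermitRootLogin PasswordAuthentication; do
    v=$(effective_value "$1" "$d")
    if [ "$v" = "no" ]; then
      echo "OK   $d = no"
    else
      echo "FAIL $d = $v (first value wins; check Include drop-ins)"; ok=1
    fi
  done
  return $ok
}
```

On the server, run the check against /etc/ssh/sshd_config, then `sudo sshd -t` to validate the syntax, and only then restart; keep your current session open until a second key-based login succeeds.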

Step 1.5: Raising the Digital Drawbridge (Firewall)

A firewall is like a digital bouncer for your server. It decides what traffic is allowed in and what gets blocked. We’ll use Ubuntu’s Uncomplicated Firewall (UFW) to set up some basic rules. The plan is to block everything by default, then specifically allow only what we need.

First, let’s tell it to deny all incoming traffic and allow all outgoing traffic.

sudo ufw default deny incoming

sudo ufw default allow outgoing

Crucially, we must allow SSH traffic, otherwise we’ll lock ourselves out!

sudo ufw allow OpenSSH

Now, turn the firewall on.

sudo ufw enable

You can check its status anytime with sudo ufw status. You’ll see that only OpenSSH (your connection) is allowed in.

Part 2: Assembling Your Website’s Software Team

With the server’s foundation secure, it’s time to install the software team that will run your WordPress site. This is often called a “LAMP” stack, which stands for Linux, Apache, MySQL, and PHP.

Step 2.1: Installing Apache, the Web Host

Apache is the web server software. Think of it as the friendly host that greets your visitors and serves them your website’s pages.

sudo apt install apache2 -y

Now we need to tell our firewall bouncer to let web visitors in. Apache has a handy profile for UFW that opens the right doors (ports 80 for regular HTTP and 443 for secure HTTPS).

sudo ufw allow 'Apache Full'

Step 2.2: Installing MariaDB, the Filing Cabinet

WordPress needs a database to store everything: your posts, pages, comments, and settings. Think of it as a super-organized digital filing cabinet. We’ll use MariaDB, a popular and fast version of MySQL.

sudo apt install mariadb-server mariadb-client -y

Right after installation, the database is not secure. We need to run a security script that comes with it.

sudo mysql_secure_installation

This script will ask you a series of questions. For the best security, you should answer “Y” (for Yes) to all of them. This will set a strong password for the database’s main admin, remove insecure default settings, and lock things down.

Now, we’ll create a special database and a unique user just for WordPress. This is another example of the Principle of Least Privilege. If your WordPress site ever has a problem, the damage is contained only to its own database.

Log in to the MariaDB command line.

sudo mysql -u root

Now, run these commands one by one. We’ll create a database called my_blog_db and a user called blog_user with a strong password. Remember to replace ‘AVeryStrongP@ssw0rd!’ with your own unique, strong password.

SQL

CREATE DATABASE my_blog_db;
CREATE USER 'blog_user'@'localhost' IDENTIFIED BY 'AVeryStrongP@ssw0rd!';
GRANT ALL PRIVILEGES ON my_blog_db.* TO 'blog_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Step 2.3: Installing PHP, the Brains of the Operation

PHP is the programming language that WordPress is built on. It’s the “brains” that processes everything in the background to make your site dynamic and interactive. We also need to install several PHP “extensions,” which are like special toolkits that WordPress needs to do things like process images and talk to the database.

sudo apt install php libapache2-mod-php php-mysql php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip php-imagick php-bcmath -y

This single command installs PHP and all the extensions WordPress recommends for a fully functional site.

Part 3: Putting WordPress in Its New Home

The server is prepped and the software is ready. Now it’s time to actually install WordPress.

Step 3.1: Giving Apache Directions to Your Website

Even if you only plan to have one website, it’s best to give Apache a specific set of instructions for it. This is called a “Virtual Host.” It tells Apache where to find your site’s files and how to handle requests for your domain.

First, let’s create the folder where our website’s files will live. We’ll use the fake domain my-awesome-blog.com for this guide.

sudo mkdir -p /var/www/my-awesome-blog.com

Now, create a new configuration file for our site using the nano editor.

sudo nano /etc/apache2/sites-available/my-awesome-blog.com.conf

Paste the following configuration into the file. This tells Apache that requests for my-awesome-blog.com should be served from the folder we just created.

Apache

<VirtualHost *:80>
    ServerName my-awesome-blog.com
    ServerAlias www.my-awesome-blog.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/my-awesome-blog.com

    <Directory /var/www/my-awesome-blog.com>
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and close the file (Ctrl+X, Y, Enter). Now, let’s enable our new site configuration, enable a module WordPress needs for pretty web addresses (permalinks), and disable Apache’s default welcome page.

sudo a2ensite my-awesome-blog.com.conf

sudo a2enmod rewrite

sudo a2dissite 000-default.conf

Finally, let’s check our work for typos and restart Apache to make the changes live.

sudo apache2ctl configtest

sudo systemctl restart apache2

Step 3.2: Downloading and Placing the WordPress Files

Let’s go get the latest version of WordPress directly from the official source.

cd /tmp

curl -O https://wordpress.org/latest.tar.gz

Now, unpack the files and copy them into the website folder we created.

tar xzvf latest.tar.gz

sudo cp -r /tmp/wordpress/* /var/www/my-awesome-blog.com/

Step 3.3: Setting the House Rules (File Permissions)

This is a super important security step. File permissions are the rules that say who can read, change, or run your website’s files. Getting this wrong can either break your site or leave a huge security hole.

First, we’ll set the ownership of all the files. We’ll make our blogadmin user the owner, and the web server’s user (www-data) the group owner. This gives us full control while still allowing the web server to do its job.

sudo chown -R blogadmin:www-data /var/www/my-awesome-blog.com

Next, we’ll set the permissions. The standard secure permissions for WordPress are 755 for folders and 664 for files. These numbers are just a shorthand for read, write, and execute permissions for the owner, group, and everyone else.

sudo find /var/www/my-awesome-blog.com -type d -exec chmod 775 {} \;

sudo find /var/www/my-awesome-blog.com -type f -exec chmod 664 {} \;

Step 3.4: Creating the Master Instruction File (wp-config.php)

The wp-config.php file is the heart of your WordPress site. It holds the secret keys to your database and other critical settings. We need to create it from the sample file that comes with WordPress.

cd /var/www/my-awesome-blog.com

sudo cp wp-config-sample.php wp-config.php

Now, let’s edit the file and put in our database details.

sudo nano wp-config.php

Find these lines and replace the placeholders with the database name, user, and password you created earlier.

PHP

define( 'DB_NAME', 'my_blog_db' );
define( 'DB_USER', 'blog_user' );
define( 'DB_PASSWORD', 'AVeryStrongP@ssw0rd!' );

Next, scroll down until you see the “Authentication Unique Keys and Salts.” These are long, random strings that make your site’s login system much more secure. We can get a fresh set from a special WordPress web address.

Open a new browser tab and go to: https://api.wordpress.org/secret-key/1.1/salt/

Copy the entire block of text it gives you. Back in your PuTTY window, delete the placeholder salt section in the wp-config.php file and paste in the new set you just copied.
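Pasting a multi-line block into nano by hand is easy to get wrong (a mangled line can leave a placeholder salt in place). As an added example that is not part of the guide, the script below fetches the block from the same WordPress address and splices it over the eight placeholder lines; the splice function takes the block from a file so it can be checked without network access. It assumes the placeholder lines still read as shipped in wp-config-sample.php.

```shell
#!/bin/sh
# Added example: replace the salt placeholders in wp-config.php with a fresh block.
# Assumptions: curl is installed; the eight salt define() lines follow the sample file's
# layout (define( 'AUTH_KEY', ... ) etc.).

SALT_URL='https://api.wordpress.org/secret-key/1.1/salt/'

# fetch_salts OUTFILE -> downloads the block; fails unless exactly 8 define() lines arrived.
fetch_salts() {
  curl -fsS "$SALT_URL" -o "$1" && [ "$(grep -c '^define(' "$1")" -eq 8 ]
}

# count_salt_keys WP_CONFIG -> number of salt define() lines present.
count_salt_keys() {
  grep -cE "^define\( *'(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'" "$1"
}

# splice_salts WP_CONFIG SALT_FILE: drop every existing salt define() and write the new
# block where the first one stood. Exit 1 if the result is not exactly 8 real salts.
splice_salts() {
  local cfg="$1" salts="$2" tmp
  tmp=$(mktemp)
  awk -v saltfile="$salts" -v q="'" '
    BEGIN { re = "^define\\( *" q "(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)" q }
    $0 ~ re {
      if (!done) { while ((getline l < saltfile) > 0) print l; done = 1 }
      next
    }
    { print }' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and mode of cfg
  rm -f "$tmp"
  [ "$(count_salt_keys "$cfg")" -eq 8 ] && ! grep -q 'put your unique phrase here' "$cfg"
}

# Typical use on the server (after cd /var/www/my-awesome-blog.com):
#   fetch_salts /tmp/salts.php && sudo sh -c '. ./salts.sh; splice_salts wp-config.php /tmp/salts.php'
```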

Save and close the file (Ctrl+X, Y, Enter). As a final security step, let’s make this file extra secure so the web server can’t change it.

sudo chmod 640 /var/www/my-awesome-blog.com/wp-config.php
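The ownership and permission scheme from Step 3.3 together with the tighter mode on wp-config.php is easy to drift from (an update, an unpacked plugin or a stray chmod can reintroduce world-writable or executable files). The following script is an added example, not part of the guide: it applies the scheme from the find commands in Step 3.3 (775 on directories, 664 on files, and wp-config.php readable but not writable by the web server) and then audits a tree for anything that deviates. It assumes GNU coreutils and findutils as on Ubuntu, and that the owner and group passed in exist (blogadmin and www-data on the server).

```shell
#!/bin/sh
# Added example: apply and audit the WordPress file-permission scheme.
# Assumptions: GNU stat/find (Ubuntu); OWNER and GROUP exist on the system.

# set_wp_permissions ROOT OWNER GROUP: ownership plus 775 dirs / 664 files, 640 wp-config.php.
set_wp_permissions() {
  local root="$1" owner="$2" group="$3"
  chown -R "$owner:$group" "$root"
  find "$root" -type d -exec chmod 775 {} +
  find "$root" -type f -exec chmod 664 {} +
  # 640: web server (group) can read the database credentials but cannot rewrite the file,
  # and no other local user can read it at all.
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
  return 0
}

# audit_wp_permissions ROOT -> prints one line per deviation; exit 1 if any, 0 when clean.
audit_wp_permissions() {
  local root="$1" bad=0 line m p want
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    m=${line%% *}; p=${line#* }            # "<octal mode> <path>" from stat below
    if [ "$p" = "$root/wp-config.php" ]; then want=640
    elif [ -d "$p" ]; then want=775
    else want=664; fi
    [ "$m" = "$want" ] || { echo "MODE $m (want $want): $p"; bad=1; }
    # Any mode whose last octal digit has the write bit set is writable by everyone.
    case "$m" in *[2367]) echo "WORLD-WRITABLE: $p"; bad=1 ;; esac
  done <<EOF
$(find "$root" -exec stat -c '%a %n' {} +)
EOF
  return $bad
}

# On the server: sudo sh -c '. ./perms.sh; set_wp_permissions /var/www/my-awesome-blog.com blogadmin www-data'
#                sudo sh -c '. ./perms.sh; audit_wp_permissions /var/www/my-awesome-blog.com'
```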

Part 4: The Finishing Touches

We’re almost there! The last steps are to encrypt our website’s traffic and run the famous WordPress web installer.

Step 4.1: Adding the Padlock (Free SSL/TLS Certificate)

Running a website without the little padlock icon (HTTPS) is a big no-no. It means all data, including your login password, is sent in plain text. We’ll use a free and trusted service called Let’s Encrypt to get an SSL/TLS certificate, which enables HTTPS and encrypts all communication.

The best tool for this is Certbot. Let’s install it.

sudo apt install certbot python3-certbot-apache -y

Now, run Certbot. It will automatically detect your Apache configuration for my-awesome-blog.com, get a certificate, and set it up for you.

sudo certbot --apache -d my-awesome-blog.com -d www.my-awesome-blog.com

Certbot will ask for your email address (for renewal reminders) and for you to agree to the terms. It will also ask if you want to redirect all HTTP traffic to HTTPS. You should choose the redirect option for the best security.

Step 4.2: The Grand Opening!

Everything on the server is now ready. The final step is to complete the installation through your web browser.

Open your favorite browser and go to your domain, making sure to use https:

https://my-awesome-blog.com

You’ll see the WordPress installation screen. It will ask you for:

  • Site Title: The name of your new blog.
  • Username: The username for your main WordPress admin account. Do not use “admin”! Pick something unique.
  • Password: Create another strong, unique password.
  • Your Email: The email for site notifications.

Fill everything in and click “Install WordPress.” Congratulations! Your secure, hardened WordPress site is now live. You can log in to your dashboard at https://my-awesome-blog.com/wp-admin.

Conclusion: Your Fortress is Built, Now Maintain It

You’ve done more than just install WordPress; you’ve built a secure foundation from the ground up. Your server access is locked down with SSH keys, a firewall is standing guard, your database is hardened, and all your traffic is encrypted.

But security isn’t a one-time task. A fortress needs to be maintained. Remember these key practices:

  • Update Everything: This is the most important rule. Regularly update Ubuntu, WordPress itself, and all your themes and plugins. Most hacks happen through old software that has a known fix.
  • Use Strong Passwords: For your WordPress admin, your database, and everything else.
  • Be Smart About Plugins: Only install plugins from reputable sources.
  • Make Regular Backups: Set up an automated backup system that stores your files and database in a separate, safe location. This is your ultimate safety net.

By following this guide and keeping up with maintenance, you’ve given your website the best possible start in the digital world. You’ve built a fortress.
