Deploy Wordpress on Debian 11

This tutorial is for manually deploying wordpress on an Debian 11 server. Alternatively, you could deploy wordpress through docker.

Install MariaDB

sudo apt-get install mariadb-server -y

Now log into the database

sudo mysql

Create the wordpress database, and then create a wordpress user that will have access to it. Be sure to change the passwordHere text.

CREATE database wordpress;
GRANT ALL ON `wordpress`.* to wordpress@localhost identified by 'passwordHere';

Add Ondrej Sury PHP Repository

Debian 11 comes with PHP 7.4 by default, but PHP 8.1 is already out, and security support for PHP 7.4 comes to an end on the 28th of Nov 2022 (less than a month away), so we are going to upgrade to PHP 8.1 with the help of Ondřej Surý's very popular PHP repository.

sudo apt update \
  && sudo apt install -y apt-transport-https lsb-release ca-certificates gnupg2

# Add Ondrej's GPG key to tell Debian you trust his packages.
wget -q https://packages.sury.org/php/apt.gpg -O- | sudo apt-key add -

# Now add Ondrej's PHP packages to your sources.
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list

# Update your package list so you can install what you want later (doesn't update your packages themselves).
sudo apt update && sudo apt dist-upgrade -y

Install Apache and PHP

sudo apt-get install -y \
  apache2 libapache2-mod-php8.1 \
  php8.1-cli php8.1-mysql

Download Wordpress

wget https://wordpress.org/latest.zip

Optional - Create Wordpress SSH User

I use SSH to update my wordpress instances, and wish to use a non-sudo user to do this. Thus I will create a wordpress user at this point.

sudo adduser wordpress

Install Wordpress

sudo apt-get install unzip -y \
  && unzip latest.zip \
  && sudo mkdir -p /var/www/wordpress \
  && sudo mv wordpress /var/www/wordpress/public_html \
  && sudo chown --recursive wordpress:www-data /var/www/wordpress \
  && sudo chmod 750 --recursive /var/www/wordpress

Set Umask and Add to Group

Let's add the www-data user to the wordpress group so that Apache can access the files even if they are group owned by the wordpress user.

sudo adduser www-data wordpress

Now let's set the umask so that if the wordpress user creates a file, the Apache server can still read them.

su wordpress \
  && cd /var/www/wordpress \
  && umask 027

Using umask of 027 means that new files will have 740 (-rwxr-----) permissions, but new directories will have 750 (-rwxr-x---).

Configure Apache

We now need to configure apache to load the wordpress folder as a site. If you use vim as your editor of choice, you may wish to fix the pasting issue, and syntax highlighting, if this is a fresh install of Debian.

sudo editor /etc/apache2/sites-available/000-default.conf

Replace it with:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/wordpress/public_html
    <Directory /var/www/wordpress/public_html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

This assumes this webserver is dedicated to just serving up the wordpress site. E.g. a VPS.

Restart apache for the changes to take effect

sudo service apache2 restart

Enable URL Rewrite And Create Htaccess File

sudo a2enmod rewrite
sudo service apache2 restart

Create a .htaccess file for routing.

editor /var/www/wordpress/public_html

Give it the following content:

RewriteEngine On

# Don't redirect if matches file
RewriteCond %{REQUEST_FILENAME} !-f

# Don't redirect if matches directory
RewriteCond %{REQUEST_FILENAME} !-d

# Redirect everything else to index.php
RewriteRule ^ index.php [QSA,L]

Create WP Config File

Move the example wp-config.php file into place

mv -i \
  /var/www/wordpress/public_html/wp-config.sample \
  /var/www/wordpress/wp-config.php

Database Credentials

Fill in the database credentials in the config file:

editor /var/www/wordpress/wp-config.php

Define Salts

Navigate to https://api.wordpress.org/secret-key/1.1/salt/ to generate a set of salts to update your wp-config.php file with.

Extra Steps For Those Using A Reverse Proxy

If you are using a reverse proxy, that terminates the TLS connection, and only forwards a plain HTTP connection to the underlying wordpress site, then we need to add the following to your wp-config.php file:

define( 'WP_HOME', 'https://wordpress.mydomain.com' );
define( 'WP_SITEURL', 'https://wordpress.mydomain.com' );

if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

Update the values as appropriate to your domain name.

Web Installation

Now go to your servers IP or hostname and perform the web based installation steps, before then going through the tutorial on securing wordpress.