If you’re spinning up a new server for WordPress, slow down for a second. Jumping straight into the famous 5-minute install might be tempting, but skipping the prep work can set you up for headaches later.
Before WordPress ever touches your server, there are a few things you must do to lock it down, speed it up, and make future maintenance easier.
Here are 7 things to do before installing WordPress on your server.
1. Update Everything
Before anything else, bring your server up to date.
sudo apt update && sudo apt upgrade -y
Or if you’re on a different flavor (like CentOS or Rocky):
sudo yum update -y
Why? Security patches. Performance improvements. Dependency compatibility. Don’t start building on outdated software.
2. Set Up a Non-Root User with sudo
Never run your WordPress site as the root user. That’s just asking for trouble.
adduser yourusername
usermod -aG sudo yourusername
Then log in with the new user and lock down root access if you’re feeling bold.
3. Configure a Firewall
Use UFW (or firewalld, or whatever your distro prefers) to limit traffic only to the ports you need:
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
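Don’t wait until your server gets scanned 5,000 times an hour. Lock it down from the start. Note that the 'Nginx Full' profile is registered by the Nginx package, so that rule only works once Nginx is installed (step 6); it opens ports 80 and 443.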
4. Install Fail2Ban
Fail2Ban scans logs for brute-force attempts and bans bad IPs automatically. It’s a quick win for security.
sudo apt install fail2ban
The default settings already protect SSH. You can later extend it to cover your WordPress login page.
5. Set Up a Swap File (If Needed)
If you’re on a small VPS with limited RAM (1GB or less), create a swap file. WordPress, PHP, and MySQL will eat memory, and without swap, your server might crash under load.
sudo fallocate -l 1G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
Don’t forget to make it permanent in /etc/fstab.
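One way to handle the /etc/fstab step safely, as an added example that is not from the original article: it refuses a swap file whose mode is not 600, skips commented-out entries, and adds the line only once. The function names and the `--apply` flag are made up for this sketch; `/swapfile none swap sw 0 0` is the standard fstab entry for a swap file.

```shell
#!/usr/bin/env bash
# Added example: helper names below are hypothetical, not from the article.

# Succeeds if fstab file $1 has an active (uncommented) swap entry for $2.
fstab_has_swap() {
    awk -v dev="$2" '
        /^[[:space:]]*#/ { next }               # commented-out entries do not count
        $1 == dev && $3 == "swap" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds if the swap file is mode 600: swapped-out memory can hold secrets.
swap_perms_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]          # GNU stat, as on Ubuntu/Debian/Rocky
}

# Adds the entry once. Returns 2 if the file is missing, 3 if its mode is too open.
persist_swap() {
    local fstab="$1" swapfile="$2"
    [ -f "$swapfile" ] || { echo "missing: $swapfile" >&2; return 2; }
    swap_perms_ok "$swapfile" || { echo "run: chmod 600 $swapfile" >&2; return 3; }
    if fstab_has_swap "$fstab" "$swapfile"; then
        return 0                                # already persistent, nothing to do
    fi
    cp -p "$fstab" "$fstab.bak"                 # keep a copy; a broken fstab can block boot
    if [ -n "$(tail -c1 "$fstab")" ]; then      # last line lacks a newline: add one first
        echo >> "$fstab"
    fi
    printf '%s none swap sw 0 0\n' "$swapfile" >> "$fstab"
}

# Real run, as root: ./persist-swap.sh --apply
if [ "${1:-}" = "--apply" ]; then
    persist_swap /etc/fstab /swapfile && swapon --show
fi
```

Because both paths are parameters, you can try it against a copy of fstab before touching the real one.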
6. Install and Configure Your Web Stack
Choose your stack: LEMP (Linux, Nginx, MySQL/MariaDB, PHP) or LAMP (Apache instead of Nginx). Make sure it’s production-ready:
- PHP: Install supported versions (WordPress recommends PHP 8.3).
- MySQL/MariaDB: Secure it with mysql_secure_installation.
- Nginx/Apache: Test your config, set up server blocks or virtual hosts, and prepare for HTTPS.
You’re building the foundation; don’t slap it together.
7. Secure with SSL (Even Before WP)
Set up HTTPS from the start using Let’s Encrypt and Certbot:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx
WordPress will detect HTTPS during setup. Don’t wait until after; forcing a switch later is messy.
Bonus: Set Up Backups and Monitoring
Even before WP is installed, set up server-level monitoring (like UptimeRobot or Netdata) and configure automated backups with something like rsync, or snapshots from your VPS provider.
You’ll thank yourself when something breaks.
Final Thoughts
Installing WordPress is the easy part. But if you treat your server like a second thought, you’ll spend more time fighting fires than publishing content. Get the foundation right, then build.