Prerequisites for Installing WordPress on Ubuntu with LAMP Stack
Running WordPress on Ubuntu requires a properly configured LAMP stack. This means Linux as the operating system, Apache as the web server, MySQL for the database, and PHP to process dynamic content. Before installing WordPress, each component must be in place and working correctly.
Ubuntu ships with PHP 7.4 or higher on newer releases, which meets the minimum requirements for modern WordPress and most plugins. You need Apache and MySQL running, and you should be able to serve a basic HTML page from your server before proceeding. If you are starting from a fresh Ubuntu installation, set up the LAMP stack first.
A domain name pointed to your server's IP address is essential for production use. While it is possible to access WordPress via IP address during testing, a domain allows you to set up SSL certificates properly and avoid mixed content warnings. Setting up free SSL with Let's Encrypt on Ubuntu is straightforward once you have a domain configured.
Creating the WordPress Database
WordPress stores all posts, pages, user accounts, settings, and plugin data in MySQL. Create a dedicated database and user for WordPress rather than using the root account. This follows the principle of least privilege and keeps your setup more secure.
Log into MySQL with your root credentials:
mysql -u root -pAt the MySQL prompt, create the database using utf8mb4 encoding, which supports the full Unicode character set including emojis and special characters:
CREATE DATABASE wordpress_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;Create a database user with a strong password. Replace your_strong_password with an actual secure password:
CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'your_strong_password';
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wordpress_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;Record the database name, username, and password somewhere secure. You will need these values during the WordPress configuration step. If you prefer a graphical interface for managing your database, you can install and configure phpMyAdmin on Ubuntu to handle this task through a web browser.
Installing PHP Extensions WordPress Requires
WordPress and many popular plugins require specific PHP extensions to function correctly. Install them all in one command:
sudo apt install php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip -yAfter installation, restart Apache to load the new extensions:
sudo systemctl restart apache2Verify the extensions are loaded by running:
php -m | grep -E "curl|gd|mbstring|xml|soap|intl|zip"Each extension serves a purpose. PHP-Curl handles remote API requests. PHP-GD processes images for thumbnails and resizing. PHP-Mbstring enables proper character encoding for multilingual sites. PHP-XML supports RSS feeds and site navigation structures.
Downloading and Extracting WordPress
Download the latest WordPress from the official site using curl. Always use the official WordPress archive rather than third-party sources, which may contain modified or compromised code:
cd /tmp
curl -O https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gzMove the extracted files to your web root. Adjust the path to match your domain:
sudo mv wordpress /var/www/html/yourdomain.co.uk
sudo chown -R www-data:www-data /var/www/html/yourdomain.co.uk
sudo chmod -R 755 /var/www/html/yourdomain.co.ukThe www-data user and group is the Apache web server user on Ubuntu and Debian systems. Apache must own the files to write to them for plugin installations, theme updates, and media uploads.
Configuring Apache for WordPress
WordPress uses clean URLs (the /sample-post/ format instead of /?p=123) which requires the Apache mod_rewrite module. Enable it and check your Virtual Host configuration:
sudo a2enmod rewrite
sudo nano /etc/apache2/sites-available/yourdomain.co.uk.confEnsure the Directory block allows .htaccess overrides, which WordPress needs for permalinks and other configuration:
<Directory /var/www/html/yourdomain.co.uk>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>The AllowOverride All setting is critical. It tells Apache to read the .htaccess file in the WordPress directory, which contains the rewrite rules for clean URLs.
Test the Apache configuration for syntax errors and reload the service:
sudo apache2ctl configtest
sudo systemctl reload apache2Configuring the wp-config.php File
WordPress stores its core configuration in wp-config.php. Navigate to your WordPress directory and locate the sample configuration file:
cd /var/www/html/yourdomain.co.uk
ls -laYou should see wp-config-sample.php. Copy it to wp-config.php and open it for editing:
cp wp-config-sample.php wp-config.php
nano wp-config.phpFind the database settings section and enter the values you recorded earlier:
define('DB_NAME', 'wordpress_db');
define('DB_USER', 'wordpress_user');
define('DB_PASSWORD', 'your_strong_password');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', 'utf8mb4_unicode_ci');Add security-related constants that are not present in the default config but should exist on any production WordPress installation. These are the authentication salt keys:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');Use the WordPress Salt Generator to generate proper random values. Visit https://api.wordpress.org/secret-key/1.1/salt/ in your browser and copy the values it returns into your configuration.
Change the database table prefix from the default wp_ to something unique. This makes SQL injection attacks more difficult:
$table_prefix = 'wpx7_';Use a prefix that is difficult to guess, such as a random character combination followed by an underscore.
Force HTTPS if your server has an SSL certificate installed:
define('WP_HOME', 'https://yourdomain.co.uk');
define('WP_SITEURL', 'https://yourdomain.co.uk');
define('FORCE_SSL_ADMIN', true);Setting up free SSL with Let's Encrypt on Ubuntu is a practical step that many administrators take when configuring a new server. The process integrates well with Apache and can be automated for renewal.
Setting Correct File Permissions
WordPress needs to write to specific directories for plugins, themes, and media uploads. Set permissions carefully so WordPress can write where needed but Apache cannot overwrite core files:
sudo chown -R www-data:www-data /var/www/html/yourdomain.co.uk
sudo find /var/www/html/yourdomain.co.uk -type d -exec chmod 755 {} \;
sudo find /var/www/html/yourdomain.co.uk -type f -exec chmod 644 {} \;
sudo chmod 640 /var/www/html/yourdomain.co.uk/wp-config.phpThe wp-config.php file should not be world-readable since it contains your database credentials. Setting permissions to 640 restricts it to the owner and group only, both of which are www-data.
Running the WordPress Installation
Visit your domain in a browser. You should see the WordPress installation wizard. If you see a 403 or 404 error instead, the Apache Virtual Host or .htaccess configuration needs review.
The installation wizard asks for several pieces of information:
- Site title: The name of your website, which appears in browsers and search results.
- Username: Choose something other than admin, which is the username most automated attack tools try first.
- Password: Use the strong password WordPress generates or create your own equally strong one.
- Email address: WordPress uses this for notifications and password recovery.
WordPress logs you in automatically after installation completes. Change the password immediately if you used the generated one, since it is shown only once on screen.
Essential Post-Installation Hardening
After installation, take steps to improve your site's security posture.
Remove the WordPress Version Number
Edit your theme's functions.php file to remove the WordPress version number from the HTML source. This information helps attackers target known vulnerabilities in specific versions:
remove_action('wp_head', 'wp_generator');Disable XML-RPC If Not Needed
XML-RPC is a common attack vector. If you do not use Jetpack, the WordPress mobile app, or trackback/pingback features, disable it by adding this to your .htaccess file:
sudo nano /var/www/html/yourdomain.co.uk/.htaccessAdd at the end:
<FilesMatch "\.(xmlrpc\.php)$">
Order Allow,Deny
Deny from all
</FilesMatch>Set Up a Backup Strategy
Before adding real content, establish a backup routine. WordPress backups should include both files and the database. Several established plugins handle this: UpdraftPlus, BackWPup, and WPBackItUp are well-regarded options with free tiers.
If you plan to sell products through your WordPress site, you may want to install WooCommerce after your initial setup is stable. Understanding how to install WooCommerce and set up your first shop gives you a foundation for adding e-commerce functionality later.
Next Steps After Installation
With WordPress installed and basic hardening complete, consider these additional steps depending on your needs.
Install a caching plugin to improve page load times. WordPress pages are generated dynamically on each request, and caching reduces server load and improves the visitor experience.
Set up a maintenance mode page if you plan to make significant changes. Visitors should not see a broken site while you work on custom booking systems or other features.
Configure your permalink structure from the WordPress admin dashboard under Settings, Permalinks. The Post name option (/sample-post/) is generally the best choice for SEO and usability.
Consider installing a security plugin to monitor login attempts, scan for malware, and enforce strong passwords for all user accounts.
Getting Help With Your WordPress Setup
Installing WordPress on Ubuntu with LAMP involves several components, and it is common to encounter configuration issues along the way. If you run into problems with database connections, Apache configuration errors, or need help hardening a production site, you can get in touch with details of what you are trying to achieve and the specific issue you are facing.
Preparing information such as your server OS version, any error messages you see, and what steps you have already tried helps when asking for technical assistance. A clear description of the expected versus actual behaviour speeds up troubleshooting considerably.