Overview

You will choose a provider and plan that fit your goals and budget. You will learn how to read CPU models, core counts, frequency, storage, and network specs so you can pick with confidence. By the end you will have a fresh server online and reachable over SSH.

You will put safe defaults in place from day one. You will create a non-root user, tune SSH and sudo, install and configure fail2ban to reduce brute force attempts, and enable a simple firewall that allows only required services. You will also enable unattended security updates and configure logrotate.

You will install Nginx and PHP, and configure the FastCGI service. You’ll fine tune the number of PHP and Nginx workers, configure sane memory and file size limits, execution time and more. You will map a domain to your server, hide your HTTP service behind Cloudflare, and make sure no alternative route is possible.

You will install a MariaDB server and right-size it to your server specs. You will create a database user for your future WordPress application. You will enable and test the MariaDB slow query log for future performance troubleshooting.

You will download and install WP-CLI management utility. You will then use it to install the latest WordPress core version, create a configuration file, run the installation. You will update the Nginx configuration to support WordPress permalinks. You will also configure the server cron service to run the WordPress Cron.

You will install Postfix and configure it to relay email through an SMTP service of your choice. You will then make sure PHP is configured to relay mail through the postdrop service. You will verify delivery and health of a test email from wp_mail().

You will install and configure Redis for object caching in WordPress. You will also install a page caching plugin of your choice. You will also ensure you can measure response times, and easily find the slowest requests from your server logs. You will run some load test against your application.

You will configure fail2ban for bruteforce protection against common attack vectors in WordPress: including application passwords, XML-RPC and wp-login.php. You will update your Nginx configuration to ensure sensitive files remain private and enable rate limiting. You will write some helper scripts to determine and quickly ban bad actors from server logs.

You will determine everything that needs to be backed up. You will create scheduled jobs to perform on-site backups, and ship them to an off-site location. You will configure a retention policy to delete old backups. You will also learn how to quickly make on-demand backups and explore existing backups.

You will ensure all your services can survive a server reboot. You will create alerts for various system resources and spikes in errors, high response times, slow queries, email delivery errors and more. You will also set up a third-party uptime monitor.

You will learn how to schedule core, theme and plugin updates. You will also write and test a helper script to roll back updates when things break. You will learn how to put your site into maintenance mode to perform PHP and MariaDB upgrades.