Over 60 million people choose WordPress to power their websites and blogs. Born out of a desire for an elegant personal publishing system built on PHP and MySQL, its potential has evolved to a full content management system.

In addition to the package installation, the One-Click also:

• Enables the UFW firewall to allow only SSH (port 22, rate limited), HTTP (port 80), and HTTPS (port 443) access.
• Sets the MySQL root password, runs mysql_secure_installation, and creates a wordpress user with the necessary permissions. Note, the Droplet root user will not be prompted for the MySQL password.
• Sets up the debian-sys-maint user in MySQL so the system’s init scripts for MySQL will work without requiring the MySQL root user password.
• Creates the initial WordPress configuration file to set up salt keys and allow the WordPress instance to connect to the database.
• Disables XML-RPC to help prevent DDoS and other brute force attacks. 
• Modifies some of PHP’s settings to increase the maximum filesize and execution time.
• Enables the Apache rewrite module so the WordPress permalink feature will work.
• Configures Apache with UseCanonicalName On to mitigate CVE-2017-8295.You need a fully qualified domain name (FQDN) to use this One-Click, which you can purchase from any domain registrar. You do not have to manage your domain with DigitalOcean DNS.

After you create a WordPress One-Click Droplet, you’ll need to log into the Droplet via SSH to finish the WordPress setup. This prevents the setup wizard from being visible to the internet until you’re ready to complete it. If you try to visit the Droplet’s IP address before logging into the Droplet, you’ll see a DigitalOcean landing page.

From a terminal on your local computer, connect to the Droplet as root. Make sure to substitute the Droplet’s public IPv4 address.

ssh root@your_droplet_public_ipv4

If you did not add an SSH key when you created the Droplet, you’ll first be prompted to reset your root password.

Then, the interactive script that runs will first prompt you for your domain or subdomain (Tip: for testing purpose, you can enter the IP address of the Droplet, if you don't have a domain setup yet):

Connecting to a database

If you'd like to use a DigitalOcean managed MySQL database, make sure to hit Ctrl+C at this stage to cancel the default set up to take the additional steps outlined below. If you would prefer the default MySQL database that runs on your droplet, feel free to skip down to continue installation and it will be set up for you without additional configuration.

1. Create a MySQL cluster

   • Recommended: restrict access to your MySQL cluster to a "trusted source". You will see this option when setting up the cluster and you can select your new Wordpress droplet from the dropdown.
   • Download the cluster's CA certificate (you'll also see this option while setting it up).
   • Once the cluster is up and running, create a new database called wordpress.

2. Move the CA cert you downloaded onto your Wordpress droplet and into your certificates folder. You can use secure copy for this if you'd like.

scp /path/to/cert/ca-certificate.crt root@{MYSQL_DROPLET_IP}:/usr/local/share/ca-certificates

3. ssh into your Wordpress droplet and press Ctrl+C right away to exit the Wordpress set up once again.
4. The last step is making some updates to your Wordpress config:

sudo vim /var/www/html/wp-config.php

Update the following define statements with the connection details for your new database:

define( 'DB_USER', 'managed_database_username' );
define( 'DB_PASSWORD', 'managed_database_password' );`
define( 'DB_HOST', 'managed_database_host:managed_database_port' );

Add this define statement, as is, to enable SSL.

/** Connect to MySQL cluster over SSL **/
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL );

Now you can go ahead and run a sudo reboot on your droplet. When you are back up and running, continue below through the rest of the instructions.

Continue Installation

To cancel setup, press Ctrl+C.  This script will run again on your next login
--------------------------------------------------
Enter the domain name for your new WordPress site.
(ex. example.org or test.example.org) do not include www or http/s
--------------------------------------------------
Domain/Subdomain name:

The next prompt asks if you want to use SSL for your website via Let’s Encrypt, which we recommend:

Next, you have the option of configuring LetsEncrypt to secure your new site.  Before doing this, be sure that you have pointed your domain or subdomain to this server's IP address.  You can also run LetsEncrypt certbot later with the command 'certbot --apache'

Would you like to use LetsEncrypt (certbot) to configure SSL(https) for your new site? (y/n):

After you respond to these two prompts, you’ll see a confirmation message:

WordPress has been enabled at http://example.org  Please open this URL in a browser to complete the setup of your site.

At this point, you should visit the Droplet’s IP address in your browser to finish the WordPress installation through the web interface.

Once the installation is complete, you can use the WordPress administration dashboard to further customize the new site. For reference:

• The MySQL root password is in /root/.digitalocean_password. Note, the Droplet root user will not be prompted for the MySQL password.
• The web root is /var/www/html, and the WordPress configuration file is /var/www/html/wp-config.php.
• You can get information about the PHP installation by logging into the Droplet and running php -i.In addition, there are a few customized setup steps that we recommend you take.

Creating an Apache virtual hosts file for each site maintains the default configuration as the fallback, as intended, and makes it easier to manage changes when hosting multiple sites.

To do so, you’ll need to create two things for each domain: a new directory in /var/www for that domain’s content, and a new virtual host file in /etc/apache2/sites-available for that domain’s configuration. For a detailed walkthrough, you can follow How to Set Up Apache Virtual Hosts.

If you didn’t enable HTTPS during the initial setup script, you can enable it manually at any time after the fact.

Setting up an SSL certificate enables HTTPS on the web server, which secures the traffic between the server and the clients connecting to it. Certbot is a free and automated way to set up SSL certificates on a server. It’s included as part of the WordPress One-Click to make securing the Droplet easier.

To use Certbot, you’ll need a registered domain name and two DNS records:

• An A record from the domain (e.g., example.com) to the server’s IP address
• An A record from the domain prefaced with www (e.g., www.example.com) to the server’s IP addressAdditionally, if you’re using a virtual hosts file, you’ll need to make sure the server name directive in the VirtualHost block (e.g., ServerName example.com) is correctly set to the domain.

Once the DNS records and, optionally, the virtual hosts files are set up, you can generate the SSL certificate. Make sure to substitute the domain in the command.

certbot --apache -d example.com -d www.example.com

HTTPS traffic on port 443 is already allowed through the firewall. After you set up HTTPS, you can optionally deny HTTP traffic on port 80:

ufw delete allow 80/tcp

For a more detailed walkthrough, you can follow How to Secure Apache with Let’s Encrypt or view Certbot’s official documentation.

You can serve files from the web server by adding them to the web root (/var/www/html) using SFTP or other tools.