Plesk Obsidian 18 on Ubuntu 20

Last Revised: October 2, 2021

This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.

In addition, you have the possibility to create your VPS with the WordPress image in one click.

PARTNERSHIP

This tutorial has been created thanks to a Plesk license.

Get your Plesk licenses from their website or from your hosting provider.

COLLABORATION

Versions to install

Operating System: Ubuntu 20
Control Panel: Plesk Obsidian 18

In Clouding you have an option to select Plesk as a panel, so the installation will already be done and you can skip the first steps. When creating the VPS they will give you access to the panel.

Configuring the Operating System

Once the operating system is installed, the first thing we will configure is the server time. In this case we will set the time zone to UTC.

timedatectl set-timezone 'UTC'
timedatectl set-ntp on

The next thing we will do is check the version of the operating system and, subsequently, make a complete update of it.

lsb_release -a
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove

Installing Plesk

Once everything is updated, we will begin the installation of Plesk.

sh <(curl https://autoinstall.plesk.com/one-click-installer || wget -O - https://autoinstall.plesk.com/one-click-installer)

We will answer the basic questions and configuration prompts the installer asks. At the end of the installation it will give us a URL to access the panel, where we will continue the configuration.

Initial configuration

When accessing the URL it provides, we fill in the name, email, password and add the license if applicable. There is a trial option in case you haven’t decided yet or just want to try.

Remember that to have full access to the advanced control panel, you have to change the Power User view to Service provider view. This can be done from the Change View section in the lower-left corner of the screen. Another way to get more control of the panel is to switch to Service provider view from Tools & Settings → Interface Management.

If the panel is not in Spanish by default, we can activate it (or other languages) in Tools & Settings → Interface Management → Languages, setting Spanish with Make Default.

To have the panel in Spanish immediately, we will go to the Profile section of the menu and save the session there (Spanish should appear as the default language in the selector).

Plesk Extensions

Prior to the configuration, I recommend that you review some of the most interesting extensions for Plesk that can be useful when using WordPress or server management. They are not mandatory, but some such as Let’s Encrypt, SSL It! or WordPress Toolkit will make configuration and maintenance tasks much easier.

Advanced settings

All general configuration options are in the Tools & Settings area of the menu. Here are a number of sections that we are going to review to get ready for our WordPress and for optimal security and maintenance.

General settings

Apache Web Server Configuration

In the Apache Web Server Configuration section we will select Event as the MPM mode.

The Apache modules that we will leave active are as follows:

  • access_compat
  • auth_basic
  • authn_core
  • authz_core
  • autoindex
  • brotli
  • buffer
  • cache
  • cache_disk
  • cache_socache
  • cgid
  • deflate
  • dir
  • expires
  • fcgid
  • file_cache
  • filter
  • headers
  • http2
  • include
  • negotiation
  • proxy
  • proxy_fcgi
  • proxy_http
  • proxy_http2
  • proxy_wstunnel
  • reqtimeout
  • rewrite
  • setenvif
  • socache_redis
  • socache_shmcb
  • suexec
  • userdir

PHP Configuration

We should have at least the PHP versions that are officially supported and stable. If they are not all present, we can go to the Plesk Installer link at the top, where we can add or remove PHP versions.

By default we will leave the PHP-FPM options for use with Apache enabled.

PHP 7.3 Extensions

  • bcmath
  • curl
  • dba
  • dom
  • fileinfo
  • gd
  • imagick
  • imap
  • intl
  • json
  • mbstring
  • mysqli
  • mysqlnd
  • opcache
  • pdo
  • pdo_mysql
  • phar
  • posix
  • pspell
  • redis
  • soap
  • sodium
  • sysvmsg
  • sysvsem
  • sysvshm
  • tidy
  • xmlreader
  • xmlrpc
  • xmlwriter
  • xsl
  • zip

PHP 7.4 Extensions

  • bcmath
  • curl
  • dba
  • dom
  • fileinfo
  • gd
  • imagick
  • imap
  • intl
  • json
  • mbstring
  • mysqli
  • mysqlnd
  • opcache
  • pdo
  • pdo_mysql
  • phar
  • posix
  • pspell
  • redis
  • soap
  • sodium
  • sysvmsg
  • sysvsem
  • sysvshm
  • tidy
  • xmlreader
  • xmlrpc
  • xmlwriter
  • xsl
  • zip

PHP 8.0 Extensions

  • bcmath
  • curl
  • dba
  • dom
  • fileinfo
  • gd
  • imap
  • intl
  • mbstring
  • mysqli
  • mysqlnd
  • opcache
  • pdo
  • pdo_mysql
  • phar
  • posix
  • pspell
  • redis
  • snmp
  • soap
  • sodium
  • sysvmsg
  • sysvsem
  • sysvshm
  • tidy
  • xmlreader
  • xmlwriter
  • xsl
  • zip

Applications and databases

Database hosting preferences

We will activate some of the options to increase the security and complexity in the database.

  • Add the prefix and an underscore to the beginning of the database names: User name
  • Add the user name and an underscore to the beginning of the database user names: enabled
  • Default settings for remote access for database users: Allow local connections only

In principle we will configure the server so that the database cannot be accessed from the outside. There are many security scanning systems that check MySQL ports for insecure passwords or passwordless access.

Plesk

Configuring Restricted Mode

In the PHP Settings tab we will make some changes.

memory_limit: 256M
max_execution_time: 300
max_input_time: 60
post_max_size: 128M
upload_max_filesize: 128M
opcache.enable: On

Security

If we want to have security levels a little higher than normal we can make some configuration changes.

Security Policy

  • FTPS usage policy: Allow only secure FTPS connections

IP Address Ban (Fail2Ban)

  • Enable intrusion detection: enabled

Firewall for Web Applications (ModSecurity)

In the “Settings” section we will change to the OWASP set of rules that supports WordPress.

TLS versions and ciphers management

Mozilla TLS versions and ciphers: enabled, of type Intermediate (recommended)

ImunifyAV

If you have the option of ImunifyAV we will activate this antivirus system and server protection.

We will apply a configuration (in the Settings) that will help us improve scanning.

  • “Quick Scan” mode: enabled
  • Skip images and other media files: enabled
  • Optimize scanning by speed: enabled
  • Max working threads: 1
  • Scheduled rescanning: monthly
  • Start automatic scanning at: 04:00
  • Max allocated memory for a single working thread (Mb): 768
  • Number of days to keep infected files in backup: 7
  • Trim malicious file instead of deleting it: off
  • Update antivirus databases automatically: enabled
  • Allow users to use files ignore list: enabled
  • Enable antivirus warning banners: enabled
  • Enable ImunifyAV menu shortcut: enabled
  • Scanning timeout: Unlimited
  • Log level: Normal

Installing Redis

To improve the performance of the object cache, we are going to leave Redis ready as a storage system. This installation and configuration will be done through SSH, since Redis does not come with Plesk by default.

apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove
apt -y install redis-server

Later, and in the same way as the rest of the elements, we are going to configure it to start automatically if the server is restarted.

systemctl stop redis-server.service
systemctl enable redis-server.service
systemctl start redis-server.service
systemctl status redis-server.service
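
The local-only database setting chosen earlier and the Redis installation both depend on these services not listening on a public address. As an added example (not part of the original tutorial), this script flags listeners on 3306 and 6379 bound to anything other than loopback; the ports are the MySQL/MariaDB and Redis defaults and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example: flag MySQL/MariaDB (3306) and Redis (6379) listeners that are
# bound to a non-loopback address. Input is the output of `ss -Htln`.

# exposed_listeners: reads `ss -Htln` lines on stdin and prints "port address"
# for each watched port that is reachable from outside the host.
exposed_listeners() {
  awk '
    {
      local_addr = $4                       # 4th column: Local Address:Port
      n = split(local_addr, parts, ":")
      port = parts[n]                       # text after the last colon
      addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
      if (port != "3306" && port != "6379") next
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback is fine
      print port, addr
    }'
}

# Constructed sample: MySQL on loopback only, Redis also bound to all IPv4
# addresses (what "bind 0.0.0.0" in redis.conf would produce).
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:8443 *:*
EOF
}

# Demo on the constructed sample; on a real server run: ss -Htln | exposed_listeners
sample_ss_output | exposed_listeners
```

An empty result on the real server means neither service is listening beyond loopback.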

Installing WP-CLI

One of the basic elements in any server that is going to have WordPress is WP-CLI. This is why we will do the installation.

A situation that we usually encounter is that there is no PHP by default on the server, so WP-CLI could not be executed. We can verify that it does not exist by looking for its version:

php -v

If it returns an error, we will have to look for which one we want to execute by default. For this we can see the list of all available PHP:

plesk bin php_handler --list

One of the columns is PHP-CLI, which gives the path to use for the version we want. In this case we will use PHP 7.4. First we will validate that it works:

/opt/plesk/php/7.4/bin/php -v

As we want this to be permanent, we will need the WP-Toolkit CLI.

plesk bin extension --install wp-toolkit

And now we will configure WP-CLI, in this case for PHP 7.4.

curl -q -O "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar" && mv wp-cli.phar /usr/sbin/ && chmod +x /usr/sbin/wp-cli.phar && if [[ -f /bin/php-cli ]]; then alias wp='/bin/php-cli /usr/sbin/wp-cli.phar --allow-root'; else alias wp='/opt/plesk/php/7.4/bin/php /usr/sbin/wp-cli.phar --allow-root'; fi
wp --info

If everything has gone correctly, we will see the WP-CLI information after the last command.
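
The one-liner above runs a freshly downloaded phar as root, and its alias lasts only for the current shell session. This added example (not from the original tutorial) installs the phar only when its SHA-512 matches a digest obtained separately and writes a persistent wrapper; the function names and the /usr/local/bin/wp wrapper path are assumptions.

```shell
#!/bin/sh
# Added example: verify wp-cli.phar before installing it, then create a
# persistent `wp` wrapper instead of a session-only alias.

# verify_sha512 FILE EXPECTED_HEX: succeeds only on an exact digest match.
verify_sha512() (
  [ -r "$1" ] || exit 1
  actual=$(sha512sum "$1" | awk '{print $1}')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex too
  [ "$actual" = "$expected" ]
)

# install_wp_cli PHAR EXPECTED_HEX PHAR_DEST WRAPPER_DEST PHP_BIN
# Refuses to install anything on a mismatch. PHP_BIN is the PHP-CLI path
# reported by `plesk bin php_handler --list`.
install_wp_cli() (
  phar=$1 expected=$2 phar_dest=$3 wrapper=$4 php_bin=$5
  if ! verify_sha512 "$phar" "$expected"; then
    echo "SHA-512 mismatch for $phar: not installing" >&2
    exit 1
  fi
  install -m 0755 "$phar" "$phar_dest" || exit 1
  # The wrapper keeps the tutorial's --allow-root flag and pins one PHP build.
  printf '#!/bin/sh\nexec "%s" "%s" --allow-root "$@"\n' \
    "$php_bin" "$phar_dest" > "$wrapper" || exit 1
  chmod 0755 "$wrapper"
)

# Usage on the server, with the tutorial's paths (wrapper path is an assumption,
# EXPECTED is the digest you obtained out of band):
#   install_wp_cli wp-cli.phar "$EXPECTED" /usr/sbin/wp-cli.phar \
#     /usr/local/bin/wp /opt/plesk/php/7.4/bin/php
```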

Creating a site (domain)

Let’s go to the Domains section and Add Domain.

We’ll add the domain, assign the IP address, a strong username and password, and enable the Protect domain with Let’s Encrypt option.

Once the domain is created, we can access its tab.

SSL/TLS Certificates

The first thing we will do is improve the configuration of certificates and security.

We will enter the section and enable HSTS (set to 6 months) and Keep websites secured, in addition to OCSP Stapling.

PHP Configuration

We will make some changes to the PHP settings specific to WordPress.

  • memory_limit: 256M
  • max_execution_time: 300
  • max_input_time: 60
  • post_max_size: 128M
  • upload_max_filesize: 128M
  • opcache.enable: on
  • disable_functions: (leave empty)

The PHP-FPM configuration can be left on automatic or configured with the data from the PHP-FPM Dynamic Configuration section of the WordPress Performance section.

Access to web hosting

Although it is not necessary for all domains, it may be useful to leave bash enabled for running WP-CLI. To do this, in the Access to the server over SSH section we will select the /bin/bash option.

Email accounts

In the Mail Settings we will use the following configuration:

  • SSL/TLS certificate for webmail: Let’s Encrypt
  • SSL/TLS certificate for mail: Let’s Encrypt
  • Use the DKIM anti-spam protection system to sign outgoing email messages

Before creating our WordPress we will create the base email account of any installation, which is wordpress@example.com.

  • Create General email address
    Email address: wordpress@example.com
    It can be used to access Plesk: disabled
    Mailbox: disabled
  • Create Forward email address
    Enable mail forwarding: tu_cuenta_actual@example.com
  • Configuring Apache and nginx Index Files: index.php index.html index.htm
    Serve static files directly using nginx: enable the default list

Install WordPress

When entering a domain's tab we will see the WordPress section at the top; it is also available centrally in the options menu under the WordPress tab.

In this case we can centralize everything from the WordPress section. If we already have a server set up, it is best to run a first Scan. This will search the entire server for any WordPress installations you have.

On the other hand, through the Install link we can create a WordPress with one click. We will select the different options, being able to choose the administrator user and have the database configured automatically.

If we do not want to worry about it, we can choose to update WordPress, plugins and themes automatically. Subsequently, we can choose the Smart Update system.

Once the installation is finished, we will see in the list the new site.

The first configuration to review is Fix security. On entering we will see a button to run a first Security Check. This goes through the entire list, updates it and tells us what is active and what is not.

What should we activate? It will depend a lot on the functionalities of the site that you are going to have, although in general you can activate all those that are pending.

IMPORTANT: If the option Change default administrator's username is already correct, it is better not to activate it since it could change the administrator user. If you are going to run it, please make sure you have an alternate Administrator user, even temporarily.

In the list of tools we will mark by default the option Disable wp-cron.php. This removes the user-triggered cron system and converts it to a scheduled task, so that it does not get saturated on a high-traffic site.

Apache and nginx configuration

Within the domain tab we will enter the Apache and nginx configuration section, where by default we have Apache activated.

In the case of WordPress we can make some optimizations.

Apache Common Configuration

  • Index files: index.php index.html index.htm
  • Expires: 28 days + respond with Expires headers only for static files

Additional Apache Directives

In the HTTPS directives field, we will add the following lines:

Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains"
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
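
To check what the site actually returns after adding these directives, this added example (not from the original tutorial) audits response headers for the four headers above, flags duplicates, and converts the HSTS max-age to days (10886400 seconds is 126 days). The sample response is constructed and assumes the panel's HSTS option and the Apache directive both emit the header.

```shell
#!/bin/sh
# Added example: audit a response for the four headers configured above.

# audit_security_headers: reads raw response headers on stdin (for example from
# `curl -sI https://your-domain/`) and prints one finding per line.
audit_security_headers() {
  tr -d '\r' | awk -F': *' '
    BEGIN {
      split("strict-transport-security x-frame-options x-xss-protection x-content-type-options", want, " ")
    }
    {
      name = tolower($1)
      seen[name]++
      # Report every HSTS lifetime, converted from seconds to whole days.
      if (name == "strict-transport-security" && match($0, /max-age=[0-9]+/)) {
        secs = substr($0, RSTART + 8, RLENGTH - 8)
        print "HSTS max-age=" secs " (" int(secs / 86400) " days)"
      }
    }
    END {
      for (i = 1; i <= 4; i++) {
        h = want[i]
        if (seen[h] == 0) print "MISSING " h
        else if (seen[h] > 1) print "DUPLICATE " h " x" seen[h]
      }
    }'
}

# Constructed sample: HSTS sent twice with different lifetimes, nosniff absent.
sample_response_headers() {
  cat <<'EOF'
HTTP/2 200
strict-transport-security: max-age=15768000
strict-transport-security: max-age=10886400; includeSubDomains
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
content-type: text/html; charset=UTF-8
EOF
}

sample_response_headers | audit_security_headers
```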

nginx configuration

To improve the cache, we will use nginx caching. This will activate a layer above the web server that acts as a proxy and cache, which will greatly improve the delivery of static files. Once in its configuration, we should optimize it.

  • Proxy mode: enabled
  • Intelligent processing of static files: enabled
  • Serve static files directly using nginx: enabled
  • We will include the following default extensions: ac3 avi bmp bz2 css cue dat doc docx dts eot exe flv gif gz htm html ico img iso jpeg jpg js mkv mp3 mp4 mpeg mpg ogg pdf png ppt pptx qt rar rm svg swf tar tgz ttf txt wav woff woff2 xls xlsx zip webp
  • Enable nginx caching: enabled
  • Cache size: 1 GB
  • Cache timeout: 1 hour
  • Cache key: $scheme$request_method$host$request_uri
  • Cache requests with cookies:
    • _ga
    • _gid
  • Turn off caching for locations
    • /wp-admin/
  • Bypass cache when:
    • enabled: No-cache HTTP headers are received in the request
    • enabled: HTTP authorization headers are received in the request
    • enabled: The GET nocache parameter is received in the request
  • Return stale cached records when:
    • enabled: Upstream returns a 5xx server error
    • disabled: Upstream returns a 4xx client error
    • enabled: The cache is being updated

Enabling caching can lead to some storage issues. Later we must install a plugin that is able to help with this management.

Set up WordPress

This section does not detail the general WordPress settings, only the improvements that are useful to get the most out of the previous configuration.

Cache with Redis

The first of the plugins that we will install is that of Redis.

Once we have it Installed and Activated, we will go to its configuration and activate it, resulting in a notice that it is active and working.

OPcache Cache

For the management of PHP OPcache we will use another plugin.

In this case we must first activate the functionality of the plugin.

From that moment we can also see the usage statistics of PHP OPcache.

Adapting WordPress Toolkit

Without a doubt, the WordPress Toolkit for Plesk is a great tool that makes it easy to install and manage WordPress.

A first configuration that you should apply is the default one within the Settings section, where, above all, we will review the additional permissions:

  • [disabled] Allow copying of wp-config.php when using the data copy feature
  • [enabled] Always create complete snapshots of websites
  • [enabled] Use rsync for file copy operations
  • [enabled] Allow customers to use sets when installing WordPress
  • [enabled] Disable search engine indexing for cloned websites
  • [enabled] Disable wp-cron.php on all new WordPress installations

On the other hand, if you usually install a series of plugins and themes by default on your new sites, the Sets section will be key.

In addition, you can customize the plugins and themes, also deciding whether or not you want it to be activated by default on the site.


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and to put the material you create under the EUPL license.