Last Revised: October 2, 2021
- Versions to install
- Configuring the Operating System
- Installing Plesk
- Initial configuration
- Plesk Extensions
- Advanced settings
- Installing Redis
- Installing WP-CLI
- Creating a site (domain)
- Install WordPress
- Set up WordPress
- Adapting WordPress Toolkit
- About this document
This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.
In addition, you have the possibility to create your VPS with the WordPress image in one click.
This tutorial was created thanks to a Plesk license.
Get your Plesk licenses from their website or from your hosting provider.
Versions to install
Operating System: Ubuntu 20
Control Panel: Plesk Obsidian 18
In Clouding you have an option to select Plesk as a panel, so the installation will already be done and you can skip the first steps. When creating the VPS they will give you access to the panel.
Configuring the Operating System
Once the operating system is installed, the first thing we will configure will be the server time. In this case we will configure the Universal time zone.
timedatectl set-timezone 'UTC'
timedatectl set-ntp on
The next thing we will do is check the version of the operating system and, subsequently, make a complete update of it.
lsb_release -a
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove
Once everything is updated, we will begin the installation of Plesk.
sh <(curl https://autoinstall.plesk.com/one-click-installer || wget -O - https://autoinstall.plesk.com/one-click-installer)
We will answer the basic questions and configuration prompts the installer asks. At the end of the installation it will provide a URL for accessing the panel, where we will continue the configuration.
When accessing the URL it provides, we fill in the name, email and password, and add the license if applicable. There is a trial option in case you haven’t decided yet or just want to try it.
Remember that to have full access to the advanced control panel, you have to change from the Power User view to the Service provider view. This can be done from the Change View section in the lower-left corner of the screen. Another way to get more control of the panel is to switch to the Service provider view from the section Tools & Settings → Interface Management.
If the panel is not in Spanish by default, we can activate this or other languages in the section Tools & Settings → Interface Management → Languages, where we will activate Spanish with
To have the panel in Spanish immediately, we will go to the Profile section of the menu and save the session there (Spanish should appear as the default in the language selector).
Prior to the configuration, I recommend that you review some of the most interesting extensions for Plesk that can be useful when using WordPress or server management. They are not mandatory, but some such as Let’s Encrypt, SSL It! or WordPress Toolkit will make configuration and maintenance tasks much easier.
All general configuration options are in the Tools & Settings (Herramientas y configuración) area of the menu. Here are a number of sections that we are going to review to get ready for our WordPress and for optimal security and maintenance.
Apache Web Server Configuration
In the Apache Web Server Settings (Configuración del servidor web Apache) section we will select as MPM mode (Modo MPM) the one of
The Apache modules that we will leave active are as follows:
We should have at least the PHP versions that are officially supported and stable. If they are not all present, we can follow the Plesk Installer link at the top, where we can add or remove PHP versions.
By default we will leave the PHP-FPM options in use with Apache.
PHP 7.3 extensions
PHP 7.4 Extensions
PHP 8.0 Extensions
Applications and databases
Database hosting preferences
We will activate some of the options to increase the security and complexity in the database.
- Add the prefix and an underscore to the beginning of the database names:
Username (Nombre de usuario)
- Add the user name and an underscore to the beginning of the database user names:
- Default settings for remote access for database users:
Allow local connections only (Sólo permitir conexiones locales)
In principle we will configure the server so that the database cannot be accessed from the outside. Many security scanning systems probe MySQL ports for insecure passwords or passwordless access.
Configuring Restricted Mode
In the PHP Settings (Configuración de PHP) tab we will make some changes.
memory_limit: 256M
max_execution_time: 300
max_input_time: 60
post_max_size: 128M
upload_max_filesize: 128M
opcache.enable: On
If we want to have security levels a little higher than normal we can make some configuration changes.
- FTPS usage policy:
Allow only secure FTPS connections (Permitir únicamente conexiones FTPS seguras)
IP Address Ban (Fail2Ban)
- Enable intrusion detection:
Firewall for Web Applications (ModSecurity)
In the “Settings” section we will change to the OWASP set of rules that supports WordPress.
TLS versions and ciphers management
Mozilla TLS and ciphers versions:
enabled, of type
If you have the ImunifyAV option, we will activate this antivirus and server protection system.
We will apply a configuration (in Settings) that will help us improve scanning.
- “Quick Scan” mode: enabled
- Skip images and other media files: enabled
- Optimize scanning by speed: enabled
- Max working threads: 1
- Scheduled rescanning: monthly
- Start automatic scanning at: 04:00
- Max allocated memory for a single working thread (Mb): 768
- Number of days to keep infected files in backup: 7
- Trim malicious file instead of deleting it: off
- Update antivirus databases automatically: enabled
- Allow users to use files ignore list: enabled
- Enable antivirus warning banners: enabled
- Enable ImunifyAV menu shortcut: enabled
- Scanning timeout: Unlimited
- Log level: Normal
To improve the performance of the object cache, we are going to leave Redis ready as a storage system. This installation and configuration will be done through SSH, since Redis does not come with Plesk by default.
apt -y update && apt -y upgrade && apt -y dist-upgrade && apt -y autoremove
apt -y install redis-server
Later, and in the same way as the rest of the elements, we are going to configure it to start automatically if the server is restarted.
systemctl stop redis-server.service
systemctl enable redis-server.service
systemctl start redis-server.service
systemctl status redis-server.service
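The local-only database setting above and the Redis installation both assume these services are not reachable from outside. The following check is an added example, not part of the original tutorial: it reads `ss -H -ltn` output and flags listeners on 3306 or 6379 that are not bound to loopback. The function names and the sample lines are constructed for illustration.

```bash
# Added example: flag MySQL/MariaDB (3306) and Redis (6379) listeners that are
# reachable from outside. Input: output of `ss -H -ltn` (TCP listeners, no header).

# Constructed samples, not captured from a real server.
SAMPLE_HARDENED='LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 [::1]:6379 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_OPEN='LISTEN 0 151 *:3306 *:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Print "port address" for every watched port bound to a non-loopback address.
# $1 (optional): space-separated ports to watch; defaults to MySQL and Redis.
exposed_listeners() {
  awk -v ports="${1:-3306 6379}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/^.*:/, "", port)       # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (!(port in watch)) next
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
      print port, addr
    }'
}

# Exit status 0 when nothing is exposed, 1 otherwise (for cron or monitoring).
check_exposure() {
  found=$(exposed_listeners "$@")
  [ -z "$found" ] && return 0
  printf '%s\n' "$found" | sed 's/^/EXPOSED: /' >&2
  return 1
}

# On the server: ss -H -ltn | check_exposure
printf '%s\n' "$SAMPLE_HARDENED" | check_exposure && echo "hardened sample: nothing exposed"
printf '%s\n' "$SAMPLE_OPEN" | check_exposure || echo "open sample: exposure found"
```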
One of the basic elements in any server that is going to have WordPress is WP-CLI. This is why we will do the installation.
A common situation is that there is no default PHP on the server, so WP-CLI cannot be executed. We can verify that it does not exist by checking its version:
If it returns an error, we will have to decide which version we want to execute by default. For this we can see the list of all available PHP versions:
plesk bin php_handler --list
One of the columns is PHP-CLI, which gives the path we will use to run the version we want. In this case we will use PHP 7.4. First we will validate that it works:
As we want this to be permanent, we will need the WP Toolkit CLI.
plesk bin extension --install wp-toolkit
And now we will configure WP-CLI, in this case for PHP 7.4.
curl -q -O "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar" && \
mv wp-cli.phar /usr/sbin/ && \
chmod +x /usr/sbin/wp-cli.phar && \
if [[ -f /bin/php-cli ]]; then
  alias wp='/bin/php-cli /usr/sbin/wp-cli.phar --allow-root'
else
  alias wp='/opt/plesk/php/7.4/bin/php /usr/sbin/wp-cli.phar --allow-root'
fi
wp --info
If everything has gone correctly, we will see the WP-CLI information after the last command.
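Because the phar above is placed in /usr/sbin and run with --allow-root, it is worth checking the download before installing it. This is an added example, not part of the original tutorial; the `.sha512` URL next to the phar is an assumption about what the WP-CLI builds repository publishes, and the function names are illustrative.

```bash
# Assumption: the builds repository publishes a SHA-512 digest next to the phar.
PHAR_URL="https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar"
SUM_URL="$PHAR_URL.sha512"

# Print the lowercase SHA-512 hex digest of file $1.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# Install $1 to $3 (mode 0755) only if its digest equals the first field of $2.
install_if_verified() {
  phar=$1; sumfile=$2; dest=$3
  expected=$(awk 'NR == 1 {print tolower($1)}' "$sumfile")
  actual=$(sha512_of "$phar")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $phar, not installing" >&2
    return 1
  fi
  install -m 0755 "$phar" "$dest"
}

# On the server (as root):
#   curl -fsSLO "$PHAR_URL" && curl -fsSLO "$SUM_URL" &&
#     install_if_verified wp-cli.phar wp-cli.phar.sha512 /usr/sbin/wp-cli.phar

# Offline demonstration with a constructed file standing in for the download.
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed stand-in for wp-cli.phar\n' > "$tmp/wp-cli.phar"
  sha512_of "$tmp/wp-cli.phar" > "$tmp/wp-cli.phar.sha512"
  install_if_verified "$tmp/wp-cli.phar" "$tmp/wp-cli.phar.sha512" "$tmp/installed.phar" &&
    echo "matching digest: installed"
  echo "appended bytes" >> "$tmp/wp-cli.phar"   # simulate a modified download
  install_if_verified "$tmp/wp-cli.phar" "$tmp/wp-cli.phar.sha512" "$tmp/again.phar" ||
    echo "modified file: rejected"
  rm -rf "$tmp"
}
demo
```

A digest fetched from the same host detects a corrupted or truncated download, not a compromised host.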
Creating a site (domain)
Let’s go to the y
We’ll add the domain, assign the IP address, a strong username and password, and enable the Protect domain with Let’s Encrypt option.
Once the domain is created, we can access its tab.
The first thing we will do is improve the configuration of certificates and security.
We will enter the section and activate HSTS (for 6 months) and Keep websites secured (Conservar los sitios web protegidos), in addition to OCSP Stapling (Asociación de OCSP).
We will make some changes to the PHP settings specific to WordPress.
- memory_limit: 256M
- max_execution_time: 300
- max_input_time: 60
- post_max_size: 128M
- upload_max_filesize: 128M
- opcache.enable: on
- disable_functions: (leave empty)
For the PHP-FPM configuration we can leave it on automatic or configure it with the data from the PHP-FPM Dynamic Configuration section of the WordPress Performance section.
Access to web hosting
Although it is not necessary for all domains, it can be useful to leave bash enabled for running WP-CLI. To do this, in the section Access to the server over SSH (Acceder al servidor vía SSH) we will activate the option
In the Mail Settings we will use the following configuration:
- SSL/TLS certificate for webmail: Let’s Encrypt
- SSL/TLS certificate for mail: Let’s Encrypt
- Use the DKIM anti-spam protection system to sign outgoing email messages
Before creating our WordPress we will create the base email account of any installation, which is
- Create General email
It can be used to access Plesk:
- Create Forward email
Enable mail forwarding
- Configuring Apache and nginx Index Files:
index.php index.html index.htm
Serve static files directly using nginx:
enable the default list (activar la lista por defecto)
When entering the tab of a domain we will see at the top the WordPress section, or also centralized in the options menu under the WordPress tab.
In this case we can centralize everything from the WordPress section. If we already have a server set up, it is best to run a first Scan (Análisis). It will search the entire server for any WordPress installations you have.
On the other hand, through the Install (Instalar) link we can create a WordPress with one click. We will select the different options, being able to choose the administrator user and have the database configured automatically.
If we prefer not to worry about it, we can choose to update WordPress, plugins and themes automatically. Subsequently, we can choose the Smart Update system.
Once the installation is finished, we will see in the list the new site.
The first configuration to review is Fix security (Corregir seguridad). When accessing it we will see a button with which we can run a first Security Check (Comprobación de Seguridad). This will go through the entire list, update it and tell us what is active and what is not.
What should we activate? It will depend a lot on the functionalities of the site that you are going to have, although in general you can activate all those that are pending.
IMPORTANT: If the option Change the default administrator username (Modificar el nombre de usuario predeterminado del administrador) is already correct, it is better not to activate it, since it could change the administrator user. If you are going to run it, please make sure you have an alternate administrator user, even temporarily.
In the list of tools we will mark by default the option Disable wp-cron.php (Desactivar wp-cron.php). This removes the cron system triggered by user visits and converts it to a scheduled task so that it does not get saturated on a high-traffic site.
Apache and nginx configuration
Within the domain tab we will enter the Apache and nginx configuration section, where by default we have Apache activated.
In the case of WordPress we can make some optimizations.
Apache Common Configuration
- Index files:
index.php index.html index.htm
respond with Expires headers only for static files (responder con encabezados Expira únicamente para archivos estáticos)
Additional Apache Directives
In the HTTPS policies part, we will add the following lines…
Header always set Strict-Transport-Security "max-age=10886400; includeSubDomains"
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
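To confirm that the site actually sends these headers, the response can be checked from the command line. This is an added example, not part of the original tutorial; the function names and both sample responses are constructed. In mod_headers, directives without `always` go into the success table only, so they can be missing from error responses that Apache generates itself, which is what the second sample models.

```bash
# Header names the four directives above are expected to produce (lowercase).
REQUIRED='strict-transport-security x-frame-options x-xss-protection x-content-type-options'

# Constructed samples in the format printed by: curl -sI https://your-domain/
SAMPLE_200='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=10886400; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff'
SAMPLE_404='HTTP/1.1 404 Not Found
Strict-Transport-Security: max-age=10886400; includeSubDomains
X-Frame-Options: SAMEORIGIN'

# Print each required header that is absent from the response read on stdin.
missing_headers() {
  resp=$(tr -d '\r' | tr 'A-Z' 'a-z')
  for h in $REQUIRED; do
    printf '%s\n' "$resp" | grep -q "^$h:" || printf '%s\n' "$h"
  done
}

# Print the HSTS max-age converted to whole days (nothing if the header is absent).
hsts_days() {
  tr -d '\r' | awk -F: 'tolower($1) == "strict-transport-security" {
    line = tolower($0)
    if (match(line, /max-age=[0-9]+/))
      print int(substr(line, RSTART + 8, RLENGTH - 8) / 86400)
  }'
}

# On a live site: curl -sI https://your-domain/ | missing_headers
echo "200 response, missing: $(printf '%s\n' "$SAMPLE_200" | missing_headers | tr '\n' ' ')"
echo "404 response, missing: $(printf '%s\n' "$SAMPLE_404" | missing_headers | tr '\n' ' ')"
echo "HSTS max-age in days: $(printf '%s\n' "$SAMPLE_200" | hsts_days)"
```

For the max-age value used on this page, `hsts_days` reports 126.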
To improve the cache, we will use the "Copia en caché (nginx)" option (nginx cached copy). This will activate a layer above the web server that acts as a proxy and cache, which will greatly improve the download of static files. If we enter the configuration we must optimize it.
- Proxy mode:
- Intelligent processing of static files:
- Serve static files directly using nginx:
- We will include the following default extensions:
ac3 avi bmp bz2 css cue dat doc docx dts eot exe flv gif gz htm html ico img iso jpeg jpg js mkv mp3 mp4 mpeg mpg ogg pdf png ppt pptx qt rar rm svg swf tar tgz ttf txt wav woff woff2 xls xlsx zip webp
- Enable nginx cached copy:
- Cache size:
- Cache timeout:
- Cache key:
- Cache requests with cookies:
- Turn off cached copy for locations
- Bypass cache when:
[enabled] Non-cache HTTP headers are received in the request
[enabled] HTTP authorization headers are received in the request
[enabled] The GET nocache parameter is received in the request
- Return cached copied status records:
[enabled] Upload returns 5xx server error
[disabled] Upload returns a 4xx client error
[enabled] The cache is being updated
Enabling caching can lead to some storage issues. Later we must install a plugin that is able to help with this management.
Set up WordPress
This section does not detail the general WordPress settings; it covers only the improvements that are useful for getting the most out of the previous configuration.
Cache with Redis
The first of the plugins that we will install is that of Redis.
Once we have it Installed and Activated, we will go to its configuration and activate it, resulting in a notice that it is active and working.
For the management of PHP OPcache we will use another plugin.
In this case we must first activate the functionality of the plugin.
From that moment we can also see the usage statistics of PHP OPcache.
Adapting WordPress Toolkit
Without a doubt, the WordPress Toolkit for Plesk is a great tool that makes it easy to install and manage WordPress.
A first configuration that you should apply is the default one within the Settings section, where, above all, we will review the additional permissions:
[disabled] Allow copying of wp-config.php when using the data copy feature
[enabled] Always create complete snapshots of websites
[enabled] Use rsync for file copy operations
[enabled] Allow customers to use sets when installing WordPress
[enabled] Disable search engine indexing for cloned websites
[enabled] Disable wp-cron.php on all new WordPress installations
On the other hand, if you usually install a series of plugins and themes by default on your new sites, the Sets section will be key.
In addition, you can customize the plugins and themes, also deciding whether or not you want it to be activated by default on the site.
About this document
This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and to release the material you create under the EUPL license.