How To Install WordPress on Debian 13

WordPress powers over 43% of all websites on the internet, making it the undisputed leader in content management systems. When combined with Debian 13’s rock-solid stability and enhanced security features, you get a powerful platform for hosting professional websites. This comprehensive guide walks through installing WordPress on Debian 13 using the LAMP stack (Linux, Apache, MariaDB, PHP), complete with SSL encryption and security hardening measures. The entire process takes approximately 15-20 minutes and results in a production-ready WordPress installation.

Debian 13, codenamed “Trixie,” brings significant improvements including PHP 8.4 support, updated packages, and enhanced performance optimizations that make it an excellent choice for WordPress hosting. Whether you’re launching a personal blog, business website, or e-commerce platform, this step-by-step tutorial provides everything needed to get WordPress running smoothly on Debian 13.

Prerequisites

Before starting the installation process, ensure you have the following requirements in place. A fresh Debian 13 server with at least 1GB RAM is necessary, though 2GB is recommended for optimal performance. Root or sudo privileges are essential for executing system commands throughout this tutorial.

A valid domain name should already point to your server’s IP address through DNS A records. Basic familiarity with Linux command line operations will help you follow along more easily. SSH access to your server is required, and firewall ports 80 (HTTP) and 443 (HTTPS) must be open for web traffic.

Update System Packages

Keeping your system updated ensures you have the latest security patches and bug fixes. Begin by logging into your Debian 13 server via SSH and updating the package repository information.

sudo apt update && sudo apt upgrade -y

The apt update command refreshes the package lists from repositories, while apt upgrade installs available updates for currently installed packages. The -y flag automatically confirms the installation prompts. If kernel updates are applied during this process, reboot your server to ensure all changes take effect.

Install Apache Web Server

Apache serves as the foundation of your web server, handling HTTP requests and delivering WordPress content to visitors. Install Apache2 using the default Debian package manager.

sudo apt install apache2 -y

After installation completes, start the Apache service and enable it to launch automatically at system boot.

sudo systemctl start apache2
sudo systemctl enable apache2

Verify that Apache is running correctly by checking its service status.

sudo systemctl status apache2

You should see an active (running) status in green text. Test the web server by opening your browser and navigating to your server’s IP address. The default Apache2 Debian welcome page confirms successful installation.

Install MariaDB Database Server

WordPress requires a database to store all website content, user information, and configuration settings. MariaDB, a MySQL-compatible database server, provides excellent performance and reliability.

sudo apt install mariadb-server mariadb-client -y

Start and enable the MariaDB service.

sudo systemctl start mariadb
sudo systemctl enable mariadb

Secure your database installation by running the security script.

sudo mariadb-secure-installation

The script presents several security prompts. When asked to switch to unix_socket authentication, enter N since Debian 13 already uses this by default. Set a strong root password when prompted, using a combination of uppercase letters, lowercase letters, numbers, and special characters.

Answer Y to remove anonymous users, which prevents unauthorized database access. Disable remote root login by answering Y, as root should only connect from localhost. Remove the test database by selecting Y since it’s unnecessary for production environments. Finally, reload privilege tables with Y to apply all security changes immediately.

Install PHP and Required Extensions

PHP processes WordPress code and generates dynamic web pages. Debian 13 includes PHP 8.4, which offers significant performance improvements and security enhancements over previous versions.

sudo apt install php libapache2-mod-php php-mysql php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip -y

This command installs PHP along with essential extensions that WordPress requires for full functionality. The php-mysql extension enables database connectivity, while php-gd handles image processing for media uploads. The php-curl extension facilitates external HTTP requests, and php-mbstring provides multibyte string handling for international character sets.

Verify your PHP installation by checking the version.

php -v

The output should display PHP 8.4 along with copyright and license information. You can also view all installed PHP modules.

php -m

Create WordPress Database and User

WordPress needs a dedicated database and user account with appropriate privileges. Log into MariaDB as the root user.

sudo mysql -u root -p

Enter the root password you set during the security configuration. Create a new database for WordPress using UTF8MB4 character encoding, which supports all Unicode characters including emojis.

CREATE DATABASE wordpress_db DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

Create a dedicated database user and assign a strong password.

CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'your_strong_password';

Replace your_strong_password with a secure password of your choice. Grant all privileges on the WordPress database to this user.

GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wordpress_user'@'localhost';

Flush privileges to ensure the changes take effect immediately.

FLUSH PRIVILEGES;

Exit the MariaDB shell.

EXIT;

Download and Extract WordPress

Navigate to the web root directory where WordPress files will reside.

cd /tmp

Download the latest WordPress version from the official website.

wget https://wordpress.org/latest.tar.gz

Extract the downloaded archive.

tar -xvzf latest.tar.gz

Move the WordPress files to your desired web directory.

sudo mv wordpress /var/www/html/

Remove the downloaded archive to free up disk space.

rm latest.tar.gz

Configure WordPress Database Connection

WordPress needs to know how to connect to your database. Navigate to the WordPress directory.

cd /var/www/html/wordpress

Copy the sample configuration file to create your actual configuration.

sudo cp wp-config-sample.php wp-config.php

Open the configuration file using your preferred text editor.

sudo nano wp-config.php

Locate the database connection settings and update them with your database information.

define('DB_NAME', 'wordpress_db');
define('DB_USER', 'wordpress_user');
define('DB_PASSWORD', 'your_strong_password');
define('DB_HOST', 'localhost');

Replace the placeholder values with your actual database name, username, and password. WordPress requires unique authentication keys and salts for enhanced security. Visit https://api.wordpress.org/secret-key/1.1/salt/ in your browser to generate random keys.

Copy the generated keys and replace the existing placeholder values in wp-config.php. For additional security, consider changing the database table prefix from wp_ to something unique.

$table_prefix = 'wpx_';

Save and close the file by pressing Ctrl+X, then Y, then Enter in nano.

Set Proper File Permissions

Correct file permissions ensure WordPress functions properly while maintaining security. Change ownership of all WordPress files to the Apache user.

sudo chown -R www-data:www-data /var/www/html/wordpress

Set appropriate directory permissions.

sudo find /var/www/html/wordpress -type d -exec chmod 755 {} \;

Set proper file permissions.

sudo find /var/www/html/wordpress -type f -exec chmod 644 {} \;

These permissions allow the web server to read and serve files while preventing unauthorized modifications.

Create Apache Virtual Host

Apache Virtual Hosts allow you to host multiple websites on a single server. Create a new configuration file for your WordPress site.

sudo nano /etc/apache2/sites-available/wordpress.conf

Add the following Virtual Host configuration, replacing your-domain.com with your actual domain name.

<VirtualHost *:80>
    ServerAdmin admin@your-domain.com
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html/wordpress

    <Directory /var/www/html/wordpress>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/wordpress_error.log
    CustomLog ${APACHE_LOG_DIR}/wordpress_access.log combined
</VirtualHost>

The AllowOverride All directive enables WordPress to use .htaccess files for URL rewriting, which is essential for pretty permalinks. Save and close the file.

Enable the Apache rewrite module, which WordPress requires for clean URLs.

sudo a2enmod rewrite

Enable your new Virtual Host configuration.

sudo a2ensite wordpress.conf

Disable the default Apache site to prevent conflicts.

sudo a2dissite 000-default.conf

Test your Apache configuration for syntax errors.

sudo apachectl configtest

You should see “Syntax OK” in the output. Reload Apache to apply the changes.

sudo systemctl reload apache2

Complete WordPress Installation via Browser

Open your web browser and navigate to your domain name. The WordPress installation wizard appears automatically. Select your preferred language from the dropdown menu and click Continue.

The welcome screen displays information about what you’ll need. Click “Let’s go!” to proceed. WordPress displays the Site Information form where you’ll configure your website details.

Enter a descriptive Site Title that represents your website. Choose a unique Username for the administrator account, avoiding common names like “admin” which are prime targets for hackers. Create a strong Password using the WordPress password generator or your own secure password.

Provide a valid Email Address for administrative notifications and password recovery. Decide whether to discourage search engines from indexing your site during development by checking the visibility option. Click “Install WordPress” to complete the setup.

WordPress displays a success message upon completion. Click “Log In” and enter your administrator credentials to access the WordPress dashboard. The dashboard provides access to all WordPress features including posts, pages, themes, plugins, and settings.

Secure WordPress Installation

Security should be a top priority for any WordPress installation. Restrict permissions on the wp-config.php file since it contains sensitive database credentials.

sudo chmod 440 /var/www/html/wordpress/wp-config.php

Disable file editing from the WordPress admin panel by adding this line to wp-config.php.

define('DISALLOW_FILE_EDIT', true);

This prevents potential attackers from modifying theme and plugin files through the WordPress interface. Disable XML-RPC if you don’t need it, as it’s frequently targeted for brute force attacks.

Add the following code to your .htaccess file.

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Change the default WordPress login URL by installing a security plugin like WPS Hide Login, which makes it harder for bots to find your login page. Limit login attempts to prevent brute force attacks by installing a plugin like Limit Login Attempts Reloaded.

Enable two-factor authentication for all administrator accounts using plugins like Google Authenticator or Wordfence. Regular backups are crucial for disaster recovery. Install a backup plugin like UpdraftPlus and configure automatic daily backups to remote storage.

Install SSL Certificate with Let’s Encrypt

SSL certificates encrypt data transmitted between your server and visitors, protecting sensitive information and improving SEO rankings. Install Certbot, the official Let’s Encrypt client.

sudo apt install certbot python3-certbot-apache -y

Run Certbot to obtain and install your SSL certificate.

sudo certbot --apache -d your-domain.com -d www.your-domain.com

Replace your-domain.com with your actual domain. Certbot prompts you to provide an email address for renewal notifications and important security updates. Agree to the Terms of Service and decide whether to share your email with the Electronic Frontier Foundation.

Certbot automatically configures Apache to use the SSL certificate and redirects HTTP traffic to HTTPS. Choose option 2 to redirect all traffic to secure HTTPS connections when prompted. Test your SSL certificate by visiting your website with https:// prefix.

Verify that automatic renewal is configured by running a dry-run test.

sudo certbot renew --dry-run

If the test succeeds, your certificate will automatically renew before expiration. Let’s Encrypt certificates are valid for 90 days and renew automatically through a systemd timer.

Update WordPress to use HTTPS for all URLs. Log into the WordPress dashboard and navigate to Settings > General. Change both the WordPress Address (URL) and Site Address (URL) to use https:// instead of http://. Click “Save Changes” at the bottom of the page.

Optimize PHP Configuration

PHP optimization significantly improves WordPress performance and enables larger file uploads. Locate your PHP configuration file.

sudo nano /etc/php/8.4/apache2/php.ini

Adjust the following settings to optimize WordPress performance.

upload_max_filesize = 64M
post_max_size = 128M
memory_limit = 256M
max_execution_time = 300
max_input_time = 300

These values allow uploading larger media files and prevent timeout errors on resource-intensive operations. Enable and configure OPcache for significant performance improvements.

opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2

OPcache stores precompiled PHP bytecode in memory, reducing CPU usage and improving response times. Save the file and restart Apache to apply changes.

sudo systemctl restart apache2

Verify the changes in WordPress by navigating to Tools > Site Health and checking the PHP information section.

Post-Installation Configuration

Essential plugins enhance WordPress functionality and security. Install a comprehensive security plugin like Wordfence Security or Sucuri Security to protect against malware, brute force attacks, and other threats. Configure the security plugin to enable firewall protection and malware scanning.

Install a caching plugin such as WP Super Cache or W3 Total Cache to dramatically improve page load speeds. Caching plugins generate static HTML files, reducing database queries and server resources. Configure your caching plugin according to your hosting environment and traffic patterns.

Add an SEO plugin like Yoast SEO or Rank Math to optimize content for search engines. These plugins help with meta descriptions, XML sitemaps, breadcrumbs, and content analysis. Install a backup solution like UpdraftPlus or BackWPup to automate regular backups of your database and files.

Configure WordPress permalinks for SEO-friendly URLs. Navigate to Settings > Permalinks and select “Post name” structure. This creates clean URLs that include post titles rather than ID numbers. Click “Save Changes” to update your permalink structure.

Choose a professional WordPress theme that aligns with your website goals. The Appearance section of the dashboard allows you to browse, preview, and install themes. Consider responsive design, loading speed, and customization options when selecting a theme.

Troubleshooting Common Issues

Error Establishing Database Connection indicates WordPress cannot connect to MariaDB. Verify database credentials in wp-config.php match the database name, username, and password you created. Confirm MariaDB is running with sudo systemctl status mariadb. Test database connectivity by logging into MariaDB with the WordPress user credentials.

403 Forbidden errors occur when file permissions are incorrectly set. Check that all WordPress files are owned by www-data and have appropriate permissions. Verify your Apache Virtual Host configuration includes AllowOverride All in the Directory block. Examine the .htaccess file for syntax errors that might cause access issues.

500 Internal Server errors indicate server-side problems requiring log analysis. Check Apache error logs with sudo tail -f /var/log/apache2/error.log to identify specific issues. Increase PHP memory_limit if you see memory exhaustion errors. Deactivate recently installed plugins by renaming the plugins directory via SSH to identify conflicts.

White Screen of Death occurs when PHP encounters fatal errors. Enable debugging by adding define('WP_DEBUG', true); to wp-config.php. Check PHP error logs at /var/log/apache2/error.log for specific error messages. Increase memory_limit in php.ini if memory exhaustion is reported.

Permalink issues preventing pretty URLs typically result from missing mod_rewrite. Enable the Apache rewrite module with sudo a2enmod rewrite and restart Apache. Verify AllowOverride is set to All in your Virtual Host configuration. Resave permalink settings in the WordPress dashboard to regenerate the .htaccess file.

Performance Optimization Best Practices

Website speed directly impacts user experience and search engine rankings. Implement caching at multiple levels including browser caching, page caching, and object caching. Configure your caching plugin to generate static HTML pages and enable browser caching headers.

Enable Gzip compression in Apache to reduce bandwidth usage and improve load times. Add this code to your .htaccess file.

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
</IfModule>

Optimize images before uploading by compressing them and using appropriate dimensions. Install an image optimization plugin like Smush or ShortPixel to automatically compress images upon upload. Use lazy loading to defer loading images until they enter the viewport, reducing initial page load time.

Minimize the number of installed plugins, keeping only essential ones active. Each plugin adds code that must execute on every page load, potentially slowing your site. Audit plugins regularly and remove unused ones.

Consider implementing a Content Delivery Network (CDN) to serve static assets from geographically distributed servers. CDNs reduce latency by delivering content from servers closest to your visitors. Popular options include Cloudflare, StackPath, and BunnyCDN.

Optimize your database by removing post revisions, spam comments, and transient options. Install a database optimization plugin like WP-Optimize to automate regular cleanup tasks. Keep your database lean to ensure fast query execution.

Security Best Practices for Long-Term Protection

Maintain a regular update schedule for WordPress core, themes, and plugins. Outdated software contains known vulnerabilities that attackers actively exploit. Enable automatic updates for minor WordPress releases and security patches.

Implement strong password policies requiring complex passwords for all user accounts. Use a password manager to generate and store unique passwords. Enforce password requirements through security plugins that check password strength during registration.

Configure a web application firewall (WAF) to filter malicious traffic before it reaches WordPress. Security plugins like Wordfence and Sucuri include WAF functionality. Consider using Cloudflare’s free WAF for additional protection at the DNS level.

Install and configure Fail2ban to automatically block IP addresses exhibiting malicious behavior. Fail2ban monitors log files and creates firewall rules to ban suspicious IPs after multiple failed login attempts.

sudo apt install fail2ban -y

Create a custom jail configuration for WordPress authentication.

sudo nano /etc/fail2ban/jail.local

Add WordPress-specific rules to protect your login page.

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/apache2/access.log
maxretry = 3
bantime = 3600

Regular security audits help identify vulnerabilities before attackers exploit them. Use security scanning plugins to check for malware, outdated software, and configuration issues. Schedule scans to run automatically at least weekly.

Limit the number of users with administrator privileges to reduce attack surface. Create role-based accounts with minimum necessary permissions for contributors and editors. Review user accounts quarterly and remove inactive users promptly.

Congratulations! You have successfully installed WordPress. Thanks for using this tutorial to install the latest version of WordPress CMS on Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official WordPress website.