DEV Community

Alan Varghese
Alan Varghese

Posted on

How to Set Up a Secure WordPress Website on AWS using LEMP Stack and Let’s Encrypt SSL

#beginners #devops #cloudcomputing #webdev

Building your own website doesn’t require expensive hosting anymore — you can host WordPress securely on AWS for free or at a minimal cost.

In this guide, we’ll walk through setting up a LEMP stack (Linux, Nginx, MySQL, PHP) on an AWS EC2 Ubuntu instance, install WordPress, and secure it using Let’s Encrypt SSL.

By the end, you’ll have your own fully functional WordPress website with HTTPS enabled.

What You’ll Need:

  • AWS account

  • Basic Linux knowledge

  • Domain name (or free No-IP subdomain)

  • SSH client (Mac Terminal, PuTTY, etc.)

Step 1: Launch Your EC2 Instance

  1. Go to AWS Management Console → EC2 → Launch Instance.

  1. Choose Ubuntu 24.04 LTS as the OS.

  2. Select a t2.micro (free-tier eligible).

  3. Configure Security Group:

- 22 (SSH) – your IP only

- 80 (HTTP) – anywhere

- 443 (HTTPS) – anywhere
Enter fullscreen mode Exit fullscreen mode

  1. Download the .pem key and connect via SSH:

ssh -i "your-key.pem" ubuntu@<EC2-Public-IP>

Step 2: Install the LEMP Stack

Install Nginx

sudo apt update sudo apt install nginx -y

sudo systemctl enable nginx

sudo systemctl start nginx

Visit your public IP — you should see the Nginx Welcome Page.

Install MySQL

sudo apt install mysql-server -y

sudo mysql_secure_installation

Install PHP

sudo apt install php-fpm php-mysql -y

Step 3: Configure MySQL for WordPress

Login to MySQL:

sudo mysql -u root -p

Then create a database and user:

CREATE DATABASE wordpress_db DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'StrongPassword123!'; GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_user'@'localhost'; FLUSH PRIVILEGES; EXIT;

Step 4: Install and Configure WordPress

cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xvzf latest.tar.gz
sudo mv wordpress /var/www/html/

Set correct ownership and permissions:

sudo chown -R www-data:www-data /var/www/html/wordpress/
sudo find /var/www/html/wordpress/ -type d -exec chmod 755 {} \;
sudo find /var/www/html/wordpress/ -type f -exec chmod 644 {} \;


Copy and configure the WordPress config file:

cd /var/www/html/wordpress/
sudo cp wp-config-sample.php wp-config.php
sudo nano wp-config.php`

Update the following lines:

define( 'DB_NAME', 'wordpress_db' ); define( 'DB_USER', 'wp_user' ); define( 'DB_PASSWORD', 'StrongPassword123!' ); define( 'DB_HOST', 'localhost' );

Step 5: Configure a Domain Name

You can use a free dynamic DNS domain from No-IP.

  • Create an account.

  • Register a subdomain (e.g., mywordpressite.zapto.org).

  • Point it to your EC2’s public IP.

Update your Nginx config:

sudo nano /etc/nginx/sites-available/wordpress

Example:

server { listen 80; server_name mywordpressite.zapto.org; root /var/www/html/wordpress; index index.php index.html; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.3-fpm.sock; } location ~ /\.ht { deny all; } }

Enable site and test config:

sudo ln -s /etc/nginx/sites-available/wordpress /etc/nginx/sites-enabled/ sudo nginx -t sudo systemctl reload nginx

Step 6: Secure the Site with Let’s Encrypt SSL

Install Certbot:

sudo apt install certbot python3-certbot-nginx -y

Run:

sudo certbot --nginx -d mywordpressite.zapto.org

After completion, Certbot:

  • Adds SSL configuration automatically

  • Sets up automatic HTTPS redirection

  • Renews certificates automatically

Verify renewal setup:

sudo systemctl list-timers

Step 7: Complete WordPress Installation

Visit:

https://mywordpressite.zapto.org

You’ll see the WordPress installation page.

Follow on-screen steps to create your admin account and site name.

Troubleshooting:

  • 502 Bad Gateway = Restart PHP service and check socket.
  • Error Establishing DB Connection = Verify DB credentials.
  • Certbot Fails = Ensure domain points to EC2 public IP and port 80 is open.
  • Public IP Changes = Use Elastic IP or install No-IP dynamic client.

💡 Final Notes

  • Use sudo systemctl status nginx and sudo systemctl status php8.3-fpm to verify services.

  • Back up your database and WordPress files regularly.

  • Always renew SSL before expiry (sudo certbot renew --dry-run).

👤 About the Author

Hi! I’m Alan Varghese, a beginner DevOps and Cybersecurity enthusiast currently learning AWS, Linux, and automation through hybrid real-world projects.

I’m building hands-on experience with cloud deployments, security hardening, and CI/CD tools.

Contact:

Top comments (0)