Environment: Debian 12 (Ubuntu 22.04 works the same way; package names may differ slightly)
Goal: one-shot setup of the LNMP stack, WordPress installation, Nginx configuration, HTTPS certificate issuance and automatic renewal
Prerequisites: a server with a public IP and a domain that already resolves to it (DNS A record pointing straight at the server IP; do not enable a CDN/proxy for now)
Audience: first install on a fresh machine, quick launches, repeatable runs. The script is idempotent (running it more than once does not damage existing data or configuration).
0) One-shot script (recommended)
1. Write the parameters (first edit the 6 variables below to match your setup)
cat > /root/wp_auto_vars.sh <<'EOF'
# ========== parameters you must change ==========
DOMAIN="example.com" # apex domain, without http/https (the script adds www. itself)
EMAIL="[email protected]" # used to register with Let's Encrypt
DB_NAME="wpdb" # WordPress database name
DB_USER="wpuser" # WordPress database user
DB_PASS="$(openssl rand -base64 24 | tr '/+' '_-')" # strong password; if you set your own, avoid / & \ | ' which break the quoting in steps 3 and 8
WWWROOT="/var/www/${DOMAIN}" # site document root
PHPVER="8.2" # Debian 12 ships 8.2 by default
# ========== parameters you must change ==========
EOF
2. One-shot install script
cat > /root/wp_auto_install.sh <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
source /root/wp_auto_vars.sh
echo "==> Using:"
echo "DOMAIN = $DOMAIN"
echo "EMAIL = $EMAIL"
echo "DB_NAME= $DB_NAME"
echo "DB_USER= $DB_USER"
echo "DB_PASS= $DB_PASS"
echo "WWWROOT= $WWWROOT"
echo "PHPVER = $PHPVER"
sleep 2
echo "==> Step 1/9: 更新系统并安装组件"
apt update
# rsync is used by Step 4 and is not part of a minimal Debian install, so it is installed here
apt install -y nginx mariadb-server \
    php${PHPVER} php${PHPVER}-fpm php${PHPVER}-mysql php${PHPVER}-curl \
    php${PHPVER}-xml php${PHPVER}-gd php${PHPVER}-mbstring php${PHPVER}-zip php${PHPVER}-intl \
    curl unzip tar rsync certbot
systemctl enable --now nginx mariadb php${PHPVER}-fpm
echo "==> Step 2/9: 创建站点目录"
mkdir -p "${WWWROOT}"
chown -R www-data:www-data "${WWWROOT}"
chmod -R 755 "${WWWROOT}"
echo "==> Step 3/9: 初始化 MariaDB(安全配置 + 创建库/用户)"
mysql -e "CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';"
mysql -e "GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost'; FLUSH PRIVILEGES;"
echo "==> Step 4/9: 下载并部署 WordPress 到 ${WWWROOT}"
cd /tmp
curl -fsSLO https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
rsync -a wordpress/ "${WWWROOT}/"
chown -R www-data:www-data "${WWWROOT}"
echo "==> Step 5/9: 80 端口临时站点(用于 ACME 校验)"
cat > /etc/nginx/sites-available/${DOMAIN}.conf <<NGX
server {
    listen 80;
    listen [::]:80;
    server_name ${DOMAIN} www.${DOMAIN};
    root ${WWWROOT};
    index index.php index.html;
    location ^~ /.well-known/acme-challenge/ {
        root ${WWWROOT};
        default_type "text/plain";
        allow all;
    }
    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php${PHPVER}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.ht { deny all; }
}
NGX
ln -sf /etc/nginx/sites-available/${DOMAIN}.conf /etc/nginx/sites-enabled/${DOMAIN}.conf
nginx -t && systemctl reload nginx
echo "==> Step 6/9: 申请 HTTPS 证书(webroot 模式)"
certbot certonly --webroot -w "${WWWROOT}" \
-d "${DOMAIN}" -d "www.${DOMAIN}" \
--email "${EMAIL}" --agree-tos -n --rsa-key-size 4096
echo "==> Step 7/9: 写入 Nginx HTTPS 配置(含 80→443 跳转)"
cat > /etc/nginx/sites-available/${DOMAIN}.conf <<NGX
server {
    listen 80; listen [::]:80;
    server_name ${DOMAIN} www.${DOMAIN};
    root ${WWWROOT};
    location ^~ /.well-known/acme-challenge/ { root ${WWWROOT}; default_type "text/plain"; allow all; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2; listen [::]:443 ssl http2;
    server_name ${DOMAIN} www.${DOMAIN};
    root ${WWWROOT}; index index.php index.html;
    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / { try_files \$uri \$uri/ /index.php?\$args; }
    location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|webp|woff2?)$ {
        expires 7d;
        access_log off;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php${PHPVER}-fpm.sock;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.ht { deny all; }
}
NGX
nginx -t && systemctl reload nginx
echo "==> Step 8/9: 生成 wp-config.php(写入 DB + 盐)"
cd "${WWWROOT}"
if [ ! -f wp-config.php ]; then
    cp wp-config-sample.php wp-config.php
    sed -i "s/database_name_here/${DB_NAME}/" wp-config.php
    sed -i "s/username_here/${DB_USER}/" wp-config.php
    # | is used as the sed delimiter so a password containing / cannot break the substitution
    sed -i "s|password_here|${DB_PASS}|" wp-config.php
    # replace the 8 placeholder salts with random values (/ is swapped for _ so sed accepts them)
    for i in {1..8}; do
        RND=$(openssl rand -base64 48 | tr -d '\n' | sed "s/\//_/g")
        sed -i "0,/put your unique phrase here/s//${RND}/" wp-config.php
    done
fi
chown -R www-data:www-data "${WWWROOT}"
echo "==> Step 9/9: 证书自动续期(续期后自动 reload Nginx)"
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh <<'HOOK'
#!/usr/bin/env bash
systemctl reload nginx
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh
systemctl enable --now certbot.timer || true
echo "==> ALL DONE"
echo "访问:https://${DOMAIN} 完成 WordPress 安装向导(站点标题、管理员账号等)"
EOF
chmod +x /root/wp_auto_install.sh
3. Run the one-shot script
sudo -i # switch to root first (recommended)
bash /root/wp_auto_install.sh
When it finishes, open https://your-domain in a browser → the WordPress setup wizard appears (site title, admin account, etc.). 🎉
Why is this robust? The ACME validation runs on the plain port-80 site first → only after it succeeds does the configuration switch to HTTPS with a site-wide 301; webroot mode avoids interference from odd rewrite rules; certbot.timer is installed together with a deploy hook that reloads Nginx automatically; and the script runs with set -euo pipefail, so it stops at the first error instead of leaving a half-finished install.
1) Common problems and troubleshooting
① Certificate request fails / 403
- Confirm that the DNS A record resolves to this server's IP, and do not enable a CDN/proxy (on Cloudflare use "grey cloud / DNS only").
- Open ports 80/443 in the server firewall:
ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status
② Test the Nginx configuration
nginx -t && systemctl reload nginx
③ Verify automatic certificate renewal
certbot renew --dry-run
After a renewal, /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh runs automatically and Nginx is reloaded.
2) Want to change the configuration? (variable reference)
nano /root/wp_auto_vars.sh
DOMAIN="example.com" # apex domain (without http/https)
EMAIL="[email protected]" # Let's Encrypt contact address
DB_NAME="wpdb" # database name
DB_USER="wpuser" # database user
DB_PASS="强密码" # a fixed password of your own (avoid / & \ | ')
WWWROOT="/var/www/${DOMAIN}" # site document root
PHPVER="8.2" # Debian 12 ships 8.2 by default
Then simply run the script again:
bash /root/wp_auto_install.sh
The script is idempotent: an existing database, certificate and site configuration are updated safely (the Nginx config of the same name is overwritten when necessary).
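A pre-flight check for the vars file, added here as an example (it is not part of the original post or the install script): it sources the vars file in a subshell and rejects the values that would stop the installer halfway or, worse, let it run chown/chmod -R on the wrong directory. The names check_*, validate_vars_file and wp_preflight.sh are my own.

```shell
#!/usr/bin/env bash
# Pre-flight check for /root/wp_auto_vars.sh (added example, not from the original post).
# Rejects values that would stop the installer halfway or damage the host: a DOMAIN with a
# scheme or with the www. prefix the script adds itself, an EMAIL Let's Encrypt rejects,
# a DB_PASS with characters that break the sed/MySQL quoting in steps 3/8, a WWWROOT of "/"
# (the script runs chown/chmod -R on it) or with "..", and a PHPVER that is not major.minor.
set -u

check_domain() {   # bare apex hostname such as example.com; the script adds www. itself
  case "$1" in www.*) return 1 ;; esac
  printf '%s' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
}
check_email() {    # one @, a dot in the domain part, no whitespace
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}
check_dbpass() {   # >= 16 chars; / | are sed delimiters, & \ are special in the replacement, ' ends the SQL literal
  [ "${#1}" -ge 16 ] && ! printf '%s' "$1" | grep -q "[\\/&|']"
}
check_wwwroot() {  # absolute path, never the filesystem root, no parent traversal
  case "$1" in
    /) return 1 ;;
    */../*|*/..) return 1 ;;
    /?*) return 0 ;;
    *) return 1 ;;
  esac
}
check_phpver() {   # major.minor, e.g. 8.2 (used to build package names such as php8.2-fpm)
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+$'
}

# Source the vars file in a subshell, run every check, return the number of failures (0 = safe to run).
validate_vars_file() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  (
    # shellcheck disable=SC1090
    . "$1"
    fails=0
    check_domain  "${DOMAIN:-}"  || { echo "BAD DOMAIN='${DOMAIN:-}' (apex name only, no http/https, no www.)"; fails=$((fails+1)); }
    check_email   "${EMAIL:-}"   || { echo "BAD EMAIL='${EMAIL:-}'"; fails=$((fails+1)); }
    check_dbpass  "${DB_PASS:-}" || { echo "BAD DB_PASS (shorter than 16 chars or contains one of / & \\ | ')"; fails=$((fails+1)); }
    check_wwwroot "${WWWROOT:-}" || { echo "BAD WWWROOT='${WWWROOT:-}' (absolute path, never /)"; fails=$((fails+1)); }
    check_phpver  "${PHPVER:-}"  || { echo "BAD PHPVER='${PHPVER:-}'"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "vars OK: DOMAIN=${DOMAIN:-} WWWROOT=${WWWROOT:-} PHPVER=${PHPVER:-}"
    exit "$fails"
  )
}

# Usage: bash wp_preflight.sh /root/wp_auto_vars.sh && bash /root/wp_auto_install.sh
if [ "$#" -gt 0 ]; then validate_vars_file "$1"; fi
```

The unedited placeholder EMAIL in the vars file is reported as bad, which is the point: the check refuses to run the installer until every parameter has been set.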
3) Manual step-by-step command list (without the script)
# 0. Variables
DOMAIN="example.com"
EMAIL="[email protected]"
DB_NAME="wpdb"
DB_USER="wpuser"
DB_PASS="$(openssl rand -base64 24 | tr '/+' '_-')"
WWWROOT="/var/www/${DOMAIN}"
PHPVER="8.2"
# 1. Install components (rsync is used in step 3)
apt update
apt install -y nginx mariadb-server php${PHPVER} php${PHPVER}-fpm php${PHPVER}-mysql \
    php${PHPVER}-curl php${PHPVER}-xml php${PHPVER}-gd php${PHPVER}-mbstring php${PHPVER}-zip php${PHPVER}-intl \
    curl unzip tar rsync certbot
systemctl enable --now nginx mariadb php${PHPVER}-fpm
# 2. Database
mysql -e "CREATE DATABASE IF NOT EXISTS \`${DB_NAME}\` DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "CREATE USER IF NOT EXISTS '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASS}';"
mysql -e "GRANT ALL PRIVILEGES ON \`${DB_NAME}\`.* TO '${DB_USER}'@'localhost'; FLUSH PRIVILEGES;"
# 3. WordPress
mkdir -p "$WWWROOT"
cd /tmp && curl -fsSLO https://wordpress.org/latest.tar.gz && tar -xzf latest.tar.gz
rsync -a wordpress/ "$WWWROOT/"
chown -R www-data:www-data "$WWWROOT"
# 4. Nginx HTTP site (no HTTPS redirect yet): write the port-80 server block from Step 5 of the
#    one-shot script to /etc/nginx/sites-available/${DOMAIN}.conf, then enable it
ln -sf /etc/nginx/sites-available/${DOMAIN}.conf /etc/nginx/sites-enabled/${DOMAIN}.conf
nginx -t && systemctl reload nginx
# 5. Certificate (webroot mode)
certbot certonly --webroot -w "$WWWROOT" -d "$DOMAIN" -d "www.$DOMAIN" \
    --email "$EMAIL" --agree-tos -n --rsa-key-size 4096
# 6. Nginx HTTPS site with 80→443 redirect: replace the file with the two server blocks from
#    Step 7 of the one-shot script, then reload
nginx -t && systemctl reload nginx
# 7. wp-config.php (database settings + salts)
cd "$WWWROOT"
if [ ! -f wp-config.php ]; then
    cp wp-config-sample.php wp-config.php
    sed -i "s/database_name_here/${DB_NAME}/; s/username_here/${DB_USER}/; s|password_here|${DB_PASS}|" wp-config.php
    for i in {1..8}; do
        RND=$(openssl rand -base64 48 | tr -d '\n' | sed "s/\//_/g")
        sed -i "0,/put your unique phrase here/s//${RND}/" wp-config.php
    done
fi
chown -R www-data:www-data "$WWWROOT"
# 8. Renewal deploy hook (reload Nginx after every renewal)
mkdir -p /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh <<'HOOK'
#!/usr/bin/env bash
systemctl reload nginx
HOOK
chmod +x /etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh
systemctl enable --now certbot.timer || true
4) Follow-up recommendations (security & performance)
Security
- Database root password: Debian's default root account authenticates via unix_socket with no password; set a root password and restrict remote access if you need one.
- SSH: change the default port and allow key-based login only; fail2ban can be enabled as well.
- Nginx: enable HSTS when appropriate (only after you have confirmed the site works correctly over HTTPS).
- WordPress: change the admin login path / enable two-factor authentication; back up the database and wp-content regularly.
Performance
- PHP OPcache: enabled by default on Debian 12; tune it in /etc/php/8.2/fpm/php.ini (e.g. opcache.memory_consumption).
- Nginx caching of static assets is already configured (7 days); add page caching / object caching (e.g. Redis) as needed.
- Media uploads: set sensible limits for client_max_body_size (Nginx) and upload_max_filesize/post_max_size (PHP).
Cloudflare / CDN
- Always request the certificate with the record on "grey cloud (DNS only)"; switch to "orange cloud (proxied)" only after it has been issued.
- Use port 443 consistently for origin connections; consider Origin CA or a self-signed origin certificate if needed (the public certificate used here already covers most cases).
Ubuntu 22.04 differences
- PHP packages are usually php8.1/php8.2 (add a PPA or use the distribution's own version); the remaining commands are essentially the same.
- ufw works the same for the firewall; systemd operations are identical.
If IPv6 is enabled and a DNS AAAA record is live, certificate issuance and site access depend on your server's v6 reachability; make sure the security group/firewall allows 80/443 over IPv6 as well.
5) One-page cheat sheet
- DNS: A record → server IP; leave the CDN off for now
- Run: vars file → one-shot script → finish the setup wizard in the browser
- Certificate: webroot validation, certbot.timer auto-renewal + Nginx reload
- Security: SSH hardening, minimal database exposure, WP two-factor authentication
- Performance: OPcache, static caching, object caching (optional)
That's it: a reliable, maintainable WordPress production environment is in place. Good luck with the launch, and may your traffic explode! 🎉