Don’t Use the 1-Click WordPress Installer on DigitalOcean

DigitalOcean supports plenty of applications through their Marketplace, including WordPress. These are essentially disk images, which you can deploy to the cloud with just one click. Well, maybe a few clicks.

In this article we’ll look at what exactly is in the WordPress image provided by DigitalOcean, at the benefits and drawbacks of using the 1-click installer, and at some alternatives for installing WordPress on DigitalOcean.

What’s in the Image?

WordPress on the DigitalOcean Marketplace

According to the Marketplace description, the WordPress image includes the Ubuntu 20.04 operating system, and all the software necessary to run a fully functional WordPress website, including an Apache HTTP server, a MySQL database server, the PHP interpreter, and of course WordPress itself. Additionally, the Marketplace image includes Fail2ban, Postfix and Certbot, which we’ll dig into soon.

The notes also mention that the UFW firewall will be configured to allow SSH, HTTP and HTTPS access, the database configuration for WordPress will be created automatically, Apache will be configured to support permalinks in WordPress, oh and it’ll also disable XML-RPC to “help prevent DDoS and other bruteforce attacks” — questionable, but we’ll let this one slide.

Let’s provision a server using this WordPress image and look around.

Creating the WordPress Droplet

During the creation stage we’re asked the regular questions: the droplet size, region, any additional volumes, SSH keys and other options. In addition to that, we’re given the option to add a managed database cluster for an additional fee. Not a terrible idea, so let’s try it out.

Provisioning WordPress Droplet

It took about a minute to provision. We immediately SSH’d into the server as root per the instructions on the Marketplace page, and had to wait about 15 more minutes for our “database to become available”:

Database provisioning on WordPress Droplet

We’re assuming that if we had opted out of the managed database option, this step would have been much quicker. The progress could also be seen in the Manage – Databases section of the DigitalOcean control panel:

DigitalOcean Managed Database provisioning

After the database cluster finished provisioning, the install script asked for a domain or subdomain to use with the site, and a few other things like admin e-mail, login and password. This information was used to install and configure WordPress using WP-CLI.

During this process the wp-fail2ban plugin was also installed. That’s great for security, though the admin notice in the wp-admin dashboard prompting us to opt in to tracking, as well as the constant nudging in the top-level menu to upgrade to the pro version and paid addons, threw us off.

WP-Fail2ban

Strangely though, the installed version of core WordPress was a major release, as well as a few minor releases, behind the latest stable version (5.8 vs 5.9, 5.8.1, 5.8.2 or 5.8.3). This is extremely insecure (considering 5.8.2 and 5.8.3 were security releases), but luckily the version was automatically updated when the WordPress Cron spawned for the first time.

The Pros and Cons

Overall, it was a fully working WordPress installation, ready to go, or almost ready. Let’s start with the pros:

  • It took less than a minute to create the Droplet
  • (Eventually) the latest version of WordPress was installed
  • WP-CLI was ready and available, most commands worked as expected
  • Connecting the database was a breeze
  • Fail2ban was installed and configured, not only for SSH, but also (at least partially) for WordPress authentication
  • The installation is pretty much standard, a few PPA sources were added for newer versions of PHP and MySQL
  • PHP8 out of the box, hopefully the themes and plugins you’re planning to use are already compatible

There are a few cons as well:

  • There’s no easy way to add another WordPress site to the same Droplet
  • The default core wp db export command yielded a warning. Attempting to then import that file using wp db import resulted in an error (access denied, need SUPER and other privileges)
  • The wp-fail2ban plugin is a terrible option considering it’s a freemium plugin with constant nudges to upgrade to the paid version, or buy paid addons. Other than being unnecessarily bloated and over-engineered, this plugin also seems to lack support for application passwords, which is a WordPress core feature. Here’s a good guide on how to protect WordPress with fail2ban.
  • There’s no page caching implementation out of the box
  • You’ll need to manually replace HTTP links if you opt in for a Certbot certificate
  • We’d prefer the Nginx web server instead of Apache, though in most cases it won’t really matter that much
  • It took a really long time for the database to become available, though if you opt out of using the managed service, this should not be a problem

There are a few other minor things we’d do differently.

For example, disabling XML-RPC by redirecting all the requests to the home page isn’t the most efficient option. Installed plugins and themes were slightly outdated, so they had to be updated manually. Permalinks had to be enabled explicitly in WordPress. The GD imaging library is used instead of the recommended Imagick. The WordPress Cron wasn’t configured to spawn via the system cron scheduler.

As already mentioned, however, it is a perfectly functional WordPress site.
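A file-based check for two of the points above: the stale core version shipped in the image, and WP-Cron not being driven by the system scheduler. This is an added example, not part of the original article or of DigitalOcean's image; the docroot path, the minimum version and the saved crontab file passed to audit_wp are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: post-provision audit of a WordPress docroot (file-based, offline).
# Usage (paths are assumptions): sh audit.sh /var/www/html 5.8.3 /tmp/crontab.txt

# Print the core version recorded in wp-includes/version.php, e.g. 5.8
wp_core_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)';.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null
}

# Succeed when version $1 sorts strictly before version $2 (sort -V: GNU coreutils).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Succeed when wp-config.php defines DISABLE_WP_CRON as true.
wp_cron_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Succeed when the saved crontab ($1) has an uncommented line that runs WP-Cron.
system_cron_present() {
    grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq 'wp-cron\.php|wp cron event run'
}

# audit_wp DOCROOT MIN_VERSION CRONTAB_FILE: print one finding per line.
audit_wp() {
    ver=$(wp_core_version "$1") || ver=
    if [ -z "$ver" ]; then
        echo "CORE unknown version"
    elif version_lt "$ver" "$2"; then
        echo "CORE outdated: $ver < $2"
    fi
    if wp_cron_disabled "$1"; then
        # With page-load spawning off and no scheduler entry, nothing runs
        # scheduled tasks, and background core updates stop as well.
        system_cron_present "$3" ||
            echo "CRON disabled in wp-config.php but no system cron entry"
    else
        echo "CRON spawned by page loads, not by the system scheduler"
    fi
    return 0
}

if [ "$#" -eq 3 ]; then audit_wp "$@"; fi
```

An empty result means the core version meets the minimum and WP-Cron is both disabled for page loads and present in the saved crontab.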

Alternatives

If you’re looking to host WordPress on DigitalOcean, there are plenty of options in addition to the 1-click installer via the Marketplace:

  • You can manually configure a LAMP environment and install WordPress. This could be a great exercise if you’ve never done it before.
  • You could look into Ansible and other similar general-purpose automation tools. While not tailored to WordPress, these give the flexibility and freedom to install and configure whatever you need, and however you need it, though there is often a learning curve.
  • You could try commercial services, such as Cloudways, SpinupWP and RunCloud, which for a monthly fee will provision and maintain a DigitalOcean-based WordPress server for you, and provide you with a simple web-based UI to manage it.
  • You could use open-source command-line based tools, such as EasyEngine, WordOps, SlickStack and of course our very own Sail for WordPress.

This is by no means an exhaustive list, but it does give you quite a few options, which vary in time consumption, feature set, ease of use (CLI vs GUI), learning curve and price. We recommend skimming through each option (including the 1-click install) to decide what feels best for you.

Sail for WordPress

We built Sail specifically to address some of the problems outlined in this article.

It’s an open source CLI-based tool, which allows you to quickly provision WordPress servers on DigitalOcean, with a production-ready, high-performance and secure configuration. It’s free, written in Python, and works on Linux, macOS and Windows. You can learn more about it here.

About the author

Konstantin Kovshenin

Konstantin is a WordPress Core Contributor, public speaker, DevOps engineer and consultant, theme and plugin developer, founder and maintainer of Sail for WordPress.