Obligatory disclaimer: Following this guide will result in the creation of DigitalOcean resources that will cost you money. Make sure you terminate the resources after following the guide to ensure you don't have unexpected charges at the end of the month.

Visit the bottom of this post for a quick glossary of terms you may not be familiar with.

I've also collected common problems and solutions in a troubleshooting section at the bottom of this post.

Before you start

Requirements

Before you start this guide, ensure you have the following things ready to go.

  1. A functioning Windows, Linux, or Mac computer. You should follow this guide using a computer, and not a mobile device.
  2. A domain name. You will need one to complete this guide. Google Domains and Namecheap offer cheap .com domain names.
  3. A DigitalOcean account if you do not already have one with a valid credit card set up.

Cost

Following this guide will cost you around $13 today. If you leave things running for a year, your costs will be around $72.

  • Domain name for one year ~ $12.00.
  • Droplet usage for today ~ $1.00.
  • Droplet usage for a year ~ $60.00.

Cost is reflective of prices at the time of this writing (April 14, 2020).

Setting up the environment

First, sign up for DigitalOcean

If you don't already have a DigitalOcean account, head on over to https://cloud.digitalocean.com/registrations/new and create your account. You will be required to provide a credit card before you can provision resources.

Now log in to the DigitalOcean Console

Visit https://cloud.digitalocean.com and sign in. We'll start this guide from the home page of the DO console.

The DigitalOcean console.
The DigitalOcean console.

Getting the server set up

Fire up a droplet

Click on the green Create button in the header of the console and choose the Droplets option from the corresponding drop down menu.

Create a Droplet using the Create button in the upper right corner of the console.
Create a Droplet using the Create button in the upper right corner of the console.

In the Choose an image section, you'll see a list of tabs at the top. We're actually going to use a preconfigured droplet for our WordPress install, so choose the Marketplace tab.

Choose an image section, select the Marketplace tab.
Choose an image section, select the Marketplace tab.

In the Recommended for you section under the search bar, you'll see an option for WordPress on xx.xx. Click on this option to select it (do not click Details).

Choose the option for WordPress on xx.xx.
Choose the option for WordPress on xx.xx.

Scroll down to the Choose a plan section, ensure the Starter category is selected, and then click the back arrow on the list of options to see cheaper options. DO selects the $40/mo droplet by default, which is annoying since 99% of people getting started with DO do not need this option.

Click the back arrow on the left of the $40/mo option to see other plans.
Click the back arrow on the left of the $40/mo option to see other plans.

Once you've scrolled back to the cheaper options, select the $5/mo option for 1GB / 1CPU. For a basic WordPress website with low traffic, this is all you'll need.

First click the back arrow on the list of options, then choose the $5/mo option.
First click the back arrow on the list of options, then choose the $5/mo option.

Skip over the Add block storage section to the Choose a datacenter region section. Here, pick a datacenter region (numbers in each region don't really matter for our use case) nearest your place of residence. For example, if you live on the east coast of the US, choose a number in the New York region. If you live on the west coast of the US, choose a number in the San Francisco region. The same principle applies if you live elsewhere in the world.

I'm going to select New York 1 for the purposes of this guide since I'm located on the east coast.

Skip over block storage and choose a datacenter region closest to your place of residence.
Skip over block storage and choose a datacenter region closest to your place of residence.

Scroll down to the Select additional options section and select the checkbox for Monitoring. You don't really need this, but there is no additional cost and it can help you understand if you need to scale up to another droplet size later if your website starts experiencing higher traffic.

Select the checkbox for Monitoring.
Select the checkbox for Monitoring.

In the Authentication section, you'll specify how you are going to access the droplet's command line. You're going to need to use the command line to finish setting up WordPress and to perform basic maintenance tasks every so often if you choose to keep WordPress running.

In the Authentication section, choose the option for SSH Keys and then click New SSH Key if you don't already have one in your DO account. In the modal that pops up, DO has provided a quick tutorial on creating a personal SSH key you can import into the console. Windows users will see a link to instructions for Putty. Follow these instructions to set up your SSH key to import into DigitalOcean. Important to note is that you need to import the public key into DigitalOcean. You will use the private key to authenticate.

Either import a new SSH key or use an existing one in your DO account.
Either import a new SSH key or use an existing one in your DO account.

Tip: If you aren't comfortable with SSH keys, you can also use the One-time password option. DO will email you a password that you can use to log in to your droplet instead of using an SSH key. However, this is insecure and should never be used for a website in production.

After you've imported an SSH key, it will be selected in the Authentication section. If you already have an SSH key, select it.

In the Finalize and create section, leave the number of droplets to be created set at 1, and give your droplet a memorable hostname. If you plan on using this WordPress website with a domain name, use your domain name as the hostname (e.g. for this blog, the hostname would be blog.nbent.ly (leave off the http).

We're not going to add any tags, and the default project is fine. For Add backups, select the checkbox to Enable backups. It adds 20% to the total monthly cost, but it's worth it if you ever screw anything up and need to revert to a prior functioning state.

Leave the setting for one droplet, give your droplet a hostname, and check the box to enable backups.
Leave the setting for one droplet, give your droplet a hostname, and check the box to enable backups.

Alrighty, we're ready to fire up this droplet! Give your selections a once-over and then click the green Create Droplet button. DO will work it's magic and create your droplet. It may take a couple of minutes to start everything up.

Create your droplet!
Create your droplet!

Setting up WordPress

Set up your domain name

We're going to start this next section of the guide by setting up your domain name to point to your newly created droplet. Log in to wherever you purchased your domain name. Find the section in your control panel where you can alter the domains DNS records. In this section, you are going to create a new record with the following values.

Name: your domain name.
Type: A record.
TTL: 1 Hour.
Value or Data: IP address of your droplet (you can find this on the DigitalOcean console, next to your droplet's hostname).

The interface used in each domain name provider varies quite a bit, but in the end your record should look something like this (we're using CloudFlare in this example).

We're creating an A record with the name wordpress.nbent.ly and pointing it to 161.35.62.163.
We're creating an A record with the name wordpress.nbent.ly and pointing it to 161.35.62.163.

SSH into your droplet

Now we're going to log in to your droplet via the command line. Don't worry if you've never used the command line before, it's relatively straightforward.

For Mac or Linux users, open up a terminal and type the following.

ssh root@mydomain.com and then hit return. The SSH client should recognize your SSH key automatically and use it to authenticate. If it doesn't you may need to specify where it is using ssh root@mydomain.com -i /location/of/id_rsa.

If you protected your SSH key with a passphrase, you may need to type it in to complete authentication. Additionally, you may be required to type yes to a prompt asking if you want to connect to the droplet.

If you specified a one-time password in the creation of your droplet, enter that when prompted.

You may need to type yes to a prompt that asks if you want to connect. You may also need to type a passphrase for your SSH key if you chose to protect it with one.
You may need to type yes to a prompt that asks if you want to connect. You may also need to type a passphrase for your SSH key if you chose to protect it with one.

For Windows users, open up putty and use the following values to connect to your droplet.

Host Name (or IP address): mydomain.com (your domain, not actually mydomain).

Type the domain name into the Host Name box in Putty.
Type the domain name into the Host Name box in Putty.

SSH > Auth > Private key file for authentication: Click browse and select the private key you created earlier in this guide.

In the Auth section, add your SSH key using the Browse... button.
In the Auth section, add your SSH key using the Browse... button.

If you specified a one-time password in the creation of your droplet, only enter the field for Host Name in Putty and then click Open. You will be prompted to enter your password via the terminal when the connection opens.

Now click the Open button. Putty will open the connection.

When you successfully log in, you'll see this text. What to do next is covered in the next section of this guide.
When you successfully log in, you'll see this text. What to do next is covered in the next section of this guide.

If you protected your SSH key with a passphrase, you may need to type it in to complete authentication. Additionally, you may be required to click yes to a prompt asking if you want to connect to the droplet.

Prompt asking if you want to connect to the server. Click the Yes button to continue.
Prompt asking if you want to connect to the server. Click the Yes button to continue.

Set up WordPress on your droplet

Once you successfully SSH into your droplet, DO will run a script that will automatically start a setup process for WordPress. Follow the instructions and enter data where the script requests it.

Read everything you see in the SSH window completely. Follow the prompts as the script asks you to complete them. Use the Enter and return keys to continue after you have entered a value.
Read everything you see in the SSH window completely. Follow the prompts as the script asks you to complete them. Use the Enter and return keys to continue after you have entered a value.

Some notes as you follow the instructions:

  • You'll need to enter your domain name here. If you mess up entering your domain name, use Ctrl+C (Windows) or Cmd+C (Mac) to exit the script. Log out using the command exit and then follow the instructions above to SSH into your droplet again. The script will re-run.
  • When the script asks if you want to use Let's Encrypt, specify yes.
  • Questions that require a yes or no answer require you to type either y or n on the keyboard.
  • Use the Enter (Windows) or return (Mac) key to continue.
Configuring WordPress account & site name.
Configuring WordPress account & site name.
Setting up Let's Encrypt to secure your WordPress website with an SSL certificate (enables https://).
Setting up Let's Encrypt to secure your WordPress website with an SSL certificate (enables https://).
Visit your domain name after the script completes to finish setup.
Visit your domain name after the script completes to finish setup.

After the script completes, you're done! Visit https://yourdomain.com/wp-admin to log in to the admin interface of WordPress with the credentials you entered in the set up script.

Logged in to the WordPress admin backend.
Logged in to the WordPress admin backend.

Now that you're set up, let's secure things

Use SSH keys to log in to your droplet

If you chose to use a one-time password to SSH into your droplet, now is the time to go back and figure out how to use SSH Keys instead. DigitalOcean provides a great set of instructions for this here.

Create your own user account & prevent root logins

Read this guide to learn how to do this.

Close off port 22 with a DigitalOcean firewall

To do this, go here, Create Firewall and give it a Name.
Select HTTP in the Type dropdown under the Inbound Rules section.
Select HTTPS in the Type dropdown for New rule under the Inbound Rules section.
You should have two inbound firewall rules, one for HTTP and one for HTTPS, both with Source set to All IPv4 and All IPv6.

Inbound rules settings for HTTP & HTTPS connections.
Inbound rules settings for HTTP & HTTPS connections.

Leave the Outbound Rules section as is.

Outbound rules settings for HTTP & HTTPS connections.
Outbound rules settings for HTTP & HTTPS connections.

Search for your droplet using the hostname in the Apply to droplets section and select it.

Apply the rules to your droplet.
Apply the rules to your droplet.

Click the Create Firewall button to create the firewall an apply it to your droplet. This firewall rule has permitted only HTTP and HTTPS connections to your droplet and has blocked SSH connections. In many ways, firewalls at the DigitalOcean level are better than firewalls installed locally on your droplet, as the DO firewall blocks traffic at the network border, before it even reaches your droplet.

Remember: when you need to log in to your droplet via command line, you will need to remove this firewall from your droplet first. If you don't, your SSH connection will not work.

And some quick notes about WordPress

Make sure you keep WordPress itself, and all themes or plugins you install updated. Use your favorite task manager, whether that be a pencil and paper or an app to schedule a recurring task once every month to run WordPress updates. WordPress gives you a really easy way to update itself and all of your plugins and themes through a single interface.

The WordPress updates interface.
The WordPress updates interface.

Finally, some quick notes about maintaining your droplet

You've got WordPress set up and working, but with the great deal DigitalOcean provides comes a cost. You need to periodically SSH in to your droplet and perform some maintenance tasks. Eventually, you may also need to upgrade the Droplet's operating system.

Set a reminder to SSH into your droplet and run the following command once every month. There are ways to automate this, but that's not a good idea, because an update could break something on your server and you'd want to know about that right away.

sudo apt update && sudo apt upgrade -y

And that's it

You've successfully launched a WordPress droplet on DigitalOcean! We've also taken a few basic security precautions to make it more difficult for nefarious individuals to mess up your website or use your droplet for illicit activities.


I'm Nick Bentley – message me on Twitter and check out my website.


Troubleshooting

Problem: I'm trying to log in to WordPress and I'm getting a "Connection timed out" error.
Solution: DO installs a WordPress plugin that integrates with your droplet's built-in firewall that blocks your IP address after several unsuccessful attempts to log in. To fix this, you'll need to SSH into your droplet and run the following command: fail2ban-client unban --all.

Problem: I can't SSH into my droplet, I get a connection timed out error.
Solution 1: First, check to make sure you correctly configured your DNS record. Try SSHing into your droplet using it's IP address instead of the hostname. If it works, the DNS record is your problem.
Solution 2: Second, check to see if you still have the DigitalOcean firewall configured to block port 22. We configured that in the securing your droplet section above. Temporarily remove the firewall from your droplet, log in via SSH & do what you need to do, and then log out and reapply the firewall to your droplet.
Solution 3: If you tried both of the above options and are still getting (specifically) a connection timed out error, you may have triggered your droplet's built in SSH protection measures. The quickest way to solve this problem is to destroy your droplet and start this guide again. If you have a website set up already, install a WordPress backup plugin and download a backup of your installation prior to destroying your droplet.

Glossary of Terms

Below you'll find a glossary of terms that were used in this guide, as well as quick definitions for each.

  • Datacenter: a physical location where servers reside - DigitalOcean has quite a number of datacenters across the globe. These are the physical locations where the servers droplets run on reside. Many large tech companies have their own datacenters.
  • DigitalOcean: an infrastructure as a service provider (IaaS) - they're the folks that are hosting the server your WordPress website is running on.
  • DNS record: an entry in the domain name system - DNS records allow you to map domain names to IP addresses (as well as some other stuff). Think of a DNS record as an entry in a phonebook. There are several types of DNS records, but the two most common are A records and CNAME records. A records map to an IP address, whereas CNAME records typically map to an A record.
    For example, an A record for mydomain.com might look like:
    A | mydomain.com | 123.123.123.1
    A CNAME record might look like:
    CNAME | subdomain.mydomain.com | mydomain.com
  • DO: abbreviation of DigitalOcean - the platform we're using to host your WordPress website.
  • Droplet: DigitalOcean's name for a server - a droplet is the server your WordPress website is running on in this guide.
  • fail2ban: a server-side protection program - fail2ban monitors connection attempts to your server (or in the case of this guide, droplet) and adds firewall blocks to IP addresses that unsuccessfully authenticate too many times.
  • IaaS or Infrastructure as a Service: cloud sales model - infrastructure as a service is where a company provides physical servers and equipment on which you can run your own software.
  • IP address: a number that identifies your computer or server on a network or the internet - this is a very basic definition of an IP address, but is essentially it's purpose. Much in the same way you have an address for your house or apartment and can use Google Maps to get directions, servers and computers need addresses for wayfinding as well.
  • PUTTY: SSH client for Windows PCs - Putty is an SSH client for Windows PCs and will allow you to connect to the command line of a remote server using the SSH protocol. Download the 64-bit installer here.
  • SSH: Secure Shell or Secure Socket Shell - facilitates a connection to your server's (or in the case of this guide, droplet's) command line.
  • SSH Key: Secure Shell Key or Secure Socket Shell Key - think of this as similar to a house key. The key you have on your person is equivalent to the private key whereas the lock on your house is equivalent to the public key. The SSH key is used as a more secure method of authenticating with your server. For example, if you have a pin code lock on your house (or a password), someone could guess the code (or password). If you have a traditional key lock on your house, only someone who has physical possession of the key can unlock the door. Same thing goes with your SSH key.
  • SSL Certificate: Secure Socket Layer certificate - this is used to enable the s in https. All websites should use https these days as a matter of best practice. If you choose not to enable https, also know that this will hurt your search ranking on Google.
  • WP: abbreviation of WordPress - the software powering your website.