WordPress on top of Lighttpd – beginner setup

So YOU want to host your own wordpress site? I assume that you’ve done your homework on the topic already, and the world is filled with excellent tutorials on installation and customizing the platform installation in details.

wordpress.org logo

On this post I will go through my shortlist – what you need to know and what you should know. Based on the experience I’ve had with this platform. And something that I would have appreciated a lot when i started my journey on this area.

Platform and Installation

If you host your own server, you need to have (example setup only):

  • OS – I myself chose Ubuntu 14.04
  • SQL database (like MySQL)
  • Webserver & PHP
  • WordPress installation

With the webserver you can choose between several alternatives, if you decide to take apache – you have lot of configuration code examples available for all kind of things. If you choose something more lightweight, like lighttpd as I did – then it is more difficult to find the code examples or tuning examples, but they exist and they are out there. btw – I’m very pleased with lighttpd. 🙂

Theme and Responsiveness

If you don’t want to use exactly the default blog themes available in WordPress – you can always check the market for free or premium themes that are available for wordpress. And make sure the theme is responsive, and if possible – review the user comments about the compatibility with plugins and WP updates in general. Some work well while some might have issues.

SEO and Page Load Performance

You have to look into Search Engine Optimization – bare minimum register to Google Search Engine Console or other similar tools and submit your XML sitemaps to different search engines. But word of caution here – really plan which pages from your site you want to have visible in search engines, and which not – and only then create the XML sitemaps accordingly and publish to search engines. You can use WordPress pluging in order to automate this one. Getting your pages removed from indexes takes some time – but can be fully avoided with good planning and execution and submitting only your READY site to search engines.

You need to guide and give instructions to search engine crawlers on how to index your site, so look into “nofollow” and similar tags and use them accordingly for best results. AND once more – make sure your site is responsive – for example google is more likely to raise your rank if your site supports mobile devices and small screens.

Also use Pagespeed Insights or similar tools test to test your site load performance – and some comments on the site support for desktop or mobile devices.

 Hardening and fighting against SPAM

Do your homework right from the beginning – on how to do the hardening, as many things are easier if done already on installation. You have the options for changing the default folder names, not using default usernames for admin etc. That is the basic stuff – do your homework.

On top of the basic stuff – you can add few additional things for extra layer of security:

  • 2-factor authentication for ADMIN account – this gives you peace of mind
  • some ‘hidden’ front-end spam engine – like WP Spamshield
  • Limit Login Attempts –  lock IP for defined timeperiod after 2-3 failed login tries

And then – I certainly promote on fighting against brute force botnets that will try to login your site. And it makes more sense in stopping those before they get to PHP execution level – as it will definitely impact your site performance. This leaves you atleast following 2 options:

  • Setup HW firewall level IP restrictions (for example country level), this way IP outside your defined whitelist cannot get through firewall to your webserver at all.
  • Setup a cookie level check – that your WP login or comment sections cannot be called directly but only through loading your site (and the cookie implemented for  the site). This is my personal favorite – as this stops the spambots in webserver before they reach the database or are executed in PHP

Here is detailed example on how to setup the WordPress cookie level hardening for lighttpd setup.

  • Install Cookies for Comments WP plugin, that will inject a cookie for your sites loaded
  • Modify your Lighttpd.conf file with adding following lines:
Select Code
$HTTP["url"] =~ "^/wp-comments-post.php.*$" {
$HTTP["cookie"] !~ ".*be42f5c4c35e23da049668331aa9ead9.*" {
url.access-deny = ( "" )
$HTTP["url"] =~ "^/wp-login.php.*$" {
$HTTP["cookie"] !~ ".*be42f5c4c35e23da049668331aa9ead9.*" {
url.access-deny = ( "" )
$HTTP["url"] =~ "^/xmlrpc.php.*$" {
url.access-deny = ( "" )
$HTTP["url"] =~ "^/wp-config.php.*$" {
url.access-deny = ( "" )
  • The string be……..ad9 is the site specific cookie – the one in the example is belonging to my site. You can actually see it by looking my source code. So you should modify your string accordingly – just look at the Cookies for Comments settings for details.
  • The third HTTP-line is not related to cookie security, but denying access to xmlrpc.php which brings you extra benefit, by addressing one typical attack type utilizing the xmlrpc procedure. “xmlrpc.php” is a php script that supports a standard WP function to remotely publish posts via email (and get pingbacks). I don’t update my blog via email, so I can block this functionality.
  • The last HTTP-line is protecting wp-config.php – as it should NEVER be accessed directly by anybody, and since it contains the critical database details, we will block it here also.


Do setup a working backup practices, with tools like UpDraftPlus for wordpress – they are worth the investment. Also keep working backups of your most important WP system files, like wp-config.php, in case you get those corrupted – it can be a lifesaver when you cannot login to your site.

Locked out from WordPress due to experimenting?

In case this happens due to plugins for example – don’t worry, you still have a chance making it right. Please visit this WordPress page for details: https://codex.wordpress.org/Login_Trouble

And I hope you made the backups from your wordpress core system files, so that you can FTP and make things right? 🙂

Pretty Permalinks

Make sure you configure and use these in wordpress – it is a lot easier from the beginning to have nice looking links in search engines. Just do it.

Final Words

That is pretty much the setup from the perspective that I wanted to bring-up. Now it is up to you to produce high quality content on the matters that are close to your heart – and that is the real beef of it all!

Enjoy your ride with WordPress hosting! 🙂

Juha Ketola

Juha Ketola

Author is a passionate IT enthusiast and early adopter. Packed with years of experience leading Enterprise level IT development teams within the biggest companies of Technology industry. Watches closely start-ups and new disruptive innovations in order to stay on the cutting edge. Embraces hands-on IT development and IoT.
Juha Ketola
Link to open Linkedin Profile

Leave a Reply