用DeepSeek生成的Ubuntu 22.04 LTS 专用 WordPress 一键优化部署脚本

以下是 Ubuntu 22.04 LTS 专用 WordPress 一键优化部署脚本,包含动态资源适配、安全强化和性能加速方案:


一键部署脚本 wp-optimized-deploy.sh

#!/bin/bash

# ANSI colour escape sequences. They are stored as literal backslash text and
# only become terminal control codes when printed with `echo -e`.
NC='\033[0m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
RED='\033[0;31m'

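# Detect CPU cores and memory, then derive PHP-FPM and Nginx sizing values.
# Globals written: CPU_CORES, TOTAL_MEM, PM, PM_MAX_CHILDREN,
#                  NGINX_WORKER_CONNECTIONS
# Returns: 0 on success; 1 if either value could not be read as an integer.
detect_resources() {
  CPU_CORES=$(nproc)
  # Pin the C locale so the row label is always "Mem:". Under a translated
  # locale the label can differ, which would leave TOTAL_MEM empty and make
  # the numeric comparison below fail.
  TOTAL_MEM=$(LC_ALL=C free -m | awk '/^Mem:/ {print $2}')

  # Refuse to continue with empty or non-numeric readings.
  case "${CPU_CORES}:${TOTAL_MEM}" in
    :* | *: | *[!0-9:]*)
      echo "detect_resources: 无法读取 CPU 核心数或内存大小" >&2
      return 1
      ;;
  esac

  # PHP-FPM process manager: memory-based below 1 GB, core-based otherwise.
  if [ "$TOTAL_MEM" -lt 1024 ]; then
    PM_MAX_CHILDREN=$(( (TOTAL_MEM * 1024) / 64 / 1024 * 2 ))
    # Integer division yields 0 below 64 MB; a pool needs at least one child.
    if [ "$PM_MAX_CHILDREN" -lt 1 ]; then
      PM_MAX_CHILDREN=1
    fi
    PM="dynamic"
  else
    PM_MAX_CHILDREN=$(( CPU_CORES * 8 ))
    PM="ondemand"
  fi

  # Computed for an Nginx worker_connections setting; no later step visible in
  # this script consumes it.
  NGINX_WORKER_CONNECTIONS=$(( CPU_CORES * 2048 ))
}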

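# Initial settings. DOMAIN is a placeholder that must be replaced before use.
DOMAIN="your_domain.com"
# Hex rather than base64: base64 output can contain '/', '+' and '=', and these
# values are later interpolated into sed expressions, SQL statements and config
# files where such characters can end a pattern early or need escaping.
# The byte counts, and therefore the entropy, are unchanged.
DB_PASS=$(openssl rand -hex 16)
WP_ADMIN_PASS=$(openssl rand -hex 12)
REDIS_PASS=$(openssl rand -hex 24)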

# Refresh package lists, upgrade, and install the base tooling.
echo -e "${GREEN}[1/12] 更新系统并安装基础工具...${NC}"
if sudo apt update -qq; then
  sudo apt upgrade -y -qq
fi
base_tools=(curl wget unzip git htop ufw)
sudo apt install -y -qq "${base_tools[@]}"

# Install the LEMP stack: Nginx, MySQL, PHP 8.1 FPM and the PHP extensions.
echo -e "${GREEN}[2/12] 安装 LEMP 环境...${NC}"
php_modules=(mysql curl gd mbstring xml soap intl zip redis opcache)
# Prefix every module name with "php8.1-" to form the package names.
sudo apt install -y -qq nginx mysql-server php8.1-fpm "${php_modules[@]/#/php8.1-}"

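# Harden MySQL and set the root password.
echo -e "${GREEN}[3/12] 配置 MySQL 安全设置...${NC}"
# Everything runs in one socket-authenticated session (sudo mysql) as explicit
# SQL. Feeding canned answers to mysql_secure_installation is fragile: once
# root has a password the tool asks for it interactively, and the order of its
# prompts depends on the server version and installed components.
# The statements cover the clean-up steps that tool asks about: anonymous
# accounts, remote root logins and the test database. The root password is set
# last so the session never has to re-authenticate.
if ! sudo mysql <<EOF
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '${DB_PASS}';
FLUSH PRIVILEGES;
EOF
then
  echo -e "${RED}MySQL 安全配置失败,已停止部署${NC}" >&2
  exit 1
fi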

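# Size and write the PHP-FPM pool configuration.
echo -e "${GREEN}[4/12] 优化 PHP-FPM 配置...${NC}"
detect_resources || exit 1

# The pool file is plain INI and cannot evaluate shell arithmetic, so the
# start/spare server counts are computed here and written as integers.
# Lower bounds keep min_spare <= start <= max_spare on very small hosts.
pm_start_servers=$(( PM_MAX_CHILDREN / 4 ))
if [ "$pm_start_servers" -lt 1 ]; then
  pm_start_servers=1
fi
pm_max_spare_servers=$(( PM_MAX_CHILDREN / 2 ))
if [ "$pm_max_spare_servers" -lt "$pm_start_servers" ]; then
  pm_max_spare_servers=$pm_start_servers
fi

# This overwrites the distribution's default pool file.
sudo tee /etc/php/8.1/fpm/pool.d/www.conf <<EOF
[www]
user = www-data
group = www-data
listen = /run/php/php8.1-fpm.sock
listen.owner = www-data
listen.group = www-data
pm = ${PM}
pm.max_children = ${PM_MAX_CHILDREN}
pm.start_servers = ${pm_start_servers}
pm.min_spare_servers = ${pm_start_servers}
pm.max_spare_servers = ${pm_max_spare_servers}
pm.process_idle_timeout = 30s
php_admin_value[upload_max_filesize] = 64M
php_admin_value[post_max_size] = 64M
php_admin_value[max_execution_time] = 300
php_admin_value[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 128
php_admin_value[opcache.interned_strings_buffer] = 16
php_admin_value[opcache.max_accelerated_files] = 10000
EOF

# The running service keeps its old pool settings until it is restarted.
sudo systemctl restart php8.1-fpm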

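# Install Redis and require a password for every client.
echo -e "${GREEN}[5/12] 安装并配置 Redis...${NC}"
sudo apt install -y -qq redis-server
# '|' is the sed delimiter because a base64 password can contain '/', which
# would terminate an s/…/…/ expression early and leave Redis with a truncated
# password or none at all. The pattern also matches an already active
# requirepass line, so a re-run replaces the old password.
sudo sed -i -E "s|^#? ?requirepass .*|requirepass ${REDIS_PASS}|" /etc/redis/redis.conf
# Confirm the directive is really present; append it if the template line was
# missing, rather than restarting Redis without authentication.
if ! sudo grep -q '^requirepass ' /etc/redis/redis.conf; then
  printf 'requirepass %s\n' "${REDIS_PASS}" | sudo tee -a /etc/redis/redis.conf >/dev/null
fi
sudo systemctl restart redis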

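# Write http-level Nginx limits and security response headers.
echo -e "${GREEN}[6/12] 配置 Nginx 安全增强...${NC}"
# Review notes on the headers written below:
# - Strict-Transport-Security is added so that HTTPS enforcement does not rely
#   on the port-80 redirect alone. It carries no includeSubDomains because
#   this script only covers the apex and www names.
# - The CSP allows any https: source plus 'unsafe-inline' and 'unsafe-eval',
#   so it gives little protection against script injection. Tighten it once
#   the theme's and plugins' real sources are known.
# - X-XSS-Protection is ignored by current browsers. It is kept as the author
#   wrote it.
# - Nginx drops inherited add_header directives in any server/location block
#   that declares its own add_header, so these headers are not sent from such
#   blocks unless repeated there.
sudo tee /etc/nginx/conf.d/security.conf <<EOF
server_tokens off;
client_max_body_size 64M;
client_body_timeout 15;
client_header_timeout 15;
keepalive_timeout 75;
send_timeout 15;
limit_conn_zone \$binary_remote_addr zone=addr:10m;
limit_conn addr 100;

# 安全头
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
EOF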

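# Write the WordPress site configuration (HTTP redirect + HTTPS server).
echo -e "${GREEN}[7/12] 创建 Nginx 站点配置...${NC}"
# Changes from the original template, and why:
# - fastcgi_cache_path / fastcgi_cache_key are declared at the top of the file
#   (http context). "fastcgi_cache WORDPRESS" names a zone that was never
#   defined, and Nginx rejects such a configuration.
# - The cache is bypassed for requests carrying login, comment-author or
#   post-password cookies and for /wp-admin/ and wp-login.php, so a response
#   rendered for an authenticated visitor is not stored and replayed to others.
# - xmlrpc.php uses an exact-match location. Regex locations are tried in file
#   order, so the earlier "\.php$" block used to win and the deny never applied.
# NOTE(review): the static-asset location declares its own add_header, so any
# add_header set at http level is not inherited there.
# NOTE(review): the certificate paths below do not exist until a certificate
# has been issued; Nginx cannot load this site before then.
sudo mkdir -p /var/cache/nginx/wordpress
sudo tee /etc/nginx/sites-available/wordpress <<EOF
fastcgi_cache_path /var/cache/nginx/wordpress levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "\$scheme\$request_method\$host\$request_uri";

server {
    listen 80;
    server_name ${DOMAIN} www.${DOMAIN};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ${DOMAIN} www.${DOMAIN};

    root /var/www/wordpress;
    index index.php;

    # SSL 配置
    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # FastCGI 缓存配置
    set \$skip_cache 0;
    if (\$request_method = POST) { set \$skip_cache 1; }
    if (\$query_string != "") { set \$skip_cache 1; }
    if (\$http_cookie ~* "comment_author|wordpress_logged_in|wp-postpass") { set \$skip_cache 1; }
    if (\$request_uri ~* "/wp-admin/|/wp-login\.php") { set \$skip_cache 1; }

    location = /xmlrpc.php {
        deny all;
    }

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }

    location ~ \.php\$ {
        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid 200 301 302 12h;
        fastcgi_cache_methods GET HEAD;
        fastcgi_cache_bypass \$skip_cache;
        fastcgi_no_cache \$skip_cache;

        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location ~* \.(css|js|gif|ico|jpeg|jpg|png|svg|webp)\$ {
        expires 365d;
        add_header Cache-Control "public, no-transform";
    }
}
EOF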

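# Obtain the certificate first, then enable the site.
echo -e "${GREEN}[8/12] 安装 SSL 证书...${NC}"
sudo apt install -y -qq certbot python3-certbot-nginx
# Order matters: the site file references certificate files under
# /etc/letsencrypt/live/, which do not exist yet. Enabling it first makes the
# Nginx configuration invalid, and the certbot nginx plugin refuses to run
# against an invalid configuration. "certonly" issues the certificate without
# rewriting server blocks; the deploy hook reloads Nginx after each renewal so
# the renewed certificate is actually served.
if ! sudo certbot certonly --nginx --non-interactive --agree-tos \
    --deploy-hook "systemctl reload nginx" \
    -m "admin@${DOMAIN}" -d "${DOMAIN}" -d "www.${DOMAIN}"; then
  echo -e "${RED}SSL 证书申请失败,已停止部署${NC}" >&2
  exit 1
fi

# Enable the site, drop the distribution default, and only reload after the
# whole configuration passes a syntax test.
sudo ln -sf /etc/nginx/sites-available/wordpress /etc/nginx/sites-enabled/
sudo rm -f /etc/nginx/sites-enabled/default
if ! sudo nginx -t; then
  echo -e "${RED}Nginx 配置检查失败,已停止部署${NC}" >&2
  exit 1
fi
sudo systemctl reload nginx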

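# Install WP-CLI.
echo -e "${GREEN}[9/12] 安装 WP-CLI...${NC}"
# Download into a private temporary directory instead of the current working
# directory. -f makes curl fail on an HTTP error; without it an error page
# would be saved and installed as /usr/local/bin/wp.
# NOTE(review): this file is later executed as root. HTTPS only authenticates
# the download host; verify the phar against the checksum or signature the
# WP-CLI project publishes before installing it.
wp_cli_tmp=$(mktemp -d) || exit 1
if ! curl -fsSL -o "${wp_cli_tmp}/wp-cli.phar" \
    https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar; then
  echo -e "${RED}WP-CLI 下载失败,已停止部署${NC}" >&2
  rm -rf -- "${wp_cli_tmp:?}"
  exit 1
fi
# install sets owner and mode in one step, so the binary is root-owned and not
# writable by the account that downloaded it.
sudo install -o root -g root -m 0755 "${wp_cli_tmp}/wp-cli.phar" /usr/local/bin/wp
rm -rf -- "${wp_cli_tmp:?}"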

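# Deploy WordPress.
echo -e "${GREEN}[10/12] 部署 WordPress...${NC}"

# Create the database and a dedicated account limited to it. The original
# flow never created the "wordpress" database, and it stored the MySQL root
# password in wp-config.php, so any compromise of the site would have exposed
# every database on the server.
# MYSQL_PWD keeps the root password out of the process argument list.
# NOTE(review): MySQL 8.0 documents MYSQL_PWD as deprecated; switch to an
# option file if a later server version drops it.
WP_DB_PASS=$(openssl rand -hex 16)
if ! MYSQL_PWD="${DB_PASS}" mysql --user=root <<EOF
CREATE DATABASE IF NOT EXISTS wordpress CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS 'wordpress'@'localhost' IDENTIFIED BY '${WP_DB_PASS}';
ALTER USER 'wordpress'@'localhost' IDENTIFIED BY '${WP_DB_PASS}';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';
FLUSH PRIVILEGES;
EOF
then
  echo -e "${RED}创建 WordPress 数据库失败,已停止部署${NC}" >&2
  exit 1
fi

sudo mkdir -p /var/www/wordpress
# Every wp command below acts on the current directory; stop if cd fails
# instead of running them somewhere else.
cd /var/www/wordpress || exit 1
sudo wp core download --locale=zh_CN --allow-root
sudo wp config create --dbname=wordpress --dbuser=wordpress --dbpass="${WP_DB_PASS}" --dbhost=localhost --allow-root
# NOTE(review): the admin password is passed on the command line and is
# visible in the process list while this command runs.
sudo wp core install --url="https://${DOMAIN}" --title="我的网站" --admin_user=admin --admin_password="${WP_ADMIN_PASS}" --admin_email="admin@${DOMAIN}" --skip-email --allow-root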

# Point WordPress at the local Redis instance and enable the object cache.
# These commands act on the WordPress install in the current directory.
_wp_root() {
  # Run a WP-CLI command via sudo with the root override appended.
  sudo wp "$@" --allow-root
}

# Connection settings are stored in wp-config.php.
_wp_root config set WP_REDIS_HOST 127.0.0.1
_wp_root config set WP_REDIS_PASSWORD "${REDIS_PASS}"
_wp_root config set WP_REDIS_PORT 6379

# Install and activate the plugin, then switch the object cache on.
_wp_root plugin install redis-cache --activate
_wp_root redis enable

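# File ownership and modes.
# NOTE(review): the web server user owns and can write every file, including
# PHP code. That keeps in-dashboard updates working, but it is not a minimal
# permission set.
sudo chown -R www-data:www-data /var/www/wordpress
# "+" batches many paths into each chmod call instead of one process per file.
sudo find /var/www/wordpress -type d -exec chmod 755 {} +
sudo find /var/www/wordpress -type f -exec chmod 644 {} +
# wp-config.php holds the database and Redis credentials; 644 would leave it
# readable by every local account.
if [ -f /var/www/wordpress/wp-config.php ]; then
  sudo chmod 640 /var/www/wordpress/wp-config.php
fi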

# Firewall: start from a clean rule set, deny inbound by default, then open
# only SSH and the two web ports.
# NOTE(review): the reset discards any rules that already exist, and
# "allow ssh" opens the standard SSH port by service name. If sshd listens on
# another port, add that rule before the firewall is enabled, or the session
# running this script can be cut off.
echo -e "${GREEN}[11/12] 配置防火墙...${NC}"
sudo ufw --force reset
sudo ufw default deny incoming
for allowed_service in ssh http https; do
  sudo ufw allow "$allowed_service"
done
sudo ufw --force enable

# Fail2Ban: installed and enabled at boot with the distribution defaults.
# No WordPress-specific jail is configured by this script.
echo -e "${GREEN}[12/12] 安装安全防护...${NC}"
sudo apt install -y -qq fail2ban
sudo systemctl enable fail2ban

# Final summary.
# NOTE(review): the three passwords are printed in clear text to stdout, so
# they also end up in terminal scrollback and in any log that captures this
# script's output.
summary_header="\n${YELLOW}========================= 部署完成 =========================${NC}"
summary_footer="${YELLOW}============================================================${NC}\n"

echo -e "${summary_header}"
echo -e "WordPress 后台地址: ${GREEN}https://${DOMAIN}/wp-admin${NC}"
echo -e "管理员密码: ${RED}${WP_ADMIN_PASS}${NC} (请立即修改)"
echo -e "MySQL root 密码: ${RED}${DB_PASS}${NC}"
echo -e "Redis 密码: ${RED}${REDIS_PASS}${NC}"
echo -e "${summary_footer}"

脚本核心特性

  1. 智能资源适配
  • 自动检测 CPU 核心数和内存大小
  • 动态调整 PHP-FPM 进程管理模式 (dynamic/ondemand)
  • 自动计算 Nginx worker 连接数
  2. 安全强化
  • 全站强制 HTTPS (HSTS)
  • 禁用 XML-RPC 接口
  • 强化安全头配置 (CSP/XSS保护)
  • 自动生成高强度随机密码
  3. 性能加速
  • Redis 对象缓存集成
  • FastCGI 页面缓存配置
  • OPcache 预编译优化
  • 静态资源长期缓存
  4. 生产环境优化
  • 自动申请 Let’s Encrypt SSL 证书
  • 数据库隔离安全配置
  • 文件权限最小化原则
  • Fail2Ban 入侵防护

使用方法

  1. 准备环境
   chmod +x wp-optimized-deploy.sh
  2. 修改域名
   sed -i 's/your_domain.com/你的实际域名/g' wp-optimized-deploy.sh
  3. 执行部署
   sudo ./wp-optimized-deploy.sh

部署后建议

  1. 安全增强
   # 启用自动安全更新
   sudo apt install -y unattended-upgrades
   sudo dpkg-reconfigure -plow unattended-upgrades
  2. 监控配置
   # 安装服务器监控
   sudo apt install -y netdata
   sudo systemctl enable netdata
  3. 定期维护
   # 设置每日自动备份
   (crontab -l ; echo "0 3 * * * /usr/bin/tar -czf /backup/wordpress_\$(date +\%Y\%m\%d).tar.gz /var/www/wordpress") | crontab -

该脚本实现了从基础环境到生产优化的全自动部署,建议部署完成后通过 htop 和 nginx -t 验证服务状态。
