Raspberry Pi Webserver: Nginx, PHP, and MariaDB Setup Guide

A Raspberry Pi webserver running the LEMP stack (Linux, Nginx, MariaDB, PHP) can host a WordPress site, a personal blog, a local intranet, or a development server on the local network. Pi 4 handles low-traffic WordPress sites comfortably; Pi 5 handles more concurrent connections and is better for anything public-facing. This guide covers the Bookworm-correct install for Nginx, PHP-FPM, and MariaDB, the WordPress setup with a proper Nginx server block, and essential security steps: UFW firewall, Certbot SSL, and Fail2ban. For a reverse proxy that handles multiple services and automatic HTTPS, see Caddy Reverse Proxy Raspberry Pi: Complete Setup Guide.

Last tested: Raspberry Pi OS Bookworm Lite 64-bit | May 2026 | Raspberry Pi 4 Model B (4GB) | Nginx 1.22, PHP 8.2, MariaDB 10.11, WordPress 6.5

Installing Nginx on Raspberry Pi

Flash Raspberry Pi OS Bookworm Lite 64-bit, configure hostname, username, SSH, and Ethernet in Raspberry Pi Imager’s advanced settings, and boot. SSH in and set a static IP before installing anything. A web server must have a stable address. See Raspberry Pi Static IP: Router Reservation, nmcli, and nmtui Guide.

Install Nginx:

sudo apt update && sudo apt install -y nginx
sudo systemctl enable --now nginx

Test that Nginx is serving the default page:

curl http://localhost

Expected result: The command returns the Nginx welcome page HTML. From another device on the network, navigate to http://[pi-ip] and confirm the “Welcome to nginx!” page loads. If it does not load, check that UFW is not blocking port 80: sudo ufw status. If UFW is active, allow HTTP: sudo ufw allow 'Nginx HTTP'.

Installing PHP-FPM and MariaDB on Raspberry Pi Web Server

Install PHP-FPM and the required PHP extensions for WordPress, and MariaDB:

sudo apt install -y php-fpm php-mysql php-curl php-gd php-intl \
    php-mbstring php-soap php-xml php-xmlrpc php-zip mariadb-server

Secure the MariaDB installation:

sudo mysql_secure_installation

Accept the prompts: set a root password, remove anonymous users, disallow remote root login, remove the test database. Then create the WordPress database and user:

sudo mariadb -u root -p

CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'StrongPassHere';
GRANT ALL ON wordpress.* TO 'wpuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Verify PHP-FPM is running. Check the socket path. It is needed for the Nginx configuration:

ls /var/run/php/
# Should show: php8.2-fpm.sock (version may differ)

Expected result: MariaDB responds to sudo mariadb -u root -p after the password is set. The wordpress database and wpuser exist. PHP-FPM socket is present at /var/run/php/php8.2-fpm.sock (or the current PHP version). If the socket is missing, start PHP-FPM: sudo systemctl start php8.2-fpm.

Installing WordPress on the Raspberry Pi Web Server

Download and extract WordPress to the web root:

cd /var/www/html
sudo wget https://wordpress.org/latest.tar.gz
sudo tar -xzf latest.tar.gz
sudo rm latest.tar.gz
sudo mv wordpress/* .
sudo rmdir wordpress
sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;

Configure Nginx for WordPress. Edit the default server block:

sudo nano /etc/nginx/sites-available/default

Replace the contents with:

server {
    listen 80;
    server_name _;
    root /var/www/html;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

Test the Nginx configuration and reload:

sudo nginx -t
sudo systemctl reload nginx

Complete the WordPress installation in the browser. Navigate to http://[pi-ip]. The WordPress installer loads. Enter the database name (wordpress), username (wpuser), password, database host (localhost), and table prefix. Click “Run the installation” and complete the site setup.

Expected result: The WordPress admin dashboard is accessible at http://[pi-ip]/wp-admin. If the installer shows a white screen, check the Nginx error log: sudo tail -20 /var/log/nginx/error.log. A common error is the wrong PHP-FPM socket version in the Nginx config. Update php8.2-fpm.sock to match the installed PHP version.

Security, SSL, and Remote Access for Raspberry Pi Web Server

UFW firewall. Enable UFW with HTTP, HTTPS, and SSH allowed:

sudo apt install -y ufw
sudo ufw allow ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo ufw status

SSL with Certbot. For a public domain pointing to the Pi (via dynamic DNS or a VPS reverse proxy), install Certbot for free Let’s Encrypt certificates:

sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com

Certbot modifies the Nginx config automatically to redirect HTTP to HTTPS and sets up certificate auto-renewal. For a local-network-only server without a public domain, a self-signed certificate or no SSL is acceptable.

Fail2ban. Install Fail2ban to block repeated failed SSH and WordPress login attempts:

sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban

The default Fail2ban configuration protects SSH. For WordPress login protection, add a jail for the WordPress login URL in /etc/fail2ban/jail.local.

Remote access. Do not use port forwarding to expose WordPress directly to the internet on a Pi. The attack surface is too large for a device running on SD card storage. Instead, use Tailscale for secure remote access to the Pi’s local IP, or a VPS reverse proxy (Nginx or Caddy on a VPS forwards traffic to the Pi via Tailscale). See Tailscale Raspberry Pi: Complete Secure Remote Access Guide.

Performance notes. On Pi 4 (4GB) with Nginx and PHP-FPM, WordPress serves uncached pages at roughly 15-30 requests/second. With a PHP opcode cache (OPcache, enabled by default in PHP 8.x) and a WordPress caching plugin (W3 Total Cache or WP Super Cache), static pages serve from disk cache and throughput increases substantially. WordPress on Pi is appropriate for personal sites, intranets, and development. For a Docker-based multi-service homelab including a more performant web stack, see Docker on Raspberry Pi 5: Complete Beginner Stack with Portainer Guide.

FAQ

Can Raspberry Pi run a web server?

Yes. Raspberry Pi 4 and Pi 5 run Nginx with PHP and MariaDB reliably for low-traffic sites. Pi 4 (2GB) is adequate for a personal WordPress site or homelab intranet. Pi 4 (4GB) is comfortable for sites with moderate plugin load. Pi 5 handles higher concurrent connections and is better for anything with real traffic. The practical limit is around 20-50 concurrent PHP requests before response times degrade, depending on plugin weight and caching configuration.

Why does sudo apt install mysql-server fail on Bookworm?

MySQL Community Server is not in the Debian Bookworm APT repository. The correct package is mariadb-server. MariaDB is a drop-in replacement for MySQL and is fully compatible with WordPress. All WordPress database operations work identically with MariaDB. The MariaDB client command is mariadb rather than mysql, though mysql still works as an alias on Bookworm for backward compatibility.

What is the web root path for Nginx on Raspberry Pi OS?

The default web root for Nginx on Bookworm is /var/www/html. Older guides show /usr/share/nginx/www/ or /usr/share/nginx/html. These paths do not exist on current Debian-based Nginx packages. Confirm the web root after installation with grep root /etc/nginx/sites-available/default. WordPress files and any custom site files should be placed in /var/www/html and owned by www-data.

Should I use Apache or Nginx on Raspberry Pi?

Nginx for most Raspberry Pi web server builds. Nginx uses significantly less RAM than Apache under load, which matters on a Pi with 2-4GB total RAM shared with other services. Nginx’s event-driven architecture handles more concurrent connections with lower per-connection memory overhead. Apache has better .htaccess support (which some WordPress plugins rely on), but Nginx handles equivalent configuration in server blocks. If a specific plugin or application requires .htaccess, Apache is necessary; otherwise Nginx is the better default.

How do I access a Raspberry Pi web server from outside my home network?

The recommended approach is Tailscale: install it on the Pi and on the remote device, and access the Pi’s web server via its Tailscale IP. No port forwarding, no dynamic DNS, no attack surface exposed to the internet. For a public domain with HTTPS, use a VPS as a reverse proxy that forwards traffic to the Pi via Tailscale. The Pi never receives direct internet traffic. Dynamic DNS with port forwarding works but exposes the Pi directly to the internet, which is a significant security risk for a device running on SD card storage with no hardware redundancy.

References:

• Nginx documentation: nginx.org/en/docs
• MariaDB documentation: mariadb.com/kb/en
• WordPress requirements: wordpress.org/about/requirements
• Certbot documentation: certbot.eff.org
• Fail2ban documentation: fail2ban.org

---

About the Author

Chuck Wilson has been programming and building with computers since the Tandy 1000 era. His professional background includes CAD drafting, manufacturing line programming, and custom computer design. He runs PidiyLab in retirement, documenting Raspberry Pi and homelab projects that he actually deploys and maintains on real hardware. Every article on this site reflects hands-on testing on specific hardware and OS versions, not theoretical walkthroughs.

Last tested hardware: Raspberry Pi 4 Model B (4GB). Last tested OS: Raspberry Pi OS Bookworm Lite 64-bit. Nginx 1.22, PHP 8.2, MariaDB 10.11, WordPress 6.5, May 2026.