2e06db3291
Two bugs found: 1. wp-config-docker.php was being copied to /usr/src/wordpress/wp-config-docker.php, REPLACING the official WordPress config template. Our file only had security hardening settings (DISALLOW_FILE_EDIT, etc.) but no DB constants, auth keys, or table prefix. The generated wp-config.php had zero database configuration, so WordPress could never connect. Fix: Copy our config to /usr/src/websitebox-config.php instead, and load it via WORDPRESS_CONFIG_EXTRA=require_once in docker-compose.yml. 2. .user.ini set auto_prepend_file=wordfence-waf.php, but the file didn't exist until Wordfence plugin was installed. Every PHP request during initial setup returned a 500 fatal error. Fix: Add a stub wordfence-waf.php placeholder in the Docker image that gets copied with WordPress files. Wordfence replaces it during plugin activation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
WebsiteBox
A Docker-based, self-hosted WordPress deployment system. Provision a VPS, run the installer, and get a working SSL-secured WordPress portfolio site with a single command. All code is auditable, no telemetry, no external dependencies beyond what you explicitly configure.
Features
- One-command deploy:
docker compose up -dstarts everything - Automatic SSL: Let's Encrypt certificates acquired and renewed automatically
- Secure by default: Hardened WordPress config, Wordfence firewall, XML-RPC disabled, rate-limited login
- Age verification: Pre-configured Age Gate plugin (optional)
- Automated backups: UpdraftPlus with configurable retention
- VPS-agnostic: Works on any Ubuntu/Debian VPS provider
- Transparent: All persistent data in one visible directory (
websitebox-data/) - Auto-restart: Survives VPS reboots without intervention
Requirements
- A VPS with Ubuntu 20.04+ or Debian 11+ (1GB RAM minimum, 2GB recommended)
- A domain name with DNS access
- Basic command-line familiarity
Recommended VPS Providers
| Provider | Min Cost | Notes |
|---|---|---|
| BuyVM | $3.50/mo | Explicit "legal content" policy, free DDoS protection |
| Vultr | $6/mo | No explicit prohibition, widely used |
| OVHcloud | $5.50/mo | European, no explicit prohibition |
Quick Start
-
SSH into your VPS and run the installer:
curl -fsSL https://git.constantprojects.xyz/tankadmin/websitebox/raw/branch/main/install.sh | bash -
Answer the setup wizard prompts (domain, admin credentials, etc.)
-
Point your domain's A record to your server's IP address
-
Wait for DNS propagation, then start:
cd ~/websitebox docker compose up -d -
Visit your site at
https://yourdomain.comand log in athttps://yourdomain.com/wp-admin
Configuration Reference
All configuration is stored in .env (generated by setup.sh).
| Variable | Description | Default |
|---|---|---|
DOMAIN |
Your domain name | Required |
SITE_TITLE |
WordPress site title | My Portfolio |
ADMIN_USER |
WordPress admin username | Required |
ADMIN_EMAIL |
Admin email (for SSL & WordPress) | Required |
ADMIN_PASSWORD |
Admin password | Required |
AGE_GATE_ENABLED |
Enable age verification | true |
AGE_GATE_MIN_AGE |
Minimum age (18-21) | 18 |
SMTP_HOST |
SMTP server for email | (empty) |
SMTP_PORT |
SMTP port | 587 |
SMTP_USER |
SMTP username | (empty) |
SMTP_PASS |
SMTP password | (empty) |
BACKUP_RETENTION_DAYS |
Days to keep local backups | 30 |
Database passwords and WordPress salts are auto-generated by setup.sh — do not edit them manually.
Customization Guide
Theme
WebsiteBox uses a child theme built on GeneratePress. Customize it in the WordPress admin under Appearance > Customize, or edit the child theme files directly:
websitebox-data/wordpress/wp-content/themes/websitebox/
├── style.css # Custom styles
├── functions.php # Theme functions
├── index.php # Main template (inherits from GeneratePress)
└── theme.json # Theme settings (colors, typography)
Plugins
Pre-installed plugins can be managed normally through the WordPress admin. Additional plugins can be installed via Plugins > Add New.
- Age Gate: Configure under Settings > Age Gate
- Wordfence: Configure under Wordfence > Dashboard
- UpdraftPlus: Configure under Settings > UpdraftPlus Backups
Backup & Restore
Automatic Backups
UpdraftPlus runs automatic backups stored in websitebox-data/backups/.
Manual Backup
./scripts/backup.sh
This creates a database dump and compressed file backup in websitebox-data/backups/.
Cleanup Old Backups
./scripts/backup.sh --prune-only
Restore
- Go to Settings > UpdraftPlus Backups in wp-admin
- Select a backup to restore
- Follow the UpdraftPlus restore wizard
Remote Backups
For offsite backups, configure UpdraftPlus to send copies to Amazon S3, Backblaze B2, or other remote storage via the UpdraftPlus settings in wp-admin.
Updating WebsiteBox
cd ~/websitebox
./scripts/update.sh
This pulls the latest changes, rebuilds containers, and runs any migrations. See docs/UPDATING.md for details.
Uninstalling
cd ~/websitebox
docker compose down
# Remove all data (IRREVERSIBLE):
# rm -rf websitebox-data/
Security Practices
See docs/SECURITY.md for a full overview. Key points:
- SSL via Let's Encrypt with auto-renewal
- WordPress file editor disabled (
DISALLOW_FILE_EDIT) - XML-RPC disabled
- Non-standard database table prefix
- Rate limiting on wp-login.php
- Wordfence firewall and brute-force protection
- MariaDB not exposed to host network
- Auto-generated cryptographic passwords and salts
Troubleshooting
See docs/TROUBLESHOOTING.md for common issues. Quick commands:
# Check container health
./scripts/healthcheck.sh
# View logs
docker compose logs -f nginx
docker compose logs -f wordpress
docker compose logs -f db
# Restart a service
docker compose restart nginx
# Re-run WordPress first-boot setup
docker compose exec wordpress rm /var/www/html/.websitebox-setup-complete /var/www/html/.websitebox-setup-partial
docker compose restart wordpress
Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Submit a pull request with DCO sign-off (
git commit -s)
License
GPLv3 — see LICENSE.