Skip to content
Greffon
Tutorial

Self-Host WordPress with Greffon

WordPress runs a huge slice of the web, and almost none of it is owned by the people who write on it. Here is the honest setup for WordPress on a greffer you control.

GLGreffon Labs5 min read
~/blog/self-host-wordpress

WordPress powers a large slice of the web, from one-person blogs to small stores. Most of those sites live on someone else's hosting, where the plan, the uptime, and the data all sit behind an account you rent. Self-hosting flips that: the CMS, the database, and the uploads all live on a machine you own. Greffon takes the fiddly plumbing off your plate so you can get there without hand-writing a compose file.

Why own the site

WordPress is the world's most popular CMS: a blog, a brochure site, or with WooCommerce a small store, all from the same codebase and a deep plugin ecosystem. Grafting it onto a greffer means the posts, the media library, and the database sit on your hardware, not on a host that can change its terms or its prices under you.

The tradeoff is that the parts a managed host quietly handles, updates, backups, and uptime, become yours. None of them are hard, but they are real, and the rest of this post is about meeting them honestly rather than pretending they vanish.

Graft it from the catalog

On a greffer, you do not assemble a web server, a PHP runtime, a database, and a reverse proxy by hand. Pick WordPress from the catalog and graft it onto your greffer. Greffon issues the certificate and routes the app, so it comes up reachable over HTTPS from the first start. The authentication keys and salts WordPress uses to sign its cookies are generated for you as secrets, so you are not pasting them in by hand.

Claim the admin account fast

This is the sharp edge specific to WordPress, and it is easy to miss. On first visit, WordPress runs its install wizard, and that wizard is where the admin account gets created. There is no pre-set login. Whoever reaches the wizard first claims the admin account.

The first visitor to the wizard becomes the admin
Complete the install wizard immediately after you graft WordPress, and keep the instance URL private until you have. If you graft it and walk away, a stranger who stumbles onto the URL can create the admin user before you do. Treat the gap between deploy and finishing the wizard as the one moment the site is genuinely exposed.

Reach it from anywhere

A public site is only a site if the public can reach it. On the same network as your greffer it works the moment it starts. To serve it to the open internet you have two honest options.

The simplest is tunnel mode: a greffer connects outbound to the manager's tunnel and serves its apps over HTTPS without opening a single inbound port, which is the answer for a box behind NAT or CGNAT with no public IP. If you would rather expose the greffer directly, point a domain at it with port forwarding plus dynamic DNS. WordPress is plain HTTP under the hood, so either path carries it without any special handling.

Email needs an SMTP plugin

WordPress core has no built-in mail. Password resets, comment notifications, and contact-form messages all rely on outbound email, and out of the box that quietly fails. The fix is an SMTP plugin (WP Mail SMTP and similar) pointed at a mail provider you already use. Set this up before you need a password reset, not after you are locked out waiting for one.

Storage and backups

A WordPress site has two things worth protecting: the database (your posts, pages, and settings) and the uploads directory (your media library). Both grow over time, and a busy media library is usually the larger of the two, so keep an eye on disk on the greffer as the site fills out.

Greffon handles TLS and routing today, and native one-click backups are coming in M2. Until then, bring your own backup tool (restic or borgbackup are the usual choices), back up the WordPress data on a schedule, and store a copy off the greffer.

A backup you have not restored is not a backup
Test a restore once before you depend on the site. A backup that has never been restored is an assumption, not a safety net. Five minutes now is cheaper than rebuilding a site from memory later.

Keep it always-on

A public site has to be up when a visitor arrives, which is at any hour. Run it on an always-on greffer, a small VPS, a mini-PC, or a free Oracle Cloud box, rather than a laptop that sleeps at night. The Oracle walkthrough is a good place to get a greffer running before you graft WordPress onto it.

FAQ

Is this the real WordPress?
Yes. It is the standard WordPress release with its own database, not a fork or a hosted lookalike. The plugins and themes you know all work normally.
Can I run WooCommerce or other plugins?
Yes. Because it is standard WordPress, you install plugins and themes from inside the admin dashboard exactly as you would on any host. WooCommerce, Yoast, and the rest work unchanged.
Why didn't my contact form or password reset email arrive?
WordPress core has no built-in mail, so outbound email fails silently until you add an SMTP plugin and point it at a mail provider. Set that up early so password resets work when you need them.
I grafted it but never saw a login screen. What happened?
WordPress creates the admin account through its first-visit install wizard rather than a fixed default login. Finish that wizard right after deploying, and keep the URL private until you do, since the first visitor to reach it claims the admin account.
Who handles updates?
You do, the same as on any self-hosted site. WordPress and its plugins update from inside the admin dashboard. Keeping them current is part of owning the site, alongside backups you have tested.
GL
Greffon Labs
We build Greffon, the simplest way to turn any machine into a server you own.

Ready to turn on your greffer?

Install in minutes. Deploy each app in seconds. Your server, your apps.

Read the docs