Step-by-Step – Create a WordPress Site on App Service in Microsoft Azure

In this article, we will look at how to deploy and create a WordPress site on App Service in Microsoft Azure.

WordPress can be hosted on a variety of platforms, such as WordPress.com, managed WordPress hosting, dedicated hosting, and cloud hosting where the hosting service provides flexible and scalable resources to host your WordPress site in the cloud.

To host WordPress in the cloud, you’ll need to sign up for a cloud hosting account with a provider that supports WordPress. Some popular cloud hosting providers that support WordPress include Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure.

Introduction

WordPress is one of the most popular and widely used content management systems (CMS) in the world. It was first released in 2003 and has since become the go-to platform for bloggers, small business owners, and large corporations alike.

WordPress is a free and open-source CMS that allows users to create and manage websites without any coding knowledge. It is built on PHP and uses a MySQL database to store content. WordPress is incredibly flexible and can be used to create all kinds of websites, from simple blogs to complex e-commerce platforms.

One of the key features of WordPress is its ease of use. The platform is designed to be intuitive and user-friendly, making it accessible to users of all skill levels. Additionally, WordPress is highly customizable, with thousands of themes and plugins available to extend its functionality.

WordPress can be installed and hosted as an Infrastructure as a Service (IaaS) using a Virtual Machine in the Microsoft Azure cloud. However, WordPress can also be hosted using Platform as a Service (PaaS) hosting option on Azure App Service. This will eliminate the need to manage any Virtual Machines, enabling you to more easily and securely host WordPress in Microsoft Azure.

Microsoft announced that WordPress on App Service which was under public preview since February 15, 2022, is now generally available. With advanced, top features and revised hosting plans, you can now deploy and manage WordPress websites with ease.

Let’s take a look at the necessary steps to create and get a WordPress site up and running on Azure App Service!

Prerequisites

To follow this article, you just need to have the following:

Azure subscription to deploy cloud resources, such as creating an Azure App Service to host a WordPress site – If you don’t have an Azure subscription, you can create a free one here.

Create a WordPress Site on App Service

Launch the Azure portal, click on the + Create a resource option on the left hamburger menu, then search the Azure Marketplace for “WordPress on App Service“.

Select the WordPress on App Service option and then click Create as shown in the figure below.

Please note that you can also find WordPress Virtual Machine options in the marketplace, be sure to choose the WordPress on App Service option from Microsoft to follow the steps described below.

In the Basics tab, under Project Details, you need to choose and select the following required options to configure before the resource can be provisioned in your Azure subscription.

Subscription: Select your desired subscription where you want to host your WordPress site.

Resource group: Select or create a new resource group to organize the resources for your WordPress website within your Azure Subscription.

Region: Choose the Azure region where to host your WordPress website within Microsoft Azure, here you need to select a region that is closer to your customer base to avoid latencies. Keep in mind that you can use a content delivery network (CDN) to improve your user experience (more on that later).

Name: Set a name for the default DNS name that is a subdomain of the .azurewebsites.net domain that will host the WordPress site initially. Keep in mind that you can set up a custom domain on the website (more on that later).

Next, we have to choose the hosting plan, enter the admin email, and set the access credentials.

Hosting plan: Choose a pricing tier, or hosting plan, to use for your WordPress site within Azure App Service. The WordPress hosting plan dictates your App Service Plan, Database SKU, and other available features. WordPress on App Service comes now with an “almost Free” version as well for trial purposes, you can also choose a Basic website for hobbyists, a development website, the Standard option for most production applications, and a Premium tier for websites that are under a heavy workload.

Should you need to change the plan, click on Change Plan as shown in the figure below, then choose your desired plan from the plan picker sidebar.

Site language: Select the desired site language.

Admin email: Set the administrator email address for your WordPress setup.

Admin username: Set the username for the WordPress administrator. The username can have only uppercase letters, lowercase letters, numbers, underscores, hyphens, periods, and the @ symbol.

Admin & Confirm password: Set and confirm the password to be used for the WordPress administrator.

We have blur-boxed the value for obvious reasons.

Click Next: Advanced > to choose some advanced options that can be configured.

In the Advanced tab, you can opt for advanced features like Azure Email Service, Azure CDN, Azure Front Door (AFD), and Azure Blob Storage. It’s strongly recommended that you select Azure CDN and Azure Blob storage. If you select Azure AFD, then you will need to either select an existing AFD profile or create a new one. Please note that you can choose to select either Azure CDN or Azure Front Door.

The Azure Email Service was recently integrated with WordPress on Azure AppService. The email feature in WordPress is essential for effective communication and user engagement. WordPress websites require communication with users for various purposes, such as user registration, password resets, campaigns, and contact form submissions, etc. The email integration is supported on all Hosting Plan SKUs (Basic/Standard/Premium) by default.

Please note that if you opt to enable Azure Email Service integration, you need to choose a Data Location for the service, you cannot change the location after you create the email service resource. This location determines where the data will be stored at rest. Microsoft does not control the location from which you or your end users may interact with the data through the use of apps or services.

In this example, we will not choose Azure CDN or Azure Front Door since will be using Cloudflare CDN instead.

Please note that if you opt to use Azure CDN, Azure Blob Storage, or Azure Front Door, you need to consider the additional costs associated with these services. Please check the Azure CDN pricing, Azure Blob Storage pricing, and Azure Front Door pricing pages.

Next, select Azure Blob Storage which allows you to store and access images, videos, and other files. This effectively reduces the load on your web server thereby improving performance and user experience. You can let Azure App Service create a new storage account for you, or select an existing storage.

For the Virtual Network, you can let Azure App Service create a new VNet for you, or select an existing VNet as shown in the figure below.

Last, click on the Review + Create button. On the Review + Create tab, you can see the summary details of the WordPress web application, you can download the JSON template for automation, and finally click Create.

The deployment might take around 10 to 15 minutes for all the resources to be deployed.

Access WordPress Site on App Service

Once the deployment has been completed, you can click Go to resource or go to the Resource Group that was created with all the new Azure resources for hosting your WordPress site on Azure App Service.

As shown in the figure below, you will see multiple Azure resources that were provisioned and configured to host your new WordPress site. These will include a MySQL database for the flexible server backend of WordPress, the App Service plan, the App Service resource that hosts the WordPress web application, and the Azure Virtual network used by the App Service and the MySQL database private access connection, among a few other resources created to set everything up.

Select and navigate to the App Service resource that will allow you to see the default domain name and other configuration options for the WordPress site.

As shown in the figure below, the default domain name can be used to access and use the WordPress site without needing to configure any custom domain. Keep in mind that a custom domain can be configured later as needed (more on that in a bit).

Copy the URL and then go to the website. You will land on the homepage of your WordPress site as shown in the figure below.

Now to access the default admin page of your WordPress, you need to add /wp-admin or /wp-login.php at the end of your URL. For example, “https://websitename.azurewebsites.net/wp-login.php“ will take you to the Admin page.

On the Admin page, you need to enter the credentials that you had set during the deployment of your WordPress Site on App Service.

Then you’re welcomed to the WordPress admin dashboard as shown in the figure below.

By default, the WordPress on Azure App Service team has included the following three WordPress plugins for you:

1) W3 Total Cache: We use this plugin for Redis cache and to enable integration with Azure CDN and Blob storage. Learn more about W3 Total Cache.
2) Smush: We use this plugin for image compression. Learn more about Smush.
3) Akismet: This plugin helps in protecting your website from malicious content. Learn more about Akismet.

Configure Custom Domain on WordPress Site

You could host your website with the default domain name and the subdomain .azurewebsites.net of the Azure App Service. However, it’s recommended to purchase a domain name from your favorite domain registrars such as GoDaddy or Cloudflare to host your WordPress site instead.

If you don’t have a custom domain yet, you can purchase an App Service domain directly from Azure.

To configure your custom domain to be used with your WordPress site, you need to navigate to the Custom domains pane under Settings of the App Service resource that was created for your WordPress web app, and then select ‘Add custom domain‘ as shown in the figure below.

In the Add Custom Domain page, set the following:

• Domain provider, select All other domain services.
• TLS/SSL certificate, select App Service Managed Certificate.
• TLS/SSL type, select SNI SSL. SNI binding is free of cost and supported by most modern browsers; IP-based SSL is supported only in the Standard tier or above and will incur additional costs.
• Domain, specify a fully qualified domain name you want based on the domain you own. For example, if you own domain.com, you can use www.domain.com.
• Don’t select Validate yet.

Now for each custom domain in App Service, you need two DNS records with your domain provider. As shown in the figure below, the Domain validation section shows you two DNS records that you must add with your domain provider. Select the respective Copy button to help you create the corresponding DNS records on your domain provider side.

Sign in to the website of your domain registrar, and find the page for managing DNS records, Domain Name, DNS, or Name Server Management (the exact page differs by domain provider).

1) Select Add or the appropriate widget to create a DNS record.
2) Select the DNS record type based on the Domain validation section in the Azure portal (CNAME or TXT).
3) Configure the DNS record based on the Host and Value columns from the Domain validation section as shown in the figure above.
4) Make sure to add two different records for your custom domain.

Once you are done on the domain registrar side, go back to the Add Custom domain page in the Azure portal, and select Validate.

If the Domain validation section shows green check marks under the Status column next for both domain records, then you’ve configured them correctly, then you can click Add.

If the Status shows any red X, fix any errors in the DNS record settings on your domain registrar’s side.

Last, you should see the custom domain added to the list. Wait a few minutes for App Service to create the managed certificate for your custom domain. When the process is complete, the red X becomes a green check mark with Secured.

Finally, browse to the DNS names of your WordPress custom domain name that you configured as described in the previous steps.

That’s it there you have it… Happy WordPress-ing!

Manage Access Restriction To Your WordPress Site

You can set up access restrictions to your WordPress site on Azure App Service by defining a priority-ordered allow/deny list that controls network access to your website.

The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list.

The access restriction capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your WordPress site runs. Therefore, access restrictions are effectively network access control lists (ACLs).

To add an access restriction rule to your WordPress site, do the following:

1) Select and navigate to the App Service that you want to add access restrictions.

2) On the left pane, select Networking under Settings.

3) On the Networking pane, under Inbound Traffic, select Access Restriction as shown in the figure below.

On the Access Restrictions page, you can define lists of allow/deny rules to control traffic to your WordPress site. The rules are evaluated in priority order. If no created rule is matched to the traffic, the “Unmatched rule action” will control how the traffic is handled to your website.

To add an access restriction rule to your website, on the Access Restrictions page, select Add rule as shown in the figure below. After you add a rule, it becomes effective immediately.

Rules are enforced in priority order, starting from the lowest number in the Priority column. An implicit deny-all is in effect after you add even a single rule.

Next, you need to specify the IP Address Block in Classless Inter-Domain Routing (CIDR) notation for both the IPv4 and IPv6 addresses. To specify an address, you can use something like 1.2.3.4/32, where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is 0.0.0.0/0.

Now through the Azure portal, each access rule will allow you to add a single IP address block only, so if you need to add more than one IP range, then you need to create another access rule. This is not efficient!

What about if you have many IP addresses or address ranges that you want to allow or block?

The good news is that we can have multi-source rules that allow you to combine up to eight IP ranges or eight Service Tags in a single rule. You might use this if you’ve more than 512 IP ranges or if you want to create logical rules where multiple IP ranges are combined with a single HTTP header filter.

Let’s see how to manage access restrictions at scale for WordPress on App Service.

To use multi-source rules, you need to use Azure PowerShell, Azure CLI,  ARM JSON, or Bicep. The Multi-source rules are defined the same way you define single-source rules, but with each range separated with a comma (maximum eight IP ranges).

Here is a PowerShell example that you can use to protect your WordPress site (adjust the values to match your needs):

# Allow Access IPv4 Rule01 with Priority 100
Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroupName" -WebAppName "WordPressAppName" 
  -Name "IPv4-Allow-Rule01" -IpAddress "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22" `
  -Priority 100 -Action Allow

# Allow Access IPv6 Rule01 with Priority 200
Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroupName" -WebAppName "WordPressAppName" 
  -Name "IPv6-Allow-Rule01" -IpAddress "2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32" `
  -Priority 200 -Action Allow

# Block Access IPv4 Rule01 with Priority 300
Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroupName" -WebAppName "WordPressAppName" 
  -Name "IPv4-Block-Rule01" -IpAddress "18.157.105.182/32,3.126.25.160/32,34.248.174.237/32,52.16.85.139/32" `
  -Priority 300 -Action Deny

Please note that there is a limit of 512 access restriction rules. If you require more than 512 access restriction rules, then it’s recommended that you consider installing a standalone security product, such as Azure Front Door, Azure App Gateway WAF, or use Cloudflare WAF security.

SSH Access To WordPress on Azure App Service

In some cases, you need to open an SSH or SFTP session to your WordPress on Azure App Service to have a higher level of control.

There are multiple methods available for accessing and engaging with your website. One option is to log in to the WordPress dashboard, where you can utilize the platform’s default tools to make modifications to your site. For a more advanced approach, you have the option to connect to your site using FTP, allowing for a more direct management experience. This technique enables you to access, download, and upload files, including those essential to the core functionality of your site.

However, there exists another even more direct method of interacting with your site known as Secure Shell (SSH). SSH shares similarities with FTP, but it offers a higher level of control and typically doesn’t require a graphical interface. By using SSH, you can engage with your site’s files and server through commands, granting you complete access to your server’s configuration. This level of access is not achievable through FTP.

Just to clarify, although SSH is slightly more advanced than FTP, it doesn’t require you to be a developer to utilize it. However, it is recommended to have familiarity with the command line and the ability to research the precise Linux commands needed for specific tasks. Once you have acquired this knowledge, the next step is to understand the process of setting up SSH access for your WordPress site.

Since the WordPress site is a Linux container running on Azure App Service, SSH support is restricted to the following options as of today:

1) Open SSH session in your browser via https://<app-name>.scm.azurewebsites.net/webssh/host and replace <app-name> with your app name:

https://<app-name>.scm.azurewebsites.net/webssh/host

If you’re not yet authenticated, you’re required to authenticate with your Azure subscription to connect. Once authenticated, you see an in-browser shell, where you can run commands inside your Linux WordPress container.

2) You can also open a direct SSH session from your WordPress Web App in the Azure Portal under the Development Tools as shown in the figure below.

3) Or you could open an SSH session from Remote Shell (Preview) using TCP tunneling as described below. TCP tunneling will create a network connection between your machine and App Service over an authenticated WebSocket connection.

First, make sure you have the latest Azure CLI installed on your machine. You can download the Azure Command-Line Interface (CLI) for Windows, macOS, and Linux. You can verify the Azure CLI version installed on your machine by running this command:

// Tip: Using the Azure Cloud Shell, you can also open a direct SSH session without installing the Azure CLI tool on your machine.

# Show the versions of Azure CLI modules and extensions
az --version

To enable TCP tunneling from your machine, you need to install the Azure CLI “webapp” extension by running the following command:

# If you install the extension for the first time, use this command:
az extension add --name webapp

# If you have webapp extension already installed, use this command to update:
az extension update --name webapp

Once the extension is installed, you need to run the following CLI command to create a TCP tunnel to the WordPress Linux container in App Service:

# Open SSH session from remote shell
az webapp create-remote-connection --subscription "subscription-id" --resource-group "resource-group-name" --name "wordpress-app-name" --port "local port to open"

The command line output on a PowerShell terminal will be something like this. The password has been intentionally obscured for obvious reasons.

Now, your machine is configured for any general purposed remote debugging with SSH/SFTP access for the WordPress web app as you specified in the create-remote-connection command.

Once the TCP tunnel is established, you can simply run the following commands in a Linux or PowerShell terminal to open SSH to your WordPress site to localhost at 127.0.0.1 and the port number that you specified above. You need to authenticate using the password that got generated from the previous command.

# Open SSH session from remote shell
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc root@127.0.0.1 -p 2222

Please note that you have to specify the KexAlgorithms to diffie-hellman-group1-sha1 and include cipher at least one item in this list (aes128-cbc,3des-cbc,aes256-cbc), otherwise, you won’t be able to establish an SSH session and you will receive the following error message:

// Unable to negotiate with 127.0.0.1 port 2222: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc

Similarly, you can SSH to your WordPress Linux container from a Mac or Windows machine. Now, you can go party with SSH!

Like SSH, you can also use SFTP to manage your WordPress web app content. You need to install one of your favorite SFTP clients such as (FileZilla, WinSCP, or PuTTY SFTP), and connect the client to localhost 127.0.0.1 and the port number that is created for the TCP tunnel, then use the SSH username and password to log in.

You can download and install PowerShell OpenSSH for Windows from this page.

# Open SFTP session from remote shell
sftp -o KexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc -P 2222 root@127.0.0.1

Here is a screenshot connecting from WinSCP over SFTP to my WordPress site running on Azure App Service.

Now you can manage the WordPress site content stored in /var/www/wordpress using the SFTP client.

FTPS Access To WordPress on Azure App Service

Like SSH and SFTP, you can also use FTPS to manage your WordPress web app content through your favorite FTP/S client such as (FileZilla, or WinSCP). This option requires less work compared to SSH/SFTP as described in the previous section.

By default, WordPress deployment on Azure App Service has FTPS enabled only for added security. You can see that under Configuration > General settings as shown in the figure below.

For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don’t want to use FTP/S.

The next step is to go to your WordPress Web App in the Azure portal, from the left menu of your web app, select > Deployment Center> FTPS credentials and then copy the FTPS endpoint as shown in the figure below. You need only to copy the <endpoint-name>.ftp.azurewebsites.windows.net. The FTPS endpoint has been intentionally obscured for obvious reasons.

Then scroll down and look for the FTPS username and Password under the Application scope section as shown in the figure below.

Copy those details to your FTPS client and then connect. You can also click and Reset your FTPS password at any time.

Now you can manage the WordPress site content stored in /site/wwwroot using the FTP/S client.

Additional WordPress Features on Azure App Service

Apart from using these Azure services mentioned above, the WordPress on Azure App Service team at Microsoft has been undertaking the following features to make sure you have the best WordPress hosting experience.

Updated Technology Stack

The updates for Linux, PHP, and Nginx are installed automatically. New WordPress versions will be available for new deployments within two weeks of release. However, for existing deployments, you will have to upgrade your WordPress version yourself.

The offering also comes with an out-of-the-box implementation of Redis Cache in the Web Server which improves performance and reduces the load on your database.

Azure App Service Hosting Plans

Microsoft Azure provides you with three hosting plans for you to pick according to your WordPress requirements as follows:

* Basic (B1):

• WebApp Server: 1 vCore, 1.75 GB RAM, 10 GB Storage.
• MySQL Flexible Database Server: 1 vCore, 2 GiB RAM, 32 GiB storage, 400 IOPS.

* Standard (P1V2):

• WebApp Server: 1 vCore, 3.5 GB RAM, 250 GB Storage.
• MySQL Flexible Database Server: 2 vCores, 8 GiB RAM, 128 GiB storage, 700 IOPS.

* Premium (P1V3):

• WebApp Server: 2 vCores, 8 GB RAM, 250 GB Storage.
• MySQL Flexible Database Server: 2 vCores, 16 GiB RAM, 256 GiB storage, 1100 IOPS.

To learn more about the estimated cost, please check the App Service Plan pricing and Azure Database for MySQL pricing pages for your WordPress project.

Summary

In this article, we showed you how to deploy and create a WordPress site on Azure App Service in Microsoft Azure. We showed you how to configure a custom domain for your site, manage access restrictions and manage your WordPress content using SSH/SFTP and FTPS.

WordPress on Azure App Service is built on top of Azure App Service and takes advantage of all the advanced features in Azure App Service to build, deploy, and manage your WordPress applications.

WordPress on Azure App Service will also make use of other Azure services like MySQL Flexible server, Azure CDN, Azure BLOB storage, Azure Virtual Network (VNet), and Azure Front Door (AFD) to give you the best WordPress experience. In addition to using these Azure Products, the WordPress on Azure App Service team at Microsoft makes sure that you get the latest versions of all underlying technology including a dedicated support team.

Now go ahead and start creating a WordPress site at Create WordPress on App Service – Microsoft Azure Marketplace.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-