overdigo/fwp

FrankenWP

WordPress + FrankenPHP — automated CLI installer in 2 commands

FrankenWP (fwp) installs and manages WordPress sites using FrankenPHP — a modern PHP server with HTTP/3 (QUIC), automatic HTTPS, and Zstandard compression built-in. Kernel tuning and firewall hardening are based on WordOps.

Supported Operating Systems

| OS | Version | Arch |
|---|---|---|
| Debian | 12 (Bookworm) | x86_64, aarch64 |
| Debian | 13 (Trixie) | x86_64, aarch64 |
| Ubuntu | 24.04 LTS (Noble) | x86_64, aarch64 |
| Ubuntu | 26.04 LTS | x86_64, aarch64 |

2-Command Install

# 1 — Download and install the full stack
wget -qO fwp https://cdn.jsdelivr.net/gh/overdigo/fwp@main/install.sh
sudo bash fwp

# 2 — Spin up a WordPress site
sudo fwp site create example.com

What Gets Installed

| Component | Notes |
|---|---|
| FrankenPHP | Latest release, auto-detects x86_64 / aarch64 |
| MariaDB | utf8mb4, Socket connection only (TCP disabled), optimized config |
| Redis | Socket connection only (TCP disabled), eviction: allkeys-lru |
| WP-CLI | Latest phar |
| WordPress | Any locale, fully automated via WP-CLI |
| Let's Encrypt HTTPS | Automatic via FrankenPHP / Caddy |
| HTTP/3 + QUIC | Enabled by default (443/tcp + 443/udp) |
| Zstandard compression | zstd, br, gzip in Caddyfile |
| Image Optimization | Automatic AVIF / WebP negotiation via Accept header |
| Security Headers | HSTS, CSP, TLS 1.3, Ed25519 certificates, hidden signatures |
| Rate Limiting | Anti-bruteforce for wp-login, XML-RPC block, API limits |
| Kernel tuning | BBR, sysctl, open file limits |
| UFW + Fail2Ban | Hardened rules |
| CLI Environment | bash-completion + nanorc (advanced syntax highlighting) |
| Productivity | Global aliases (fprl, fpre, ltr, ip4, ip6) |
| Auto XDP (Experimental) | Optional high-performance eBPF firewall for DDoS protection |

What's new in v0.5.0

  • Auto XDP (Experimental): Optional high-performance eBPF firewall for DDoS protection and automatic port whitelisting. Installed via install.sh --autoxdp.
  • Systemd Resource Limits: Added fwp stack limits command to enforce memory prioritization (MemorySwapMax=0) and CPU accounting using cgroups for FrankenPHP, MariaDB, and Redis.
  • Improved Installation Workflow: Fixes for worker.php timing and race conditions on site creation.

Admin Experience (v0.4.0+)

FrankenWP includes a standardized administration environment for root:

  • Enhanced Nano: Pre-configured with line numbers, mouse support, and scopatz/nanorc for 150+ languages.
  • Smart Completion: Tab-completion enabled for all commands (root-only for security).
  • Essential Aliases:
    • fprl / fpre: FrankenPHP reload / restart
    • ltr / lk: List files by time (newest first) or size (largest first)
    • ip4 / ip6: Quickly check public IP addresses
    • l, ll, la: Colorized, human-readable directory listings

Commands

# Site management
sudo fwp site create example.com              # Default (WP Super Cache)
sudo fwp site create cf.com --cache=wpce      # WP Cloudflare Super Page Cache
sudo fwp site create dev.local --cache=none   # No caching plugin
sudo fwp site create dev.local --skip-ssl --locale=pt_BR --title="Dev Site"
sudo fwp site list
sudo fwp site info example.com
sudo fwp site disable example.com
sudo fwp site enable example.com
sudo fwp site delete example.com

# Stack
sudo fwp stack status          # Services + kernel parameters
sudo fwp stack upgrade         # Upgrade FrankenPHP binary

# Firewall
sudo fwp firewall status       # UFW rules + Fail2Ban status
sudo fwp firewall allow 8080/tcp
sudo fwp firewall deny 3306/tcp

# General
fwp version
fwp --help

File Layout

/opt/fwp/                         ← FrankenWP source
├── bin/fwp                       ← CLI entrypoint (symlinked to /usr/local/bin/fwp)
├── src/core/                     ← log.sh  os.sh  utils.sh  banner.sh
├── src/stack/                    ← frankenphp.sh  mariadb.sh  redis.sh
│                                   wpcli.sh  kernel.sh  firewall.sh
├── src/site/                     ← create.sh  delete.sh  enable.sh
│                                   disable.sh  list.sh   info.sh
└── templates/                    ← Caddyfile.tpl  frankenphp.service.tpl

/etc/fwp/
├── fwp.conf                      ← Global configuration
└── sites/<domain>.conf           ← Per-site registry (chmod 600)

/etc/frankenphp/
├── Caddyfile                     ← Global Caddy config
├── sites-available/<domain>.conf ← Per-site Caddyfile
└── sites-enabled/<domain>.conf   ← Symlink when active

/var/www/<domain>/
├── htdocs/                       ← WordPress web root
├── logs/access.log               ← Per-site access log
└── conf/                         ← Reserved for extra config

/etc/sysctl.d/99-frankenwp.conf   ← Kernel tuning
/etc/security/limits.d/99-frankenwp.conf  ← Open file limits
/etc/fail2ban/jail.d/frankenwp.conf       ← Fail2Ban SSH jail

Kernel Tuning (WordOps-based)

Applied automatically during install.sh:

| Parameter | Value | Purpose |
|---|---|---|
| net.ipv4.tcp_congestion_control | bbr | Google BBR — better throughput |
| net.core.default_qdisc | fq | Required for BBR |
| net.core.somaxconn | 65535 | Max queued connections |
| net.ipv4.tcp_syncookies | 1 | SYN flood protection |
| net.ipv4.tcp_fin_timeout | 15 | Reduce TIME_WAIT |
| fs.file-max | 2097152 | Max open file handles |
| vm.swappiness | 10 | Keep data in RAM |
| Open file limit (nofile) | 1048576 | Per-process and system |

Firewall Rules (WordOps-based)

ALLOW OUT  all
DENY  IN   all (default)
LIMIT IN   22/tcp     SSH (rate-limited — max 6 conn/30s)
ALLOW IN   80/tcp     HTTP
ALLOW IN   443/tcp    HTTPS / TLS
ALLOW IN   443/udp    HTTP/3 QUIC  ← required for FrankenPHP HTTP/3
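
One way to check a running host against the rule set above, as an added example (not FrankenWP's own code): the function reads `ufw status verbose` output and reports inbound rules that are missing, changed or extra. The baseline string, the function names and the sample status output are constructed for this illustration.

```sh
# Baseline = the inbound rules listed above (name and format are this example's own).
FWP_INBOUND="22/tcp=LIMIT 80/tcp=ALLOW 443/tcp=ALLOW 443/udp=ALLOW"

# Reads `ufw status verbose` text on stdin, prints one finding per line,
# returns 1 if anything deviates. Assumes rules were added as port/proto.
audit_ufw() {
    awk -v baseline="$FWP_INBOUND" '
        BEGIN {
            n = split(baseline, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        $1 == "Default:" && $2 == "deny" && $3 ~ /incoming/ { default_deny = 1 }
        { gsub(/ \(v6\)/, "") }   # fold the IPv6 copy of a rule into the IPv4 one
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && ($2 == "ALLOW" || $2 == "LIMIT") && $3 != "OUT" {
            seen[$1] = $2
        }
        END {
            if (!default_deny) { print "DEFAULT incoming policy is not deny"; bad = 1 }
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in seen)) { print "MISSING " k " " want[k]; bad = 1 }
                else if (seen[k] != want[k]) { print "CHANGED " k " is " seen[k] ", want " want[k]; bad = 1 }
            }
            for (k in seen) if (!(k in want)) { print "EXTRA " k " " seen[k]; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: SSH limit replaced by a plain allow, QUIC rule absent,
# and 8080/tcp opened (as `fwp firewall allow 8080/tcp` would do).
sample_ufw_status() {
cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
3306/tcp                   DENY IN     Anywhere
443/tcp (v6)               ALLOW IN    Anywhere (v6)
EOF
}

sample_ufw_status | audit_ufw || true   # live: ufw status verbose | audit_ufw
```

A missing 443/udp rule is easy to overlook because clients fall back to HTTP/2 over TCP and the site keeps working.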

Fail2Ban: 5 max SSH retries per 5-minute window → 1-hour ban. Action: ufw.
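
The Fail2Ban thresholds above, replayed over SSH log lines, as an added example that is not part of FrankenWP: it shows which clients reach 5 failures inside a sliding 5-minute window and how long the resulting ban lasts. The function names and the log lines (in `journalctl -o short-unix` layout, with documentation IP addresses) are constructed for this illustration.

```sh
# Thresholds from the line above: 5 failures within 300 s, then a 3600 s ban.
# Reads `journalctl -o short-unix` style lines (epoch seconds first) on stdin
# and prints each ban decision. Function names are this example's own.
f2b_simulate() {
    awk -v maxretry=5 -v findtime=300 -v bantime=3600 '
        / sshd\[[0-9]+\]: Failed password / {
            t = int($1); ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # While banned, the firewall drops the client, so nothing is counted.
            if (ip == "" || t < banned_until[ip]) next
            # Slide the window: keep only failures newer than t - findtime.
            cnt = 0
            for (j = 1; j <= n[ip]; j++)
                if (hits[ip, j] > t - findtime) hits[ip, ++cnt] = hits[ip, j]
            hits[ip, ++cnt] = t; n[ip] = cnt
            if (cnt >= maxretry) {
                banned_until[ip] = t + bantime; n[ip] = 0
                printf "BAN %s at %d until %d\n", ip, t, t + bantime
            }
        }'
}

# Constructed sample: 203.0.113.7 fails 5 times in 80 s; 198.51.100.23 fails
# 5 times overall, but never more than 4 times inside one 300 s window.
sample_auth_log() {
cat <<'EOF'
1700000000.101234 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
1700000000.532100 web1 sshd[812]: Failed password for deploy from 198.51.100.23 port 51500 ssh2
1700000020.101234 web1 sshd[813]: Failed password for root from 203.0.113.7 port 40130 ssh2
1700000040.101234 web1 sshd[814]: Failed password for invalid user admin from 203.0.113.7 port 40144 ssh2
1700000060.101234 web1 sshd[815]: Failed password for root from 203.0.113.7 port 40151 ssh2
1700000080.101234 web1 sshd[816]: Failed password for root from 203.0.113.7 port 40163 ssh2
1700000090.101234 web1 sshd[817]: Failed password for root from 203.0.113.7 port 40170 ssh2
1700000100.532100 web1 sshd[818]: Failed password for deploy from 198.51.100.23 port 51512 ssh2
1700000200.532100 web1 sshd[819]: Failed password for deploy from 198.51.100.23 port 51526 ssh2
1700000280.532100 web1 sshd[820]: Failed password for deploy from 198.51.100.23 port 51533 ssh2
1700000350.532100 web1 sshd[821]: Failed password for deploy from 198.51.100.23 port 51540 ssh2
1700000360.900000 web1 sshd[822]: Accepted publickey for deploy from 198.51.100.23 port 51541 ssh2
EOF
}

sample_auth_log | f2b_simulate   # live: journalctl -u ssh -o short-unix | f2b_simulate
```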