Docker image for WordPress and ClassicPress hosting with NGINX and PHP 8.4.

• ⚡ Based on Debian + NGINX 1.26 + PHP 8.4 + s6-overlay v3
• 🌱 Everything is done via environment variables; PHP configurations, NGINX, and even WordPress constants are handled by environment variables. No need to edit wp-config.php.
• 🧠 Real caching support, works well with WP Super Cache, W3 Total Cache, WP Fastest Cache, and also with NGINX FastCGI Cache (via NGINX Helper).
• 📦 Separate code, uploads, cache, and logs!
• 🔧 Interactive installer, start the container, run docker exec -it presshost ./presshost and perform the guided installation.

PressHost is already trusted by high-traffic websites, including:

• 🎫 Catraca Livre - cultural events and entertainment platform
• 📖 Manual do Usuario - technology and tutorials website

Together, these sites handle more than 20 million pageviews per month, proving PressHost's reliability and performance at scale.

wget https://raw.githubusercontent.com/butialabs/presshost/main/compose.yml
nano compose.yml
docker compose up -d

WP_SITEURL and WP_HOME fall back to SITEURL when not set. server_name is also derived from the host portion of SITEURL.

If it's a migration, you can skip the installation and just copy the files to the correct volumes.

Upon startup, an index.php file would be displayed automatically if none already exists.

Salts are generated automatically at startup if they are not defined.

On the first start, if the files at SSL_CERT_PATH and SSL_PRIVATE_PATH do not exist, a self-signed certificate is generated automatically. Mount /site/ssl as a volume to persist it across container recreates and image updates. Existing files are never overwritten, so providing your own certificate (Let's Encrypt, internal CA, etc.) just works by mounting it at the configured paths.

• On container startup:

  • Any existing NGINX cache directories are always cleaned up first
  • This ensures a clean state when upgrading or changing cache settings

• When NGINX_CACHE=true:

  • Cache directories are created in /site/cache/nginx/fastcgi/
  • Cache files are generated during operation
  • The X-FastCGI-Cache header will be present in responses with values like HIT, MISS, or BYPASS

The cache can be purged using the NGINX Cache Purge module. We recommend using the NGINX Helper

Two empty configuration files are included and loaded at startup. Mount your own versions to extend NGINX without modifying the image.

Example — reverse proxy at /i/ on the same domain:

# compose.yml
services:
  presshost:
    volumes:
      - ./custom-presshost.conf:/etc/nginx/conf.d/custom-presshost.conf

# custom-presshost.conf
location /i/ {
    proxy_pass http://image-service:3000/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

All logs are written under /site/logs and rotated daily by logrotate: nginx-access.log, nginx-error.log, php-fpm.log, php-error.log, php-slow.log, cron-presshost.log, cron-nginx.log and wp-debug.log (when WP_DEBUG_LOG=true).

These variables are used during the interactive installation process via presshost command:

PressHost ships with built-in protections that keep PHP/NGINX healthy under load:

Any environment variable starting with PRESS_ is automatically converted to a Press constant. The PRESS_ prefix is removed and the value is passed to wp-config.php.

Security note: PHP-FPM runs with clear_env=yes. The init script forwards an explicit allow-list (DB_*, WP_*, SMTP_*, AUTH_*/salts, PRESS_*, INSTALL_*, SITEURL, TZ, etc.) into the pool. Variables outside that list are not exposed to PHP - phpinfo() will not leak unrelated container env vars.

Examples:

services:
  presshost:
    image: ghcr.io/butialabs/presshost:latest
    environment:
      # ...
      SSL_CERT_PATH: /site/ssl/live/your-domain.com/fullchain.pem
      SSL_PRIVATE_PATH: /site/ssl/live/your-domain.com/privkey.pem
      SSL_TRUSTED_CERT_PATH: /site/ssl/live/your-domain.com/chain.pem
      NGINX_SSL_STAPLING: "on"
      NGINX_SSL_STAPLING_VERIFY: "on"
    volumes:
      # ...
      - /etc/certbot:/site/ssl:ro

Note: The SSL_TRUSTED_CERT_PATH variable should point to the intermediate certificate chain (chain.pem) for OCSP stapling to work correctly. Without this, you may see warnings like "ssl_stapling ignored, no OCSP responder URL in the certificate".

Note: Nginx automatically reloads daily at 00:00 (container timezone) to pick up renewed certificates. This ensures seamless certificate rotation without manual intervention.

The container ships with the presshost CLI. Launch it with:

docker exec -it presshost presshost

When no WordPress/ClassicPress is installed yet, the menu lets you:

1. Install WordPress: downloads wordpress.org/latest.zip (or a specific version), unpacks it to /site/press, generates wp-config.php + wp-secrets.php (locally generated salts, no external API), runs wp core install, and resets ownership of the install directory to www-data:www-data.
2. Install ClassicPress: same flow, pulling from the official ClassicPress release archive.

When a site is already installed, the menu offers:

1. View installation info: shows detected type (WordPress/ClassicPress), version, site URL, title and the configured directories (/site/press, /site/uploads, /site/cache).
2. Exit.

You can also invoke the installer non-interactively:

# Same flows scripted via env vars (no TTY required)
docker exec -e PRESSHOST_DEFAULT_ACTION=wordpress \
            -e INSTALL_URL=https://example.com \
            -e INSTALL_EMAIL=admin@example.com \
            -it presshost presshost

presshost fix-perms resets ownership to www-data:www-data and applies safe permissions (755 for directories, 644 for files, 640 for wp-config.php and wp-secrets.php) on /site/{press,uploads,cache,logs}. It must be invoked with the root account inside the container:

docker exec -u 0 presshost presshost fix-perms

Made with ❤️ by Butiá Labs