
Hosting WordPress within a Docker container presents its own set of unique challenges, although having tested a bare-metal instance of WordPress on an old Pi the benefits far outweigh the drawbacks. For security considerations alone, it can be considered a far superior form of implementation.
The first question is how to best host an instance within Docker? There are dozens of different images available from both WordPress and the Docker community with different implementations and design choices when it comes to implementing. I would strongly recommend not going with an ‘all in one’ image, as these open multiple avenues for compromise, including outdated dependencies and a vastly increased opportunity for lateral movement upon compromise.
Do I seem rather focused on security? With over 40% of hosted sites running WordPress (20% adjusted for active), combined with a legacy codebase and combined with plugins running with little to no guardrails, WordPress sites are a tantalizing prospect for a potential threat actor. This means automated updates, backups & attack surface reduction are a must for risk mitigation. Docker assists quite nicely with all 3 of these, especially considering containerization is a core feature of the framework. Without any additional steps, the WordPress instance is already abstracted one layer from the host. Using Docker, each piece of the LAMP stack can additional be segmented into it’s own container, minimizing attack surface to the ports opened on each.
The final stack for my instance includes nginx for reverse-proxy routing & multi-domain routing for multiple sites, MariaDB for a slight performance uplift to MySQL and the stock WordPress image. Certbot automates SSL renewals, with nginx allowing tight control of any traffic routed to target sites, including CSP policies. Docker compose allows the luxury of fine-tuning each, allowing secrets to be passed securely and WordPress config options easily injected into runtime with a bind-mount of the config file. With the difficulty of the initial environment setup via docker compose complete, any subsequent changes or environment updates are accomplished within minutes.
Within the WordPress instance itself functionality is almost identical to bare metal. However, security remains just as important. 2FA, WordFence (firewall/pseudo-IDP) and HSTS hardening ensure that activities within the container remain as controlled as possible. In the firewall logs you can almost immediately see intrusion attempts globally. Restricting whitelisted IPs to us-only would help greatly, however the built-in brute force protection within wordfence should be more than sufficient outside of an enterprise instance.
“Dockerized” WordPress has proven to be highly convenient once the initial work of configuration is completed, allowing for rapid deployment and heightened security with minimal overhead. As long as best practices are observed, I would have a hard time recommending another way to host a WordPress instance.