Lightweight · Stable · Reproducible WNMP One‑Click Stack

The script is released under GPLv3. Commercial use and redistribution are allowed, but derivative works must remain open under the same license. Please follow the licenses of third‑party dependencies.

Primarily aimed at Debian 12/13 and Debian‑like systems. Verified on Windows11(WSL), (Linux)Debian 13, Debian 12, Ubuntu 22.04, Ubuntu 24.04, and Ubuntu 25.10. WSL (Debian recommended) receives safe downgrades.

For production, Debian13 is recommended. WNMP does not plan to support non‑Debian‑like distributions or EOL Debian variants.

Starting from v1.20, all software packages are downloaded into the /root/sourcewnmp directory. During reinstallation or upgrade, if the required compressed packages already exist, they will be detected and extracted directly without re-downloading.

However, fully offline installation is not possible. Components such as acme, MariaDB, PIE, and PECL still require an active network connection to be deployed. Therefore, v1.20 mainly addresses scenarios with slow or unstable networks, allowing users to manually download Nginx, PHP, and MariaDB source packages in advance and place them into the /root/sourcewnmp directory.

Below are the official download URLs for the required software. If your network connection is too slow, you can manually download these files and save them into /root/sourcewnmp:

https://nginx.org/download/nginx-1.28.1.tar.gz

https://www.php.net/distributions/php-8.5.0.tar.gz

https://www.php.net/distributions/php-8.4.16.tar.gz

https://www.php.net/distributions/php-8.3.29.tar.gz

https://www.php.net/distributions/php-8.2.30.tar.gz

https://github.com/php/pie/releases/latest/download/pie.phar

https://github.com/swoole/swoole-src/archive/master.tar.gz (Swoole 6.2-dev for PHP 8.5 save as: swoole.tar.gz)

https://github.com/swoole/swoole-src/archive/refs/tags/v6.1.4.tar.gz (Swoole 6.1.4 for PHP 8.2–8.4 save as: swoole.tar.gz)

https://archive.mariadb.org/mariadb-11.8.5/source/mariadb-11.8.5.tar.gz

https://archive.mariadb.org/mariadb-10.11.15/source/mariadb-10.11.15.tar.gz

https://archive.mariadb.org/mariadb-10.6.24/source/mariadb-10.6.24.tar.gz

https://packages.groonga.org/source/groonga/groonga-latest.tar.gz (save as: groonga.tar.gz)

https://packages.groonga.org/source/mroonga/mroonga-latest.tar.gz (save as: mroonga.tar.gz)

https://files.phpmyadmin.net/phpMyAdmin/5.2.3/phpMyAdmin-5.2.3-all-languages.zip (save as: phpmyadmin.zip)

Confirm you are using the Windows 11 operating system. First, you need to install the WSL subsystem.

Press Win+R to open the Run dialog box, then type cmd. Press Shift+Ctrl+Enter to enter the Administrator mode console.

wsl -l -o # Check if the remote system list can be read. If it reads normally, WSL is functioning correctly.

wsl --install debian # or wsl --install debian --web-download (Begin installing the Debian 13 subsystem. The first time you run this command, you may be prompted to restart your computer or notified that CPU virtualization support is disabled. Follow the on-screen instructions accordingly.)

After a normal installation, you will be prompted to configure a standard account and password. Once configured successfully, simply type: exit to exit the subsystem.

wsl -d debian -u root # Log in to the Debian system as the root user.

Copy
cd /root && apt update && apt install -y curl
curl -fL https://wnmp.org/wnmp.sh -o wnmp.sh
chmod +x wnmp.sh
bash wnmp.sh

Copy
cd /root && apt update && apt install -y curl
curl -fL https://raw.githubusercontent.com/lowphpcom/wnmp/main/wnmp.sh -o wnmp.sh
chmod +x wnmp.sh
bash wnmp.sh

In the address bar of this computer task, navigate to and open C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup # Replace [username] with your actual Windows login username.

Create a new wsl.vbs file and write the following content:

Copy
Set ws = CreateObject("Wscript.Shell")
ws.run "wsl -d debian", 0
' (ws.run "wsl -d ubuntu", 0) 

After initialization completes, the subsystem has installed the SSH server. Restart your computer as prompted, and you can then log in to your WSL Debian subsystem using an SSH client just like a regular server VPS.

Login address: 127.0.0.1 Port: 22

Additional WSL commands: In the Windows CMD environment, non-subsystem shell console

wsl -l -v # View list of installed systems

wsl --shutdown # Stop Subsystem

wsl --unregister debian # Uninstall Subsystem

If you need to access the subsystem via a local area network, open C:\Users\[username] # Please replace with your actual Windows login username.[username]

Create a new .wslconfig file and write the following content:

Copy
[wsl2]
networkingMode=Mirrored
dnsTunneling=true
firewall=true
autoProxy=true
[experimental]
hostAddressLoopback=true

Run the following command in an administrator PowerShell window to configure Hyper-V firewall settings to allow inbound connections:

Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow

Restart your computer again. You can now log into the subsystem using the same LAN IP address as your local Windows system. Enter `ipconfig` in the Command Prompt to view your local LAN IP address.

After restarting the computer, use an SSH client tool to access the subsystem and directly execute wnmp to begin deploying the web environment.

Because the most secure server is the one without a control panel.

GUI-based panel software (such as BT Panel) makes server management easier, but it also brings:

🔓 Extra open ports (e.g., 8888) that expand the attack surface;

⚠️ Retaining SSH password login, which increases brute-force attack risks;

🧩 Long-running panel daemons that may be exploited or escalated;

🔄 Auto-update and plugin systems that reduce auditability.

WNMP follows a completely different philosophy:

✅ SSH key-only login by default (the most secure authentication method);

✅ No web panel ports — after deployment, almost zero persistent processes;

✅ Fully transparent configuration — scriptable, versionable, and auditable;

✅ Focus on host-level performance and security baseline, not GUI convenience.

WNMP’s goal is not to “replace BT Panel,” but to provide a clean, engineer-oriented environment template — the command line itself is the control panel, where security and control always come first.

Panels are for beginners; WNMP is for engineers.

WNMP does not simply “package Nginx + PHP + MariaDB into a container.” Instead, it enables one-click host-level performance tuning and security baseline configuration (kernel network parameters, ulimit restrictions, SSH key setup, compilation optimizations, etc.) within a clean system environment.

These host-level capabilities are often uncontrollable within containers or require high privileges like --privileged, which undermines the original intent of container isolation.

Therefore, WNMP is recommended for use within KVM virtual machines, cloud servers, or KVM virtual systems running on Proxmox (PVE) to fully leverage its performance tuning and system optimization advantages.

Without MariaDB: minimum 512 MB RAM on Debian (the OS itself uses ~200 MB). On Ubuntu, minimum 768 MB RAM (the OS uses ~500 MB).

With MariaDB installed: at least 1 GB RAM is required for a proper installation.

Only PHP 8.2 – 8.5 are supported.

WNMP intentionally does not support EOL legacy versions.

pie install xxx

pie extensions can be found at:https://packagist.org/extensions

After installation, edit /usr/local/php/php.ini and add extension=xxx.so.

Verify with php -m.

Run wnmp restart or systemctl restart php-fpm to reload PHP‑FPM and enable the extension.

WNMP uses official download sources only. No third‑party mirrors are used.

If your download speed is extremely slow, try switching to a different system update source or install via proxy. For security reasons, always use the official download source!

Upstream releases appear first on official websites/GitHub, while Debian/Ubuntu repos may lag. Compiling also allows optional modules.

For example, WebDAV requires nginx-dav-ext-module.

As another example, Swoole supports PHP 8.5 on GitHub already, while some package repos lag; with WNMP you can use Swoole on PHP 8.5 immediately.

WNMP builds PHP with swoole,inotify, and redis enabled by default.

Since the WNMP author is also the LOWPHP author, WNMP ensures LOWPHP runs well. Traditional PHP‑FPM projects also run normally on WNMP.

inotify is an official optional extension for real‑time file change monitoring.

LOWPHP is a persistent‑memory runtime that leverages native C extensions for caching and hot‑reload. It’s similar in spirit to FrankenPHP (Go‑style) but built natively for PHP. It is both a runtime and a framework, enabling high‑performance apps with a familiar PHP‑FPM‑like development model and multi‑site support. Coming soon.

For DNS‑01 via Cloudflare: after compiling/installing Nginx with wnmp.sh, go to Cloudflare → My Profile → API Tokens → Create Token, choose “Edit zone DNS” to generate a token, then on the server run:

echo "SAVED_CF_Token='YOUR_TOKEN_HERE'" >> ~/.acme.sh/account.conf

If valid Cloudflare creds and dns_cf.sh are detected, DNS‑01 is preferred; otherwise it falls back to webroot. After issuance WNMP writes cert paths and reloads Nginx.

We recommend DNS‑01. With webroot, if a CDN is enabled, renewals may fail because the origin may not be reachable directly.

Win11-WSL local development environment, run `wnmp devssl` to implement self-signed certificates for local HTTPS requests.

Yes. The script detects internal network environments and prompts whether to force certificate application. Selecting "No" skips certificate application, ideal for development environment installation and debugging. Selecting "Yes" enables certificate application similar to installing within a PVE NAT IPv4 virtual LAN. As long as the PVE host forwards ports 80 and 443 to the current internal KVM virtual machine, certificates can be applied normally.

FTP is plaintext by default, making credentials easy to intercept. Even with TLS it’s cumbersome. Disable FTP server software entirely.

WebDAV rides on HTTPS (443) with SSL protection.

On Windows, use WinSCP (as with FTP) or RaiDrive (map as a local drive). On Linux, use Rclone to mount.

WebDAV supports multiple accounts per site. Run wnmp webdav repeatedly for the same domain to add more accounts. Password files are stored under /home/passwd/.

WinSCP settings: Protocol: WebDAV; Host: [domain]/webdav; Encryption: TLS/SSL implicit; Port: 443.

Other clients: https://[domain]/webdav.

Replace [domain] with your real domain.

Yes. When creating a site with wnmp vhost or adding WebDAV via wnmp webdav, choose “public directory: yes”. WNMP will disable all .php execution and serve any extension as a downloadable file.

If used purely as a drive, you can install Nginx only (skip PHP and MariaDB).

MariaDB is an open‑source fork by the original MySQL authors. It is highly compatible with MySQL syntax—migrate/import and it should just work.

MariaDB includes an optional Mroonga engine in multiple versions, but those are often outdated. WNMP disables the built‑in variant and installs the latest Mroonga separately.

MariaDB’s Mroonga page: https://mariadb.com/docs/server/server-usage/storage-engines/mroonga/about-mroonga

Mroonga official site: https://mroonga.org/

For MySQL/MariaDB projects, performance bottlenecks often come from query speed. Avoid LIKE fuzzy search—it’s slow!

Switch your table engine to Mroonga and add full‑text indexes on varchar/text columns. Example:

SELECT name FROM users WHERE MATCH (name) AGAINST ('+Hello Word' IN BOOLEAN MODE); (Replace field/table names with your own.)

See the Mroonga site for more documentation. https://mroonga.org/

Access https://[ip]/phpmyadmin. Servers with a public IPv4 address automatically obtain a Let's Encrypt IP certificate for protection and have Nginx Basic Auth enabled. The username is wnmp, and the default password is [needpasswd] or the same as the database password you set during MariaDB installation.

To change BasicAuth for the default site: htpasswd -bc /home/passwd/.default [user] [password]. (The default site supports a single account.)

MariaDB only supports connections from localhost, not 127.0.0.1. Please note that the project source code uses localhost to connect to the database.

Alternatively, manage via the shell by running mysql.

For Mroonga tables, do not import/export via phpMyAdmin (it does not consider Mroonga specifics).

Prefer mysqldump for import/export on the server:

All databases (with accounts/privileges/routines/events): mysqldump --all-databases --single-transaction --default-character-set=utf8mb4 --routines --events --flush-privileges | gzip > all_databases_backup.sql.gz

Single DB: mysqldump --single-transaction --default-character-set=utf8mb4 --databases test | gzip > test.sql.gz

Import: gunzip < all_databases_backup.sql.gz | mysql --default-character-set=utf8mb4

Import: gunzip < test.sql.gz | mysql --default-character-set=utf8mb4

Yes. Version v1.05 now supports overwriting installations. Alternatively, run `wnmp remariadb` to perform a full database backup to: /home/all_databases_backup_[time].sql.gz

Yes. Version 1.02 has just added the --pcntl extension, making it compatible with Workerman.

Yes. Install or remove components individually, or run only the kernel/network tuning.

Yes. Run wnmp sshkey

===

⚠️ Important reminder: Before confirming you have saved the private key to your own computer

⚠️ Do not disconnect the current SSH session, or you will be unable to log back into the server!

===

Save the private key to your local computer. You can then load the key in an SSH client for password-less login.

After configuring key-based login, the server will block all username/password logins.

WNMP auto‑tunes parameters based on your hardware and OS for strong production performance.

Benchmark with ab, wrk, etc.

On identical hardware, compare with other scripts. Results may vary and are for reference only.

Note: When testing concurrency, disable CDN caching, use HTTP, and run e.g. ab -n100000 -c1000 -k http://... — the -k flag (Keep‑Alive) better simulates real browsers and yields higher performance.

No. The author commits to open‑source principles; wnmp.org is the only official website.

QQ Group: 1075305476

Telegram Group: https://t.me/wnmps

Github: https://github.com/lowphpcom/wnmp

The community source code is being built on LOWPHP — stay tuned!