Backend developers and operators

How to Deploy a PHP Site on a VM

Set up PHP-FPM with Nginx, deploy a PHP application, and verify secure runtime configuration.

16 min read · Updated 2026-03-19

Prerequisites

• Ubuntu VM with Nginx installed
• SSH access with sudo privileges
• Security group allows TCP 22, 80, and 443

1. Install PHP runtime

Install PHP-FPM and common extensions needed by most frameworks.

Install PHP packages (bash)

sudo apt update
sudo apt -y install php-fpm php-cli php-mysql php-curl php-mbstring php-xml php-zip

Check PHP-FPM status (bash)

systemctl status php8.3-fpm --no-pager

2. Deploy application files

Deploy into a versioned release directory and symlink current for zero-downtime swaps.

Directory structure (bash)

sudo mkdir -p /var/www/php-app/releases /var/www/php-app/shared
sudo chown -R ubuntu:www-data /var/www/php-app

Quick smoke-test file (bash)

echo '<?php phpinfo();' | sudo tee /var/www/php-app/current/public/index.php

3. Configure Nginx for PHP-FPM

Point Nginx to the PHP-FPM Unix socket and avoid executing arbitrary files.

Nginx PHP server block (nginx)

server {
  listen 80;
  server_name php.example.com;

  root /var/www/php-app/current/public;
  index index.php index.html;

  location / {
    try_files $uri $uri/ /index.php?$query_string;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.3-fpm.sock;
  }

  location ~ /\. {
    deny all;
  }
}

Apply config (bash)

sudo nginx -t
sudo systemctl reload nginx

4. Production checks

Tune PHP settings and secure file permissions before exposing the service publicly.

Disable display_errors in production php.ini.
Set app directories to least-privilege ownership.
Store secrets in environment variables, not committed files.
Enable TLS and periodic security updates.

Operator tips

• Use database security groups to restrict inbound source to app subnet only.
• Automate deploys with CI/CD and a release rollback strategy.