Hetzner Cloud — Complete Hosting Guide

From zero to multiple live websites on Hetzner Cloud, with Cloudflare DNS, WordPress, and CloudPanel. Written for someone who has never touched a server before.

00Overview & What You'll Build

The Architecture

01Prerequisites

02Choose Your Path

03How You'll Type Commands Required — Read This

You'll need to type a handful of commands during initial setup. Pick whichever option you're most comfortable with:

04Terminal Survival Guide Recommended — Read This

A few things that will save you a lot of confusion:

05Hetzner Projects Recommended — Read First

In Hetzner Cloud, everything (servers, firewalls, SSH keys, volumes, networks, backups, API tokens) lives inside a Project. A project is a container that groups related resources and isolates billing and access. You can have many projects under a single Hetzner account.

06Locations & Datacenters

Hetzner runs datacenters in several regions. Pick the one closest to your main audience — latency matters far more than marginal price differences. Location cannot be changed after creation; you'd have to migrate via snapshot.

07Server Types — CX vs CAX vs CPX vs CCX

Hetzner offers two tiers: Shared vCPU (cheaper, fine for most websites) and Dedicated vCPU (guaranteed cores, for CPU-heavy workloads). Within each tier there are different CPU architectures.

You can rescale freely between sizes within a line (e.g. CX22 → CX32), and also between shared lines that share architecture. Changing architecture (x86 ↔ ARM) requires a fresh install or snapshot-based migration.

08Images — What "Image" Means

The "Image" is what gets installed on your new server. Hetzner offers four kinds:

09IPv4 vs IPv6 Recommended — Read This

Every server gets network addresses. You'll see both "IPv4" and "IPv6" checkboxes during server creation. Here's what they actually mean:

What they are

Which should I enable?

What this means in DNS

If you set up DNS through Cloudflare with the orange cloud (Proxied) — which this guide recommends — you only need the A record. Cloudflare talks to your server over whichever protocol is available; visitors talk to Cloudflare. So IPv6 on the origin is "nice to have" but not required for your site to be reachable over IPv6 globally.

If you go DNS-only (grey cloud) and want full IPv6 support for visitors, add an AAAA record too, pointing at the ::1 address from your Hetzner server's /64 range (Server → Networking → copy the IPv6).

Connecting via SSH

# Over IPv4
ssh deploy@168.119.12.34

# Over IPv6 (brackets not needed for ssh, but needed in URLs)
ssh deploy@2a01:4f8:c17:1a2b::1

Your home ISP must support IPv6 for the second one to work. If it hangs, your network probably can't route IPv6 — just use IPv4.

10Private Networks Optional

A Private Network lets multiple servers in the same location talk to each other over a private subnet that is not exposed to the public internet. You'd use this when you eventually split your stack — e.g. one server for the web app, another for the database.

How: Hetzner Console → project → Networks → Create Network → pick a range (e.g. 10.0.0.0/16) → attach servers to it. Free of charge.

11Volumes (Block Storage) Optional

Volumes are extra disks you can attach to a server. Your server's built-in disk is fine for most websites (CX22 = 40 GB, plenty for dozens of WordPress sites). Volumes matter when you outgrow that.

Create in the browser (Volumes → Create Volume), attach to a server, then mount inside the OS (Hetzner shows the exact commands). You don't need this on day one — add it later if you hit a disk wall.

12Placement Groups Optional

A Placement Group tells Hetzner: "spread these servers across different physical hosts so they don't all go down together." Only useful if you run multiple servers that back each other up (e.g. two web servers behind a load balancer).

For a single-server setup, ignore this entirely. For HA setups: create a spread placement group, then assign each server to it at creation time.

13Cloud-init / User Data Optional — Power User

During server creation, there's a "Cloud config" / User Data field. This lets you paste a script that runs automatically on first boot — so your server comes up already updated, with users created and software installed, without touching the terminal manually.

Example — this auto-updates and installs basics:

#cloud-config
package_update: true
package_upgrade: true
packages:
  - ufw
  - fail2ban
  - htop
  - unattended-upgrades
runcmd:
  - ufw allow OpenSSH
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  - ufw --force enable
  - systemctl enable --now fail2ban

14Labels Optional

Labels are key-value tags (env=prod, client=acme) you can attach to servers, volumes, networks, etc. Useful once you have many resources — filter the Console by label, or target groups of servers via the API. Ignore if you have 1–2 servers.

1.1Create Your Hetzner Account Required

Entirely in your browser.

1.2Generate SSH Keys Recommended

SSH keys let your computer prove its identity cryptographically instead of using a password.

What are SSH keys?

Generate the key pair

On your local computer (not the server), open your terminal:

ssh-keygen -t ed25519 -C "your-email@example.com"

Press Enter for default location, then set a passphrase (or Enter for none).

View the public key:

cat ~/.ssh/id_ed25519.pub

Copy the entire output line.

Add to Hetzner (browser)

Hetzner Cloud Console → your project → Security → SSH Keys → Add SSH Key → paste your public key.

1.3Create Your Server Required

Entirely in your browser via Hetzner Cloud Console. Make sure you're inside the right Project before clicking Add Server — resources are project-scoped and can't be moved between projects later.

1.4Connect to Your Server Required

Method A: Hetzner Web Console (browser)

Method B: Local terminal (SSH)

ssh root@YOUR_SERVER_IP

First time: type yes when asked about host authenticity.

First thing: update everything Required

apt update && apt upgrade -y

This installs all security patches. Takes a minute or two.

1.5Secure the Server Recommended

Create a non-root user

# Create user (replace "deploy" with any name you like)
adduser deploy

# Give them admin privileges
usermod -aG sudo deploy

Set a strong password. Skip optional info by pressing Enter.

Copy your SSH key to the new user Recommended

Only needed if you set up SSH keys:

mkdir -p /home/deploy/.ssh
cp /root/.ssh/authorized_keys /home/deploy/.ssh/
chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys

Test the new user Required before disabling root

Or from a local terminal, open a new window:

ssh deploy@YOUR_SERVER_IP
sudo whoami    # should output: root

Disable root login & password auth Recommended

nano /etc/ssh/sshd_config

Find and change (Ctrl+W to search):

PermitRootLogin no
PasswordAuthentication no

Remove # from the beginning of the line if present. Save: Ctrl+X → Y → Enter.

systemctl restart sshd

1.6Firewall Setup (UFW) Recommended

sudo ufw default deny incoming
sudo ufw default allow outgoing

# CRITICAL — allow SSH before enabling!
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# CloudPanel users: also allow port 8443
sudo ufw allow 8443/tcp

sudo ufw enable
sudo ufw status verbose

1.7Install Fail2Ban Recommended

Auto-bans IPs that try too many failed logins.

sudo apt install -y fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status

1.8Automatic Security Updates Recommended

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Select Yes. Critical patches will now auto-apply.

1.9Basic Monitoring Optional

Give yourself visibility into your server's health. Two commands to remember:

# Install htop — a visual process/CPU/memory monitor
sudo apt install -y htop

# Run it (press 'q' to exit)
htop

# Check disk space
df -h

# Check memory usage
free -h

That's it. Run these occasionally to make sure your server isn't running out of disk or memory. If disk usage is above 85%, it's time to clean up or upgrade.

🔐Quick Hardening Checklist

Before moving on to Part 2, tick everything off. This is your TL;DR safety net — go back and fix anything unchecked.

2.1Install NGINX Path A Required

sudo apt install -y nginx
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx

Visit http://YOUR_SERVER_IP in your browser. You should see the NGINX welcome page.

2.2Install PHP Path A Required for WordPress

sudo apt install -y php-fpm php-mysql php-curl php-gd php-intl \
  php-mbstring php-soap php-xml php-xmlrpc php-zip php-imagick php-cli

php -v
# Note the version (e.g. 8.3) — you'll need this later

2.3Install MariaDB Path A Required for WordPress

sudo apt install -y mariadb-server
sudo mysql_secure_installation

Create a database for WordPress Required

sudo mysql

CREATE DATABASE wordpress_db;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'YOUR_STRONG_PASSWORD_HERE';
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;

2.4Cloudflare DNS Setup Required

Entirely in your browser — Cloudflare Dashboard.

Main domain

Subdomains

One A record per subdomain. All point to the same IP.

Additional domains

For a different domain on Cloudflare: same A records (@ and www), same server IP. One server = unlimited domains.

2.5NGINX Virtual Hosts Path A Required

sudo mkdir -p /var/www/example.com/public_html
sudo chown -R deploy:deploy /var/www/example.com
sudo chmod -R 755 /var/www/example.com

sudo nano /etc/nginx/sites-available/example.com

Paste:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    root /var/www/example.com/public_html;
    index index.php index.html index.htm;

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\. { deny all; }

    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }
}

Enable the site

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
sudo nginx -t      # ALWAYS test before reloading
sudo systemctl reload nginx

2.6SSL Certificates Path A Required

Option 1: Cloudflare handles SSL (easiest) Recommended

If DNS is Proxied: Cloudflare Dashboard → SSL/TLS → set mode to Full. Done. No terminal needed.

Option 2: Let's Encrypt Optional

Temporarily set Cloudflare DNS to grey cloud (DNS only), then:

sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot renew --dry-run    # test auto-renewal

Switch Cloudflare back to Proxied after. Set SSL mode to Full (strict).

2.7Install WordPress Path A Required

cd /var/www/example.com/public_html
sudo wget https://wordpress.org/latest.tar.gz
sudo tar -xzf latest.tar.gz
sudo mv wordpress/* .
sudo rm -rf wordpress latest.tar.gz
sudo chown -R www-data:www-data /var/www/example.com/public_html
sudo find /var/www/example.com/public_html -type d -exec chmod 755 {} \;
sudo find /var/www/example.com/public_html -type f -exec chmod 644 {} \;

Now visit your domain in a browser — the WordPress wizard appears. Enter your database details from section 2.3.

2.8Multiple Sites & Subdomains Path A Optional — when needed

Repeat the same process for each new site:

# 1. Create directory
sudo mkdir -p /var/www/newdomain.com/public_html

# 2. Copy & edit NGINX config
sudo cp /etc/nginx/sites-available/example.com /etc/nginx/sites-available/newdomain.com
sudo nano /etc/nginx/sites-available/newdomain.com
# Change: server_name, root, log paths

# 3. Enable, test, reload
sudo ln -s /etc/nginx/sites-available/newdomain.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

# 4. Add DNS in Cloudflare (browser)
# 5. Create database if WordPress (sudo mysql → CREATE DATABASE...)

Subdomains work identically — server_name blog.example.com; + A record in Cloudflare (blog → your IP).

2.9Non-WordPress Sites Path A Optional

Static HTML — simplified config (no PHP block)

server {
    listen 80;
    server_name static-site.com www.static-site.com;
    root /var/www/static-site.com/public_html;
    index index.html;
    location / { try_files $uri $uri/ =404; }
    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ { expires 30d; }
}

Node.js — reverse proxy

server {
    listen 80;
    server_name app.example.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

3.1Install CloudPanel Path B Required

Free, open-source hosting panel. One-time terminal install, then everything else is browser-based.

apt update && apt -y upgrade && apt -y install curl wget sudo

MariaDB 11.4 Recommended

curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh; \
echo "19cfa702e7936a79e47812ff57d9859175ea902c62a68b2c15ccd1ebaf36caeb install.sh" | \
sha256sum -c && sudo CLOUD=hetzner DB_ENGINE=MARIADB_11.4 bash install.sh

MySQL 8.0 (alternative)

curl -sS https://installer.cloudpanel.io/ce/v2/install.sh -o install.sh; \
echo "19cfa702e7936a79e47812ff57d9859175ea902c62a68b2c15ccd1ebaf36caeb install.sh" | \
sha256sum -c && sudo CLOUD=hetzner DB_ENGINE=MYSQL_8.0 bash install.sh

Takes 5–10 minutes. Lots of text scrolling is normal.

3.2Access CloudPanel & First Login Path B Required

Open your browser: https://YOUR_SERVER_IP:8443

3.3Cloudflare DNS for CloudPanel Path B Required

All in your browser.

Admin panel access Recommended

Then CloudPanel → Admin Area → Settings → set hostname to admin.example.com.

Your websites Required

3.4Add a WordPress Site Path B Required

All in the browser:

3.5Add a PHP or Static Site Path B Optional

Sites → Add Site → choose: PHP App, Node.js, Python, or Static HTML. Enter domain, configure, Create. Upload files via SFTP (e.g. FileZilla) using the site user credentials.

3.6Subdomains Path B Optional

Two steps, both in browser:

3.7Multiple Domains Path B Optional

3.8SSL Certificates Path B Required

CloudPanel → your site → SSL/TLS tab → Actions → New Let's Encrypt Certificate → Create and Install.

3.9Backups & Snapshots Path B Recommended

What gets backed up?

Hetzner automatic backups (browser) Recommended

Hetzner Cloud Console → your server → Backups → Enable. Costs ~20% of server price. Creates daily full snapshots.

CloudPanel + Hetzner API snapshots (browser) Optional

Manual database backup (terminal) Optional

# Export a database to a .sql file
mysqldump -u root -p wordpress_db > ~/backup_$(date +%F).sql

# Download to your computer (run on YOUR machine, not the server)
scp deploy@YOUR_SERVER_IP:~/backup_*.sql ~/Downloads/

How often? Daily for active sites. Weekly minimum. Always before making big changes (updates, plugin installs, migrations).

Uploading Files to Your Server (SFTP) Recommended — Know This

SFTP (Secure File Transfer Protocol) is how you upload files to your server — themes, plugins, scripts, images, custom code. It works like drag-and-drop in a visual app. The most popular free SFTP client is FileZilla.

Install FileZilla

Download from filezilla-project.org (free, works on Mac/Windows/Linux). Install it like any other app.

Connect to your server

Open FileZilla and enter the connection details at the top:

Click Quickconnect. Accept the host key warning the first time. You'll see your local files on the left and your server files on the right.

Where to upload files

Drag files from the left panel (your computer) to the right panel (the server). FileZilla shows upload progress at the bottom.

Scheduled Tasks / Cron Jobs Optional — When Needed

Cron jobs let you run tasks automatically on a schedule — daily data refreshes, weekly reports, hourly API calls, database cleanups, or anything else you can express as a command.

WordPress scheduled tasks

WordPress has its own built-in scheduling system (WP-Cron). For most WordPress tasks, you don't need server-level cron at all:

This handles things like scheduled posts, cache clearing, backup plugin schedules, and email digests — all from the browser.

Server-level cron jobs (non-WordPress)

For anything outside WordPress — Python scripts, Node.js tasks, shell scripts, API calls — you use server cron jobs.

CloudPanel (browser) Path B

CloudPanel has a built-in cron manager:

Common cron job examples

Manual cron (terminal) Path A

If you're on Path A or want to manage cron from the terminal:

# Open the cron editor
crontab -e

# Add a line at the bottom. Format: minute hour day month weekday command
# Example: run a Python script every day at 6am
0 6 * * * python3 /var/www/example.com/scripts/refresh.py

# Example: run every 30 minutes
*/30 * * * * curl -s https://api.example.com/webhook

# Save and exit (Ctrl+X → Y → Enter in nano)

Email & Contact Forms Recommended — Read This

This catches almost everyone off guard: your Hetzner server cannot reliably send emails out of the box. If you install a WordPress contact form plugin (WPForms, Contact Form 7, etc.) and test it, the emails will either never arrive or land in spam.

Why?

Hetzner servers don't come with a mail server configured, and even if they did, emails from new/unknown servers are almost always flagged as spam by Gmail, Outlook, etc. You need a dedicated email service to send reliably.

The fix: use an SMTP plugin + email service

Reboots & Maintenance Recommended — Read This

Servers occasionally need to restart — after a kernel update, if something hangs, or during Hetzner maintenance windows. Here's what to know.

Do my sites come back automatically?

How to reboot

# Graceful reboot (from terminal or Web Console)
sudo reboot

Or from the browser: Hetzner Cloud Console → your server → Power → Reboot (soft/graceful) or Reset (hard/forced — use only if server is unresponsive).

Hetzner scheduled maintenance

Hetzner occasionally performs maintenance on their physical hardware. They will email you in advance (usually 1–2 weeks notice). During maintenance, your server may be migrated to another physical host — this causes a brief reboot (usually under 5 minutes). Your data and IP address stay the same. No action needed from you.

When to manually reboot

Cloudflare Recommended Settings Recommended

All done in the Cloudflare dashboard (browser). Applies to both paths.

Security

Speed

Caching

Network

Test Everything Works Required

Before calling it done, run through this checklist:

Common Mistakes Recommended — Read This

These will save you hours of frustration. Every one of these is something real beginners hit regularly.

How to Reconnect Later Recommended — Save This

When you close your terminal and come back tomorrow, here's how to get back in:

# From your local terminal:
ssh deploy@YOUR_SERVER_IP

# Or if you didn't set up a separate user:
ssh root@YOUR_SERVER_IP

Scaling Later Optional — Read When Ready

What happens when your sites grow? You have three options, roughly in order of effort:

For most sites, upgrading the server size is all you'll ever need. Don't over-engineer until you have the traffic to justify it.

Troubleshooting

Error 521 (Web server is down)

Check NGINX: sudo systemctl status nginx. Check firewall: sudo ufw status. Check IP in Cloudflare matches your server.

Error 522 (Connection timed out)

Server overloaded or ports blocked. Check with htop and sudo ufw status.

Error 525/526 (SSL handshake failed)

Cloudflare SSL mode mismatch. Use "Full" if no server cert, "Full (strict)" if you have Let's Encrypt.

Can't connect via SSH

Use the Hetzner Web Console (always works). Check SSH is running: sudo systemctl status sshd. Check firewall: sudo ufw status.

NGINX shows wrong site

Each site needs a unique server_name. Run sudo nginx -t to check for config errors.

WordPress white screen of death

Check PHP error log: sudo tail -50 /var/log/nginx/example.com.error.log. Usually a plugin conflict or memory limit. Edit wp-config.php and add define('WP_DEBUG', true); to see the real error.

Command Cheat Sheet