I’ll describe the creation of a single website in your domain. With regard to multiple sites see for example how-to-host-multiple-websites-with-one-apache-server
Either you edit a site with html and php directly in /var/www/html/ with an editor or you apply a tool like WordPress to create responsive websites. I describe the HowTo:
1) Download WordPress (WordPress Download) and extract it to your apache root directory /var/www/html. It is widely used for creation of responsive sites (i.e. properly scaled according to the viewports of visitors). More than 40% of all Websites in the internet are built with WordPress.
2) Start the creation of your Website with the Browser address: http://localhost/wp-login.php.
Type a username and password for the wordpress login. You will be asked for the database name WordPress will use. Assuming you have created the database db0001 as above, choose this and as user a privileged database user as explained above with his password. Then WordPress starts and you are logged in to its Dashboard. In its menu go to Settings > General and fill in some credentials like email and local wordpress URL. Choose a Permalink structure (for example Plain) and some other marks. In General, Writing I prefer to use the Classic Editor in Text Mode, because I prefer to edit HTML directly instead of using a block editor.
3) Find a Theme in Appearance and download it. You need your FTP credentials for that. I use my Linux account Username and Password, which I configured for vsftpd in advance (see above). Activate the downloaded Theme. I used the Theme Hello Elementor for these pages, but there are dozens as alternatives. You can download several themes, test them by activating one of the downloaded examples and choose what you like best.
4) Edit Pages and create a Menu with them for the site. Don´t forget to save an edited page at the right with the blue Update button. You can view your work left top with “Visit Site”. With “Customize” you can type a title of your site, fill in a Logo and Headings etc. and own css rules under “Additional CSS” (Fonts, their weight and more). What you can customize depends on the Theme.
5) Download and install useful Plugins, especially for Security purposes. I recommend the following, which you can see in a Screenshot of my WordPress Plugins.
Be aware that a public server carries a high risk. It is essential to secure public servers and websites against attacks. In WordPress, plugins such as Limit-Login-Attempts, Headers Security and Wordfence Security are indispensable. When you have activated them on a WordPress site you will quickly realize by reports of these plugins how many attacks take place daily even on actually insignificant pages and you can see the risk. Isolate a public webserver from other computers in your network and never store private data on an exposed server. There are professional offers for website protection, for example Sucuri. See also a WP beginners guide.
As a warning see a single report from the Wordfence Plugin on really many attacks within a short time of only 5 days against my completely unimportant little website in the domain stiftung-swk.de. The most frequent attacks, which I see, are attempts of directory traversal and sql injections.
Counteract hacker attacks: In your own webserver – assumed it is apache2 – you can restrict access to the directories wp-admin and /usr/share/phpmyadmin through instructions in /etc/apache2.conf and /etc/phpmyadmin/apache.conf by allowing only certain ip addresses. However, I suggest not to use phpmyadmin at all, if you dont need it. Furthermore, use other prefixes than wp_ for your database tables.
When your website is hosted by an ISP, you should restrict access to wp-login.php by a plugin like “wsp hide login” and choose a very strong password for a login to phpmyadmin as long as it is active (if necessary, activate it only temporarily, when you need it).
6) Use a good .htaccess file for the Website, which makes your site hopefully secure against attacks. Important are Plugins to Limit Login Attempts, to scan for malware and to disable the old, but still present WordPress xmlrpc.php interface, which allows attackers to test login passwords. When you want, you can download my .htaccess file, which provides several security rules: Download .htaccess_example and place the following example files as .htaccess into the directories /wp-includes and /wp-content/uploads: Download .htaccess_in_uploads_and_includes.
That point is really important! I notice hundreds of attack attempts per month to my public Websites from all over the world (reported by the Wordfence Plugin, from China, Russia, USA and many others). Dont allow hackers to abuse your Site for criminal purposes (there are many deceitful purposes) and learn more on security in the digitized world.
For a private Website you can additionally use a password protection where you allow only certain users access with a password. This is managed by your .htaccess file and an according file .htpasswd. You easily find how this is done. You can also require a password for single pages of the Site within WordPress’ Editor.
When you intend to publish a permanent Website, a solution is a domain at a Webhosting provider like Manitu (25 DB, 50 GB storage, my provider) or Hetzner (analogous offer) in Germany for less than 30-55€ per year (DSGVO). Alternatively you can think on a self-configured Virtual Private Server (VPS) as described here like offered from Host-On in Frankfurt (my current provider). In that case you should study more on server configuration and security tools. Good detailed installation descriptions – other than mine – for a Debian server, possibly as VPS, are at the following Links Howto your first Debian Server and How to Install a Debian 12 (Bookworm) Minimal Server.
The security of your website is definitely your own responsibility by usual hosting contracts.
You can transfer a private WordPress Website from your home server to a provider or VPS with the help of the WordPress Plugin all-in-one-wp-migration ai1wm, as soon as you have a database at the provider enabled and installed WordPress and that plugin as described above. Doing this, observe that probably there is a maximum upload size for PHP depending on the server configuration. For a restore with an upload to your VPS, change in /etc/php/8.x/apache2/php.ini the parameters post_max_size and upload_max_filesize from default 2M to your needs. Of course you can also use other Website tools than WordPress. Find out what fits your needs.
Dont hesitate to execute several security tests for all of yours what is publicly accessible! Check your password strength (for example with that Password-strength-test). Make security scans with tools by hackertarget.com, wpsec.com, securityheaders.com et al. If your site cannot be scanned, it’s not a bad result. Possibly you will learn that it’s not that easy to configure sufficient security headers on a site. Pay attention to these headers, which are often missing even on professional sites (maybe compare some you are interested in). See for example – if it’s still available – Link on Security Headers (in German).
When you are a more advanced Linux user, I recommend the detailed documentations of Debian to nearly all aspects of Linux and its administration. Use as a starting point for example Debian Reference in German and Securing-Debian.Howto in English. Finally, make timely Backups of your work.