How to Self-Host an HRMS

Choose Your HRMS Platform

Before provisioning infrastructure, decide which open source HRMS you will deploy. Each platform has different server requirements and technology dependencies.

OrangeHRM requires PHP 8.1+, MySQL 8.0+ and Apache or Nginx. It is the simplest to deploy and runs on the most common web hosting stack. Choose OrangeHRM if you want proven stability, minimal infrastructure complexity and a large community for troubleshooting.

Frappe HR requires Python 3.10+, MariaDB 10.6+, Redis, Node.js and the Frappe Bench CLI tool. The dependency list is longer, but Frappe Bench automates most of the setup. Choose Frappe HR if you need integrated payroll, plan to use ERPNext or have Python developers on your team.

IceHrm requires PHP 7.4+, MySQL 5.7+ and Apache or Nginx. Requirements are similar to OrangeHRM. Choose IceHrm if you want a lightweight, API-first HR system without ERP overhead.

OpenHRMS requires Python 3.8+, PostgreSQL 12+ and the Odoo framework. Choose OpenHRMS if you already use Odoo for other business functions or want access to Odoo's broader module ecosystem.

Select and Provision Your Server

For most organizations, a cloud VPS provides the best balance of cost, reliability and ease of management. Providers like Hetzner, DigitalOcean, Linode, Vultr and AWS Lightsail offer Linux VPS instances at predictable monthly prices.

Minimum specifications for a deployment serving up to 500 employees: 2 CPU cores, 4 GB RAM, 40 GB SSD storage. This handles the application, database, file uploads and room for growth. For organizations over 500 employees, scale to 4 cores and 8 GB RAM. If you run heavy payroll processing or generate large reports, additional RAM is the most impactful upgrade.

Operating system: Ubuntu Server 22.04 LTS or Debian 12 are the most widely supported by all four platforms. Both receive long-term security updates and have extensive package repositories. Avoid desktop editions, they include unnecessary services that consume resources and increase the attack surface.

On-premises servers make sense for organizations with existing data center infrastructure, strict data residency requirements or unreliable internet connectivity. Use the same OS and specification guidelines. Ensure the server has redundant power, RAID storage and a UPS to protect against hardware failures.

Install the Operating System and Dependencies

Start with a fresh OS installation. Update all packages immediately after installation to apply security patches. Then install the dependencies specific to your chosen platform.

For PHP-based platforms (OrangeHRM, IceHrm): install Nginx or Apache, PHP with required extensions (mbstring, xml, curl, gd, zip, intl, opcache), MySQL or MariaDB, and Composer for PHP package management. Enable PHP OPcache for performance. Configure PHP to handle file uploads up to at least 10 MB for employee document attachments.

For Frappe HR: install MariaDB, Redis, Node.js (LTS version), yarn, wkhtmltopdf (for PDF generation), Python 3.10+ with pip and virtualenv, and then install Frappe Bench using pip. Frappe Bench handles the rest of the application setup including creating the site, installing the HR app and configuring background workers.

For OpenHRMS: install PostgreSQL, Python 3.8+, pip, Node.js, and wkhtmltopdf. Then install Odoo from source or from the official Odoo Debian/Ubuntu repository. Configure PostgreSQL with a dedicated database user for Odoo.

Create a dedicated system user for the application rather than running it as root. Set file permissions so the application can read its own files and write to upload and log directories, but cannot modify other system files.

Deploy the HRMS Application

Follow the official installation documentation for your chosen platform. Each project provides step-by-step guides.

OrangeHRM: download the latest release from GitHub, extract it to your web server document root, navigate to the installation URL in your browser and complete the web-based installer. The installer creates the database, populates initial data and creates the admin account. The entire process completes in under five minutes once dependencies are installed.

Frappe HR: use Frappe Bench to initialize a new bench, create a new site, install the hrms app and set up the site. Frappe Bench handles virtual environment creation, dependency installation, database migration and static asset compilation. Run the setup wizard through the web interface to configure company details, fiscal year, currency and initial HR settings.

IceHrm: clone the repository, configure the database connection in the settings file, run the database migration script and access the web interface to complete setup. IceHrm provides SQL migration files that create all necessary tables and seed data.

OpenHRMS: start the Odoo server, create a new database through the web interface, install the HR modules from the apps menu and configure company settings. Install additional HR modules (attendance, payroll, recruitment) as needed from the apps catalog.

After installation, create your admin account with a strong password, configure the organization structure (departments, locations, job titles) and import employee data from CSV if migrating from another system.

Configure SSL and Domain Access

An HRMS handles sensitive employee data, so encrypted HTTPS connections are mandatory, not optional.

Register a domain or subdomain for your HRMS (for example, hr.yourcompany.com). Create a DNS A record pointing to your server's IP address. Wait for DNS propagation, which typically completes within an hour.

Install Certbot (the Let's Encrypt client) and obtain a free SSL certificate. Certbot can automatically configure Nginx or Apache to use the certificate and set up automatic renewal. Certificates renew every 90 days, and Certbot handles this through a cron job or systemd timer.

Configure your web server to redirect all HTTP traffic to HTTPS. Set HTTP Strict Transport Security (HSTS) headers so browsers remember to always use HTTPS for your domain. If your organization uses a corporate certificate authority, install those certificates instead of Let's Encrypt.

For organizations that restrict HRMS access to the corporate network, configure the web server to only accept connections from your office IP addresses or VPN range. This adds a network-level access control layer on top of application authentication.

Harden Security

An HRMS server holds some of the most sensitive data in any organization. Security hardening is essential.

Firewall: configure UFW or iptables to allow only SSH (port 22), HTTP (port 80) and HTTPS (port 443). Block all other inbound ports. If you use a non-standard SSH port, update the firewall accordingly.

SSH security: disable password authentication and require SSH key pairs. Disable root login over SSH. Use fail2ban to automatically block IP addresses that make repeated failed login attempts.

Database access: configure MySQL, MariaDB or PostgreSQL to listen only on localhost (127.0.0.1), not on public interfaces. Use a strong, unique database password. Create a dedicated database user for the application with only the permissions it needs, avoid using the root database account.

Application security: keep the HRMS software updated to the latest stable release. Subscribe to the project's security announcement mailing list or watch their GitHub repository for security advisories. Apply security patches promptly.

File permissions: set ownership so the web server user can read application files and write to upload/log directories. Make configuration files readable only by the application user, not world-readable, since they contain database credentials.

Set Up Backups and Monitoring

Data loss from a failed HRMS can be catastrophic. Automate backups and verify them regularly.

Database backups: schedule daily automated database dumps using mysqldump, mariadb-dump or pg_dump depending on your database. Store backups on the local server and copy them to an offsite location (S3, Backblaze B2, a separate server or an external drive). Retain at least 30 daily backups and 12 monthly backups.

File backups: back up the entire application directory including uploaded employee documents, configuration files and any custom code. Use rsync, restic or borgbackup for efficient incremental file backups. Store offsite copies alongside database backups.

Backup testing: a backup that has never been restored is not a backup. Schedule monthly restore tests to a separate environment to verify that backups produce a working system with intact data.

Server monitoring: install basic monitoring to alert you when disk space runs low, memory usage spikes, CPU stays elevated or the web server becomes unresponsive. Uptime monitoring services like UptimeRobot (free tier), Hetrixtools or a self-hosted solution like Uptime Kuma can check the HRMS URL every few minutes and send alerts if it goes down.

Plan Ongoing Maintenance

A self-hosted HRMS requires regular attention to stay secure and performant.

Weekly: apply OS security updates using unattended-upgrades or a manual update schedule. Review server logs for errors or unusual activity. Check backup job status and storage utilization.

Monthly: review the HRMS project's release notes for new versions. Test updates in a staging environment before applying to production. Run a backup restore test. Review user accounts and disable access for departed employees.

Quarterly: review server performance metrics to identify if hardware upgrades are needed. Audit user permissions to ensure least-privilege access. Review SSL certificate expiration dates. Update documentation for any configuration changes made during the quarter.

Annually: evaluate whether the chosen platform still meets organizational needs. Review the total cost of self-hosting (infrastructure, labor, opportunity cost) against managed alternatives. Plan for major version upgrades that may require database migrations or dependency updates.

Assign a specific person or team as the system owner. Self-hosted software without a designated maintainer deteriorates over time as updates are skipped, backups stop working and security patches go unapplied.