Setting up WordPress on a server

This post assumes that you’ve already gotten a web server running and redirected a domain (or subdomain) name to it.  It walks you through installing and running a WordPress site on that server.

Along the way, we’ll be installing PHP and MySQL, which means that the server can also be used for the other things that a LAMP (Linux, Apache, MySQL, PHP) server can be used for besides WordPress.

Sources: These instructions are combined from the famous WordPress five-minute install document along with the MySQL secure installation script and Anson Cheung’s steps to optimize Apache on an AWS micro instance.

Step 1: Get required packages

Log on to your server as described in the post on getting a web server running.

cd

wget https://wordpress.org/latest.tar.gz

tar -xzvf latest.tar.gz

sudo apt-get install mysql-client mysql-server php php-mysql libapache2-mod-php

The mysql installation may ask you for a password for the mysql root account.  You should pick a strong password.  You need to remember this password and make sure others don’t get it, so you may want to store it in a password vault of some sort.

Step 2: Configuring packages

By default, the system is configured in a way that makes sense for large servers with lots of memory and processors.  If you’re running on a free-tier micro instance from AWS, this can cause the system to run out of memory and crash or thrash when it receives a large number of queries (such as when random botnets start scanning your host for security holes).  This can make the system unusably slow.  To avoid this, we configure things to limit memory use and the number of requests that the server will try to handle at once.

  • sudo nano /etc/apache2/mods-enabled/mpm_prefork.conf

Change the StartServers value to 3, the MinSpareServers to 2, MaxSpareServers to 5, MaxRequestWorkers to 10, and MaxConnectionsPerChild to 10.

  • sudo service apache2 restart
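To confirm the edit took effect, the following added example (not part of the original post) reads a prefork configuration file and compares each directive against the Step 2 values. The function names and the sample file contents are made up for illustration; the path is the one edited above.

```shell
#!/bin/sh
# Audit mpm_prefork.conf against the Step 2 values (added example; function names are made up).

# Print the value of one directive; the last uncommented occurrence wins.
prefork_value() {  # $1 = file, $2 = directive name (case-insensitive, as in Apache)
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Compare every Step 2 directive with its expected value; return 1 on any mismatch.
check_prefork() {  # $1 = file
    rc=0
    for pair in StartServers=3 MinSpareServers=2 MaxSpareServers=5 \
                MaxRequestWorkers=10 MaxConnectionsPerChild=10; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(prefork_value "$1" "$name")
        if [ "$have" = "$want" ]; then
            echo "ok       $name $have"
        else
            echo "MISMATCH $name is ${have:-unset}, expected $want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: MaxRequestWorkers was left at a large-server value.
demo_prefork() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
<IfModule mpm_prefork_module>
    StartServers            3
    MinSpareServers         2
    MaxSpareServers         5
    MaxRequestWorkers       150
    MaxConnectionsPerChild  10
</IfModule>
EOF
    check_prefork "$tmp"
    status=$?
    rm -f "$tmp"
    return "$status"
}

conf=/etc/apache2/mods-enabled/mpm_prefork.conf
if [ -r "$conf" ]; then check_prefork "$conf"; else demo_prefork; fi
```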

Step 3: Set up MySQL

The first step is to secure the MySQL installation:

  • sudo mysql_secure_installation

This will ask you for the mysql root password that you created in the previous step.  Answer no to the question about validating the root password, since you have already set it to something strong.  Answer y for all of the other questions.

The next step is to configure the user and database that will be used by WordPress.  In the block below, $ represents the command prompt (which will have a host name and directory in front of it on your system), and it includes the expected responses from the system.  The commands typed by you are the ones that follow the $ and mysql> prompts.  The phrase ‘password’ should be replaced by a strong password for the wordpress user, which should be enclosed in single quotes — do not copy and paste the quotes or the word password.  You need to remember this password for WordPress configuration later.

$ mysql -u root -p
Enter password: [enter the mysql root password here]
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5340 to server version: 3.23.54

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE DATABASE wordpressdatabase;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON wordpressdatabase.* TO wordpressuser@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

mysql> EXIT
Bye
$

Step 4: Enable HTTPS

WordPress sends your login and password information from your computer to the server in plain text, with the result that they can be intercepted as described here.  It also sends any information added by users of your site over plain-text connections, so you should not ask for sensitive information from your users over the standard connection.  To prevent such third-party interception, you must route all of your login/admin traffic over SSL.  As of 2017, to prevent Google from down-ranking your pages in search results, you must be able to route all traffic via SSL.

This must be done before configuring your WordPress site so that the login and password information is not captured by someone else who will then have full access to your site.

As of July 2017, it is not possible to use AWS-provided SSL certificates on servers like the one described in the post for getting a web server running, so we’ll use a different free certificate issuing agent.

This is based on the description at https://letsencrypt.org and its Get Started link, which shows how to get a certificate when you have ssh access to the server (which we have) and recommends using the Certbot site.  The Certbot instructions for using Apache on Ubuntu 16.04 are as follows:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot

(You can copy and paste the above together, but you need to hit return after doing that batch before doing the ones below.)

sudo apt-get update
sudo apt-get install python-certbot-apache

Once that has been installed, you can get a certificate and have Certbot modify the Apache configuration to begin serving it using the following command:

sudo certbot --apache

(Note that there are two dashes in front of apache.)

(Enter an email address where urgent renewal and security messages should be sent, as prompted.  Also read the terms of service and then select (A)gree if you do agree with them. Decide whether to share your information with the EFF and select the appropriate response. Enter your domain name as requested (if you are redirecting www.YOURDOMAIN.com, add that whole host name rather than just YOURDOMAIN.com).  When asked which configuration to configure (you will be asked twice), select the one labeled HTTPS.)

sudo service apache2 restart

Auto-renewal: The certificate obtained above will expire after 90 days.  To ensure that certificates remain up to date and do not expire, you need to configure the system to get new certificates before they expire.  There is a script that can be run weekly that will renew any certificates that are expiring in the next 30 days.  The above process should have placed a file named certbot in the directory /etc/cron.d.  Verify that this file exists; it will run twice a day to ensure that your certificates stay up to date.
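The check described above can be scripted. This added example (not from the original post or from Certbot) confirms that /etc/cron.d/certbot exists, reports how many days remain on the certificate, and says whether it has entered the 30-day renewal window. The certificate path is an assumption based on Certbot's usual layout, YOURDOMAIN.com is a placeholder, and the function names are made up.

```shell
#!/bin/sh
# Added example: is a certificate inside the 30-day renewal window? Needs GNU date (Ubuntu).

# Whole days from "now" to a notAfter string as printed by `openssl x509 -enddate`.
days_left() {  # $1 = date string, $2 = now in epoch seconds (default: current time)
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# Exit 0 when the certificate expires within $3 days (default 30, the window above).
in_renewal_window() {  # $1 = notAfter string, $2 = now epoch (optional), $3 = days
    [ "$(days_left "$1" "$2")" -le "${3:-30}" ]
}

# Read the notAfter field from a PEM certificate on disk.
cert_not_after() {  # $1 = certificate path
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

renewal_report() {  # $1 = certificate path
    [ -f /etc/cron.d/certbot ] || echo "warning: /etc/cron.d/certbot not found"
    na=$(cert_not_after "$1")
    [ -n "$na" ] || { echo "cannot read $1"; return 2; }
    echo "$1 expires $na ($(days_left "$na") days left)"
    if in_renewal_window "$na"; then
        echo "inside the 30-day window: check that the renewal job is running"
    fi
}

# Assumed path: Certbot's usual location; YOURDOMAIN.com is a placeholder.
cert=${1:-/etc/letsencrypt/live/YOURDOMAIN.com/cert.pem}
if [ -r "$cert" ]; then renewal_report "$cert"; fi
```

Run it with sudo if the certificate directory is not readable by your user.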

Step 5: Replace HTML with WordPress

This assumes that you want the server to respond with the WordPress site for direct queries to its root directory (the default web page for this server will be the WordPress site).

sudo cp -r ~/wordpress/* /var/www/html

sudo rm /var/www/html/index.html

sudo find /var/www/html -exec chown www-data {} \;

Step 6: Configure your WordPress site online

Now you can point a web browser at the secure version of your redirected domain (for me, this was https://hack4missions.net) and it should bring up a set of dialog boxes asking for your configuration information.  Note: Always use the https:// prefix when connecting to the administrator interface to avoid having your password intercepted.

  • The first asks for the language; I selected English (United States).
  • The Database Name is wordpressdatabase, the User Name is wordpressuser, the password is the one you chose above (without the quotes), and the host and prefix can be left alone.  If you enter an incorrect database, user, or password, it will complain about not being able to reach the server.
  • This brings you to a page where you do initial site configuration.  You need to decide some things at this point, but they can be changed later.  The Site Title is what will show up at the top of the page.  The Username is what you will use to log on to the site to edit it (more users can be added later).  Again, pick a strong password and remember it.  Add an email address for yourself to receive notices from the site of things to be moderated and such.

At this point, you can log on to your WordPress site as the administrator and adjust a few more things, then get busy producing content.

  • If there are any updates to perform, do them first.
  • Go to the Settings menu item, which by default is General Settings.
    • Change the WordPress Address and the Site Address both to a URL indicating the name of the domain that has been redirected here (if you have redirected one).  For me, this was http://hack4missions.net so that is what I put in both places.  For a secure connection by default, I would have used https://hack4missions.net.