WordPress/Installation/CentOS

From r00tedvw.com wiki
(Difference between revisions)
(Install Wordpress)
 
(23 intermediate revisions by one user not shown)
Line 3: Line 3:
 
Installation done on CentOS 6.9
 
Installation done on CentOS 6.9
 
=Download required packages=
 
=Download required packages=
  <nowiki>~$ sudo yum install mysql-server php php-mysql -y </nowiki>
+
  <nowiki>~$ sudo yum install mysql-server php php-mysql -y mod_ssl</nowiki>
 +
 
 +
=Date=
 +
Make sure your date/time is set correctly
 +
<nowiki>~$ date -s "5 FEB 2018 18:54:00" </nowiki>
  
 
=Setup MySQL=
 
=Setup MySQL=
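Review bot: the new =Date= section adds ~$ date -s "5 FEB 2018 18:54:00", which hard-codes one moment in time and, unlike the yum line above it, runs without sudo, so a reader who pastes it either gets a permission error or sets the clock back to 2018. Suggest saying that the value stands in for the current time, or pointing to NTP (ntpdate or ntpd on CentOS 6) instead, since certificate validity checks depend on the clock. On the yum line, mod_ssl would read more cleanly next to the other package names, before -y.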
Line 26: Line 30:
 
  <nowiki>~$ sudo mkdir /opt/wordpress && sudo wget -O /opt/wordpress/wordpress-4.9.2.tar.gz https://wordpress.org/latest.tar.gz
 
  <nowiki>~$ sudo mkdir /opt/wordpress && sudo wget -O /opt/wordpress/wordpress-4.9.2.tar.gz https://wordpress.org/latest.tar.gz
 
~$ mkdir /var/www/html/website.com
 
~$ mkdir /var/www/html/website.com
~$ tar -C /var/www/html/website.com/ -zxf /opt/wordpress/wordpress-4.9.2.tar.gz</nowiki>
+
~$ tar -C /var/www/html/website.com/ -zxf /opt/wordpress/wordpress-4.9.2.tar.gz
 +
~$ sudo cp -r /var/www/html/website.com/wordpress/* /var/www/html/website.com/
 +
~$ sudo rm -r var/www/html/website.com/wordpress/
 +
</nowiki>
 +
==Configure Wordpress==
 +
<nowiki>~$ cp /var/www/html/website.com/wp-config-sample.php /var/www/html/website.com/wp-config.php
 +
~$ ~$ vim /var/www/html/website.com/wp-config.php
 +
...
 +
// ** MySQL settings - You can get this info from your web host ** //
 +
/** The name of the database for WordPress */
 +
define('DB_NAME', 'database_name_here');
 +
 
 +
/** MySQL database username */
 +
define('DB_USER', 'username_here');
 +
 
 +
/** MySQL database password */
 +
define('DB_PASSWORD', 'password_here');
 +
 
 +
/** MySQL hostname */
 +
define('DB_HOST', 'localhost');
 +
</nowiki>
 +
it would also be a good idea to SALT your authentication and cookies. go to https://api.wordpress.org/secret-key/1.1/salt/ and it will auto generate random salts. You can change these at any time to invalidate all cookies given out forcing users to log back in.
 +
<nowiki> ~$ vim /var/www/html/website.com/wp-config.php
 +
...
 +
define('AUTH_KEY',        'mMHx%-{<+&.P~c27Yw;jQ*,bp*%W4vPF#/vo_[Q`My07j*zXj27PRumC-|4mhCV)');
 +
define('SECURE_AUTH_KEY',  'cu#`Jh,?^}jh%~#NE/:hzB<iCMf$@D| 4/ov|-OHrA=`/%? k15|T}k^kl2%ZaGP');
 +
define('LOGGED_IN_KEY',    'w!Ur~brqVe~B]-M^^YQ]gc[oo9oKsg.M//TH=k#mf_#Kq>AKbMih|B(8yuE`~dlI');
 +
define('NONCE_KEY',        '(+1vx]Q;)%&3Z}j1[${Q#/F5i465kTrOEG{hyM<|dv hfV2U%|@M6m|Fn9EnE1}^');
 +
define('AUTH_SALT',        'W((kWAX/0`-VZ`#30)0]:&D}c0KZg|aMhF5=L6wtJotRA2}DeD;,(YC_m67aq) W');
 +
define('SECURE_AUTH_SALT', 'D?fyi DhO&98g,R^+h[= XyeEp+Y?WcNDUv@!:1^PoNUD4xa|ko/a}mK*0i!w3{b');
 +
define('LOGGED_IN_SALT',  '}=JeV6A!uhkMC2hYH2Bwr-ME%|nnr!rvPH9Lt/S8Z%i>Z5s=<%x4F[NsUl3`Q.m{');
 +
define('NONCE_SALT',      'H4{=At.DFY+rUv{~L|fKbn/]W_UY-`EcUc`Su$LU|wdI@qi/>*z~g!qB+;/K|asG');</nowiki>
 +
 
 +
=HTTPD Configuration=
 +
If you've already got a site setup, you may already have httpd configured.  If not, it's fairly easy.<br>
 +
<br>
 +
If you're going with a subsite configuration, the virutalhost file is going to be simple and only point to the site's root directory.
 +
===HTTP===
 +
<nowiki> ~$ sudo vim /etc/httpd/conf.d/website.com.conf
 +
add:
 +
<VirtualHost *:80>
 +
        ServerName website.com
 +
        ServerAdmin [email protected]
 +
        DocumentRoot /var/www/html/website.com/
 +
        TransferLog /var/log/httpd/website.com-access_log
 +
        ErrorLog /var/log/httpd/website.com-error_log
 +
</VirtualHost></nowiki>
 +
 
 +
===HTTPS===
 +
<nowiki> ~$ sudo vim /etc/httpd/conf.d/website.com.conf
 +
add:
 +
Listen 443
 +
 
 +
<VirtualHost *:443>
 +
        LoadModule ssl_module modules/mod_ssl.so
 +
 
 +
        ServerName website.com
 +
        ServerAdmin [email protected]
 +
        DocumentRoot /var/www/html/website.com
 +
        TransferLog /var/log/httpd/website.com-access_log
 +
        ErrorLog /var/log/httpd/website.com-error_log
 +
        LogLevel debug
 +
 
 +
        #SSL
 +
        SSLEngine On
 +
        SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 +
        SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 +
</VirtualHost></nowiki>
 +
 
 +
=Update Configuration=
 +
With the site up and running, we need to configure wordpress to be able to do its own updates.
 +
==SSH Keys==
 +
First we want to create a new user and the corresponding SSH keys it will be using (no password).
 +
<nowiki>~$ sudo adduser wp-user
 +
~$ sudo su - wp-user
 +
~$ ssh-keygen -t rsa -b 4096
 +
hit enter through the passphrase prompts
 +
It should then confirm it has created the keys and their location.
 +
default is: /home/wp-user/.ssh/id_rsa and /home/wp-user/.ssh/id_rsa.pub</nowiki>
 +
 
 +
==wp-config.php==
 +
Next we need to update the wordpress configuration file with the settings needed to use this new user and ssh keys.  You will need to add the following lines:
 +
<nowiki>~$ sudo vim /var/www/html/website.com/wp-config.php
 +
...
 +
/** Update authentication */
 +
define('FS_METHOD', 'direct');
 +
define('FTP_BASE', '/var/www/html/website.com/');
 +
define('FTP_CONTENT_DIR', '/var/www/html/website.com/wp-content/');
 +
define('FTP_PLUGIN_DIR', '/var/www/html/website.com/wp-content/plugins/');
 +
define('FTP_THEMES_DIR', '/var/www/html/website.com/wp-content/themes/');
 +
define('FTP_PUBKEY','/home/wp-user/.ssh/id_rsa.pub');
 +
define('FTP_PRIKEY','/home/wp-user/.ssh/id_rsa');
 +
define('FTP_USER','wp-user');
 +
define('FTP_PASS','');
 +
define('FTP_HOST','localhost:22');</nowiki>
 +
 
 +
=Configure Folders and Permissions=
 +
Wordpress needs the appropriate permissions setup in order to load content properly, as well as to perform updates properly.<br>
 +
 
 +
To determine what user/group your httpd uses, you can run this command.
 +
<nowiki>~$ egrep -i '^user|^group' /etc/httpd/conf/httpd.conf
 +
User apache
 +
Group apache</nowiki>
 +
 
 +
Create the upload directory
 +
<nowiki>~$ mkdir /var/www/html/website.com/wp-content/uploads </nowiki>
 +
Set ownership and file/folder permissions
 +
<nowiki>~$ sudo chown apache:apache -R /var/www/html/website.com/*
 +
~$ sudo find /var/www/html/website.com/ -type d -exec chmod 755 {} \;
 +
~$ sudo find /var/www/html/website.com/  -type f -exec chmod 644 {} \; </nowiki>
 +
 
 +
=Configuring Email=
 +
==SELinux==
 +
With SELinux enabled, I found that I needed to grant httpd permission to both send mail and make network connections.
 +
<br>Check if sendmail and network connections are allowed for HTTPD
 +
<nowiki>~$ getsebool httpd_can_sendmail
 +
httpd_can_sendmail --> off
 +
~$ getsebool httpd_can_network_connect
 +
httpd_can_network_connect --> off</nowiki>
 +
<br>Allow HTTPD sendmail and network connections.  These commands can take some time, they took me around 30 seconds each to complete.
 +
<nowiki>~$ setsebool -P httpd_can_sendmail 1
 +
~$ setsebool -P httpd_can_network_connect 1</nowiki>
 +
 
 +
==WP Mail SMTP==
 +
While wordpress does have a default PHP Mailer built in, if you have security restrictions or are behind a dynamic ip (residential), you will need to be able to send mail through a SMTP server rather than directly out.  I've found that [https://wordpress.org/plugins/wp-mail-smtp/ this wordpress plug in, WP Mail SMTP] did the job very well.<br>
 +
When configuring it, make sure not to enter in your password (it is not needed to save the other settings).  Instead you will want to put the password in a secure location, such as <code>wp-config.php</code>
 +
<nowiki>~$ vim /var/www/html/website.com/wp-config.php
 +
...
 +
/** Email Authentication */
 +
define( 'WPMS_ON', true );
 +
define( 'WPMS_SMTP_PASS', 'your email password' );</nowiki>
 +
 
 +
==Sending custom domain email using Gmail==
 +
Gmail allows you to send mail as any other email address so long as you can complete these requirements:
 +
*have an active gmail account
 +
*be able to receive an email at the alternate email address and click the corresponding confirmation link
 +
To do this, you can [https://productforums.google.com/forum/#!topic/gmail/R4vrbItLTX0 follow these steps]
 +
#log into your gmail account and go to app passwords.
 +
#create a new mail app password; copy the 16 digit app password
 +
#go to the gmail settings and select the option to add another email address you own, making sure to specify a different "reply-to" address.
 +
#when you add the account, gmail will send a confirmation email to the alternate email address.  You will have to log into that mailbox and click the confirmation link.
 +
That's it, you're done!  You can now send mail through SMTP (or Gmail) as your new alternate address.  Since you selected that the "reply-to" address would be the same as your alternate, all email will return to that address, so make sure you have your forwards in place properly.
 +
 
 +
 
 +
=Increase Max Upload Size=
 +
None of the suggestions online worked for me, but I found that this did:<br>
 +
Find <code>php.ini</code> location
 +
<nowiki>~$ php -i | grep "Loaded Configuration File"
 +
Loaded Configuration File => /etc/php.ini</nowiki>
 +
Find and change <code>upload_max_filesize</code>
 +
<nowiki>~$ sudo vim /etc/php.ini
 +
...
 +
; Maximum allowed size for uploaded files.
 +
; http://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize
 +
upload_max_filesize = 10M</nowiki>
 +
Additional knowledge: For list of php settings and values, create a file within your site's root directory and add this line:
 +
<nowiki>~$ sudo vim /var/www/html/website.com/info.php
 +
<?php phpinfo(); ?></nowiki>
 +
Now browse to your website and load the new file: <code>www.website.com/info.php</code>
 +
 
 +
=Hardening=
 +
Here are some basic recommended hardening steps recommended by Automattic
 +
 
 +
==Disable File Editting==
 +
<nowiki>~$ vim /var/www/html/website.com/wp-config.php
 +
## Disable Editing in Dashboard
 +
define('DISALLOW_FILE_EDIT', true);</nowiki>
 +
 
 +
==2 Factor Authentication==
 +
Here is a recommended plugin for 2 factor authentication which works with Authy/Google Authenticator clients.<br>
 +
[https://wordpress.org/plugins/miniorange-2-factor-authentication/ https://wordpress.org/plugins/miniorange-2-factor-authentication/]
 +
 
 +
=Debugging=
 +
In the case that you need to debug, find these lines (or add them) and set them to <code>true</code>
 +
<nowiki>~$ sudo vim /var/www/html/website.com/wp-config.php
 +
...
 +
/** If debugging is needed, set these to true */
 +
define('WP_DEBUG', true);
 +
define('WP_DEBUG_LOG', true);</nowiki>
 +
If the errors are logged, you will see a new file called <code>debug.log</code> get created here
 +
<nowiki>~$ ls /var/www/html/website.com/wp-content/debug.log
 +
/var/www/html/website.com/wp-content/debug.log</nowiki>
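Review bot: in the Install Wordpress block, the added line "~$ sudo rm -r var/www/html/website.com/wordpress/" is missing its leading slash, so the path resolves against the current directory and the extracted folder is not removed unless the command is run from /; it should read /var/www/html/website.com/wordpress/. In the ==wp-config.php== block under =Update Configuration=, define('FS_METHOD', 'direct') is added next to FTP_PUBKEY, FTP_PRIKEY and FTP_HOST while the text says the settings exist to use the new user and SSH keys; with the direct method those connection constants are not consulted, so either the method or the key setup should change. Two smaller points: "~$ ~$ vim" in ==Configure Wordpress== has a doubled prompt, and LoadModule sits inside <VirtualHost *:443>, where Apache does not accept it.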

Latest revision as of 07:03, 11 February 2018

Installation done on CentOS 6.9

Download required packages

~$ sudo yum install mysql-server php php-mysql -y mod_ssl

Date

Make sure your date/time is set correctly

~$ sudo date -s "5 FEB 2018 18:54:00"

Setup MySQL

Start MySQL

~$ sudo service mysqld start

Set the root password

~$ sudo /usr/bin/mysql_secure_installation 
Enter current password for root (enter for none):
Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

Configure MySQL

~$ mysql -u root -p
mysql> CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';
mysql> CREATE DATABASE wordpress;
mysql> -- The password is set once, in CREATE USER above. The account only needs
mysql> -- rights on its own database, so no GRANT OPTION is given.
mysql> GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';

Install WordPress

~$ sudo mkdir /opt/wordpress && sudo wget -O /opt/wordpress/wordpress-4.9.2.tar.gz https://wordpress.org/latest.tar.gz
~$ sudo mkdir /var/www/html/website.com
~$ sudo tar -C /var/www/html/website.com/ -zxf /opt/wordpress/wordpress-4.9.2.tar.gz
~$ sudo cp -r /var/www/html/website.com/wordpress/* /var/www/html/website.com/
~$ sudo rm -r /var/www/html/website.com/wordpress/

Configure WordPress

~$ sudo cp /var/www/html/website.com/wp-config-sample.php /var/www/html/website.com/wp-config.php
~$ sudo vim /var/www/html/website.com/wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

/** MySQL hostname */
define('DB_HOST', 'localhost');

It is also a good idea to set unique keys and salts for your authentication and cookies. Go to https://api.wordpress.org/secret-key/1.1/salt/ and it will automatically generate random values; use your own generated values rather than copying the sample ones shown below. You can change these at any time to invalidate all cookies that have been given out, forcing users to log back in.

 ~$ vim /var/www/html/website.com/wp-config.php
...
define('AUTH_KEY',         'mMHx%-{<+&.P~c27Yw;jQ*,bp*%W4vPF#/vo_[Q`My07j*zXj27PRumC-|4mhCV)');
define('SECURE_AUTH_KEY',  'cu#`Jh,?^}jh%~#NE/:hzB<iCMf$@D| 4/ov|-OHrA=`/%? k15|T}k^kl2%ZaGP');
define('LOGGED_IN_KEY',    'w!Ur~brqVe~B]-M^^YQ]gc[oo9oKsg.M//TH=k#mf_#Kq>AKbMih|B(8yuE`~dlI');
define('NONCE_KEY',        '(+1vx]Q;)%&3Z}j1[${Q#/F5i465kTrOEG{hyM<|dv hfV2U%|@M6m|Fn9EnE1}^');
define('AUTH_SALT',        'W((kWAX/0`-VZ`#30)0]:&D}c0KZg|aMhF5=L6wtJotRA2}DeD;,(YC_m67aq) W');
define('SECURE_AUTH_SALT', 'D?fyi DhO&98g,R^+h[= XyeEp+Y?WcNDUv@!:1^PoNUD4xa|ko/a}mK*0i!w3{b');
define('LOGGED_IN_SALT',   '}=JeV6A!uhkMC2hYH2Bwr-ME%|nnr!rvPH9Lt/S8Z%i>Z5s=<%x4F[NsUl3`Q.m{');
define('NONCE_SALT',       'H4{=At.DFY+rUv{~L|fKbn/]W_UY-`EcUc`Su$LU|wdI@qi/>*z~g!qB+;/K|asG');
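
Rotating the keys can also be scripted. The following is an added example, not part of the original wiki page: instead of pasting from the API URL above, it generates the eight values locally from /dev/urandom and rewrites the matching define() lines in place. The function names are made up for this example, and it assumes each define starts at the beginning of a line with a single-quoted name, as in wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the original page): replace the eight secret keys and
# salts in wp-config.php with values generated locally.

WP_SECRET_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 random bytes, hex-encoded: 64 characters with nothing that needs escaping
# inside a single-quoted PHP string or a sed replacement.
new_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# rotate_wp_secrets FILE: rewrite every define('<NAME>', ...) line for the names
# above. Returns 1 without touching FILE if any of the eight constants is missing.
rotate_wp_secrets() {
    config=$1
    [ -f "$config" ] || { echo "no such file: $config" >&2; return 1; }
    for name in $WP_SECRET_NAMES; do
        grep -q "^define( *'$name' *," "$config" || {
            echo "missing constant: $name" >&2; return 1; }
    done

    work=$(mktemp) || return 1          # mktemp files are mode 600
    next=$(mktemp) || { rm -f "$work"; return 1; }
    cat "$config" > "$work"
    for name in $WP_SECRET_NAMES; do
        value=$(new_secret)
        sed "s/^define( *'$name' *,.*/define('$name', '$value');/" "$work" > "$next"
        cat "$next" > "$work"
    done

    # Write back into the existing file so its owner and mode are preserved.
    cat "$work" > "$config"
    rm -f "$work" "$next"
}

# Run directly as: sudo sh rotate-secrets.sh /var/www/html/website.com/wp-config.php
if [ "$#" -gt 0 ]; then
    rotate_wp_secrets "$1"
fi
```

Every logged-in session is invalidated as soon as the file is rewritten, which is the effect described above.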

HTTPD Configuration

If you've already got a site set up, you may already have httpd configured. If not, it's fairly easy.

If you're going with a subsite configuration, the virtual host file is going to be simple and only point to the site's root directory.

HTTP

 ~$ sudo vim /etc/httpd/conf.d/website.com.conf
 add:
 <VirtualHost *:80>
         ServerName website.com
         ServerAdmin [email protected]
         DocumentRoot /var/www/html/website.com/
         TransferLog /var/log/httpd/website.com-access_log
         ErrorLog /var/log/httpd/website.com-error_log
 </VirtualHost>

HTTPS

 ~$ sudo vim /etc/httpd/conf.d/website.com.conf
 add:
# LoadModule is only valid at server level, not inside <VirtualHost>.
# Skip these two lines if /etc/httpd/conf.d/ssl.conf (installed by mod_ssl) already has them.
LoadModule ssl_module modules/mod_ssl.so
Listen 443

<VirtualHost *:443>
        ServerName website.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/html/website.com
        TransferLog /var/log/httpd/website.com-access_log
        ErrorLog /var/log/httpd/website.com-error_log
        # debug is very verbose; drop back to warn once the site works
        LogLevel debug

        #SSL
        SSLEngine On
        SSLCertificateFile /etc/pki/tls/certs/localhost.crt
        SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

Update Configuration

With the site up and running, we need to configure WordPress to be able to do its own updates.

SSH Keys

First we want to create a new user and the corresponding SSH keys it will be using (no password).

~$ sudo adduser wp-user
~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096
hit enter through the passphrase prompts
It should then confirm it has created the keys and their location.
default is: /home/wp-user/.ssh/id_rsa and /home/wp-user/.ssh/id_rsa.pub

wp-config.php

Next we need to update the WordPress configuration file with the settings needed to use this new user and SSH keys. You will need to add the following lines:

~$ sudo vim /var/www/html/website.com/wp-config.php
...
/** Update authentication */
// With FS_METHOD set to 'direct', WordPress writes files itself as the httpd user;
// the FTP_* settings below are only read by the ftpext, ftpsockets and ssh2 methods.
define('FS_METHOD', 'direct');
define('FTP_BASE', '/var/www/html/website.com/');
define('FTP_CONTENT_DIR', '/var/www/html/website.com/wp-content/');
define('FTP_PLUGIN_DIR', '/var/www/html/website.com/wp-content/plugins/');
define('FTP_THEMES_DIR', '/var/www/html/website.com/wp-content/themes/');
define('FTP_PUBKEY','/home/wp-user/.ssh/id_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/.ssh/id_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','localhost:22');

Configure Folders and Permissions

WordPress needs the appropriate permissions set up in order to load content properly, as well as to perform updates properly.

To determine what user/group your httpd uses, you can run this command.

~$ egrep -i '^user|^group' /etc/httpd/conf/httpd.conf
User apache
Group apache

Create the upload directory

~$ sudo mkdir -p /var/www/html/website.com/wp-content/uploads

Set ownership and file/folder permissions

~$ sudo chown -R apache:apache /var/www/html/website.com/
~$ sudo find /var/www/html/website.com/ -type d -exec chmod 755 {} \;
~$ sudo find /var/www/html/website.com/ -type f -exec chmod 644 {} \;
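
A post-install check for the tree this page builds, as an added example rather than part of the original wiki page: it reports anything that deviates from the 755/644 modes set above, a world-readable wp-config.php (which holds DB_PASSWORD and, later on this page, WPMS_SMTP_PASS), the info.php and debug.log files created in later sections, and PHP files under uploads. The function name and finding labels are made up for this example, and the 640 suggestion for wp-config.php is this example's assumption, not the page's.

```shell
#!/bin/sh
# Added example (not from the original page): audit a WordPress tree after the
# install steps. Findings are printed one per line as "<check>: <path>".

audit_wp_tree() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # The page sets 755 on directories and 644 on files; report anything else.
        find "$root" -type d ! -perm 755 | sed 's/^/dir-mode: /'
        find "$root" -type f ! -perm 644 ! -name wp-config.php |
            sed 's/^/file-mode: /'

        # wp-config.php carries the database and SMTP passwords, so it should
        # not be readable by "other" (for example 640 with group apache).
        find "$root" -maxdepth 1 -type f -name wp-config.php -perm -004 |
            sed 's/^/config-world-readable: /'

        # Leftovers from the phpinfo() and WP_DEBUG_LOG sections of this page.
        find "$root" -maxdepth 1 -type f -name info.php |
            sed 's/^/phpinfo-left-behind: /'
        find "$root/wp-content" -maxdepth 1 -type f -name debug.log 2>/dev/null |
            sed 's/^/debug-log-in-webroot: /'

        # Uploads should hold media only; PHP files there deserve a closer look.
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -name '*.php' |
                sed 's/^/php-in-uploads: /'
        fi
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sudo sh audit-wp.sh /var/www/html/website.com
if [ "$#" -gt 0 ]; then
    audit_wp_tree "$1"
fi
```

The function returns 0 when the tree is clean and 1 when there is at least one finding, so it can be dropped into a cron job or a deployment check.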

Configuring Email

SELinux

With SELinux enabled, I found that I needed to grant httpd permission to both send mail and make network connections.
Check if sendmail and network connections are allowed for HTTPD

~$ getsebool httpd_can_sendmail
httpd_can_sendmail --> off
~$ getsebool httpd_can_network_connect
httpd_can_network_connect --> off


Allow HTTPD sendmail and network connections. These commands can take some time; they took me around 30 seconds each to complete.

~$ sudo setsebool -P httpd_can_sendmail 1
~$ sudo setsebool -P httpd_can_network_connect 1

WP Mail SMTP

While WordPress does have a default PHP mailer built in, if you have security restrictions or are behind a dynamic IP (residential), you will need to be able to send mail through an SMTP server rather than directly out. I've found that this WordPress plugin, WP Mail SMTP (https://wordpress.org/plugins/wp-mail-smtp/), did the job very well.
When configuring it, make sure not to enter your password (it is not needed to save the other settings). Instead you will want to put the password in a secure location, such as wp-config.php.

~$ vim /var/www/html/website.com/wp-config.php
...
/** Email Authentication */
define( 'WPMS_ON', true );
define( 'WPMS_SMTP_PASS', 'your email password' );

Sending custom domain email using Gmail

Gmail allows you to send mail as any other email address so long as you can complete these requirements:

  • have an active Gmail account
  • be able to receive an email at the alternate email address and click the corresponding confirmation link

To do this, you can follow these steps (https://productforums.google.com/forum/#!topic/gmail/R4vrbItLTX0):

  1. Log into your Gmail account and go to app passwords.
  2. Create a new mail app password; copy the 16 digit app password.
  3. Go to the Gmail settings and select the option to add another email address you own, making sure to specify a different "reply-to" address.
  4. When you add the account, Gmail will send a confirmation email to the alternate email address. You will have to log into that mailbox and click the confirmation link.

That's it, you're done! You can now send mail through SMTP (or Gmail) as your new alternate address. Since you selected that the "reply-to" address would be the same as your alternate, all email will return to that address, so make sure you have your forwards in place properly.


Increase Max Upload Size

None of the suggestions online worked for me, but I found that this did:
Find php.ini location

~$ php -i | grep "Loaded Configuration File"
Loaded Configuration File => /etc/php.ini

Find and change upload_max_filesize

~$ sudo vim /etc/php.ini
...
; Maximum allowed size for uploaded files.
; http://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize
upload_max_filesize = 10M

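Additional knowledge: For a list of PHP settings and values, create a file within your site's root directory and add this line:

~$ sudo vim /var/www/html/website.com/info.php
<?php phpinfo(); ?>

Now browse to your website and load the new file: www.website.com/info.php. Delete the file once you have checked the values, since the phpinfo() output shows your server configuration to anyone who can load the page.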

Hardening

Here are some basic hardening steps recommended by Automattic

Disable File Editing

~$ vim /var/www/html/website.com/wp-config.php
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

2 Factor Authentication

Here is a recommended plugin for 2 factor authentication which works with Authy/Google Authenticator clients.
https://wordpress.org/plugins/miniorange-2-factor-authentication/

Debugging

In the case that you need to debug, find these lines (or add them) and set them to true

~$ sudo vim /var/www/html/website.com/wp-config.php
...
/** If debugging is needed, set these to true */
// Set both back to false when you are done: debug.log is written inside the web root.
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);

If the errors are logged, you will see a new file called debug.log get created here

~$ ls /var/www/html/website.com/wp-content/debug.log
/var/www/html/website.com/wp-content/debug.log