WordPress/Installation/CentOS
Latest revision as of 07:03, 11 February 2018
Installation done on CentOS 6.9
Download required packages
~$ sudo yum install mysql-server php php-mysql mod_ssl -y
Date
Make sure your date/time is set correctly:
~$ date -s "5 FEB 2018 18:54:00"
Setup MySQL
Start MySQL:
~$ sudo service mysqld start
Set the root password:
~$ sudo /usr/bin/mysql_secure_installation
Enter current password for root (enter for none):
Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
Configure MySQL
~$ mysql -u root -p
mysql> CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'THISpasswordSHOULDbeCHANGED';
mysql> CREATE DATABASE wordpress;
-- CREATE USER already set the password; an IDENTIFIED BY clause on the GRANT with a
-- different value would silently overwrite it. WordPress only needs rights on its own
-- database, so WITH GRANT OPTION is left out.
mysql> GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';
Install WordPress
~$ sudo mkdir /opt/wordpress && sudo wget -O /opt/wordpress/wordpress-4.9.2.tar.gz https://wordpress.org/latest.tar.gz
~$ sudo mkdir /var/www/html/website.com
~$ sudo tar -C /var/www/html/website.com/ -zxf /opt/wordpress/wordpress-4.9.2.tar.gz
~$ sudo cp -r /var/www/html/website.com/wordpress/* /var/www/html/website.com/
~$ sudo rm -r /var/www/html/website.com/wordpress/
Configure WordPress
~$ sudo cp /var/www/html/website.com/wp-config-sample.php /var/www/html/website.com/wp-config.php
~$ sudo vim /var/www/html/website.com/wp-config.php
...
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
It would also be a good idea to salt your authentication keys and cookies. Go to https://api.wordpress.org/secret-key/1.1/salt/ and it will generate random salts. You can change these at any time to invalidate all cookies that have been issued, forcing users to log back in.
~$ sudo vim /var/www/html/website.com/wp-config.php
...
define('AUTH_KEY', 'mMHx%-{<+&.P~c27Yw;jQ*,bp*%W4vPF#/vo_[Q`My07j*zXj27PRumC-|4mhCV)');
define('SECURE_AUTH_KEY', 'cu#`Jh,?^}jh%~#NE/:hzB<iCMf$@D| 4/ov|-OHrA=`/%? k15|T}k^kl2%ZaGP');
define('LOGGED_IN_KEY', 'w!Ur~brqVe~B]-M^^YQ]gc[oo9oKsg.M//TH=k#mf_#Kq>AKbMih|B(8yuE`~dlI');
define('NONCE_KEY', '(+1vx]Q;)%&3Z}j1[${Q#/F5i465kTrOEG{hyM<|dv hfV2U%|@M6m|Fn9EnE1}^');
define('AUTH_SALT', 'W((kWAX/0`-VZ`#30)0]:&D}c0KZg|aMhF5=L6wtJotRA2}DeD;,(YC_m67aq) W');
define('SECURE_AUTH_SALT', 'D?fyi DhO&98g,R^+h[= XyeEp+Y?WcNDUv@!:1^PoNUD4xa|ko/a}mK*0i!w3{b');
define('LOGGED_IN_SALT', '}=JeV6A!uhkMC2hYH2Bwr-ME%|nnr!rvPH9Lt/S8Z%i>Z5s=<%x4F[NsUl3`Q.m{');
define('NONCE_SALT', 'H4{=At.DFY+rUv{~L|fKbn/]W_UY-`EcUc`Su$LU|wdI@qi/>*z~g!qB+;/K|asG');
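As an added example (not from the original page), the following shell script regenerates all eight keys and salts locally from /dev/urandom and rewrites them in wp-config.php, which gives the same cookie-invalidating rotation described above without fetching the secrets from a third-party URL. It assumes GNU sed and a wp-config.php laid out like wp-config-sample.php (one define('NAME', '...'); line per key); the file path is a parameter.

```shell
#!/bin/sh
# Added example, not the page's own code: rotate the WordPress keys/salts in place.
# Assumes GNU sed (for -i) and the wp-config-sample.php layout of the define() lines.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# gen_salt: 64 random alphanumerics (~381 bits of entropy). The alphabet is
# deliberately limited to characters that are safe inside a single-quoted PHP
# string and inside the sed replacement below (no ' \ / & | ).
gen_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# rotate_salts <wp-config.php>: replace the value of every key in WP_KEYS.
# Returns non-zero if a salt could not be generated or a line was not rewritten.
rotate_salts() {
    cfg="$1"
    for key in $WP_KEYS; do
        salt=$(gen_salt)
        [ ${#salt} -eq 64 ] || return 1
        # match define('KEY', '<anything>'); allowing the sample file's padding spaces;
        # KEY is anchored right after the opening parenthesis, so AUTH_KEY does not
        # also match SECURE_AUTH_KEY
        sed -i "s|define( *'$key', *'[^']*' *);|define('$key', '$salt');|" "$cfg"
        # verify the substitution actually landed before moving on
        grep -q "define('$key', '$salt');" "$cfg" || return 1
    done
}

# current_salt <wp-config.php> <KEY>: print the value currently defined for KEY
current_salt() {
    sed -n "s|.*define( *'$2', *'\([^']*\)' *);.*|\1|p" "$1"
}
```

Take a copy of wp-config.php before running rotate_salts on a live site; every logged-in user is signed out the moment the new values are saved.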
HTTPD Configuration
If you've already got a site set up, you may already have httpd configured. If not, it's fairly easy.
If you're going with a subsite configuration, the virtualhost file is going to be simple and only point to the site's root directory.
HTTP
~$ sudo vim /etc/httpd/conf.d/website.com.conf
add:
<VirtualHost *:80>
    ServerName website.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/website.com/
    TransferLog /var/log/httpd/website.com-access_log
    ErrorLog /var/log/httpd/website.com-error_log
</VirtualHost>
HTTPS
~$ sudo vim /etc/httpd/conf.d/website.com.conf
add:
# LoadModule is only valid at server level, not inside <VirtualHost>. On CentOS the
# mod_ssl package already ships /etc/httpd/conf.d/ssl.conf, which loads ssl_module and
# has its own "Listen 443"; if that file is present, leave these two lines out rather
# than declaring them twice.
LoadModule ssl_module modules/mod_ssl.so
Listen 443

<VirtualHost *:443>
    ServerName website.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/website.com
    TransferLog /var/log/httpd/website.com-access_log
    ErrorLog /var/log/httpd/website.com-error_log
    # "debug" is very chatty; drop back to "warn" once the site is working
    LogLevel debug

    #SSL
    SSLEngine On
    # localhost.crt/.key are the self-signed pair created when mod_ssl is installed;
    # replace them with a certificate issued for website.com before going live
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
Update Configuration
With the site up and running, we need to configure WordPress to be able to do its own updates.
SSH Keys
First we want to create a new user and the corresponding SSH keys it will be using (no passphrase).
~$ sudo adduser wp-user
~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096
hit enter through the passphrase prompts
It should then confirm it has created the keys and their location.
default is: /home/wp-user/.ssh/id_rsa and /home/wp-user/.ssh/id_rsa.pub
wp-config.php
Next we need to update the WordPress configuration file with the settings needed to use this new user and SSH keys. You will need to add the following lines:
~$ sudo vim /var/www/html/website.com/wp-config.php
...
/** Update authentication */
/* With FS_METHOD 'direct' WordPress writes files itself as the httpd user (which the
   ownership step in the next section makes possible) and the FTP_* / key settings below
   are not used. Set FS_METHOD to 'ssh2' (requires the PHP ssh2 extension, and wp-user's
   public key in /home/wp-user/.ssh/authorized_keys) if updates should go through
   wp-user instead. */
define('FS_METHOD', 'direct');
define('FTP_BASE', '/var/www/html/website.com/');
define('FTP_CONTENT_DIR', '/var/www/html/website.com/wp-content/');
define('FTP_PLUGIN_DIR', '/var/www/html/website.com/wp-content/plugins/');
define('FTP_THEMES_DIR', '/var/www/html/website.com/wp-content/themes/');
define('FTP_PUBKEY','/home/wp-user/.ssh/id_rsa.pub');
define('FTP_PRIKEY','/home/wp-user/.ssh/id_rsa');
define('FTP_USER','wp-user');
define('FTP_PASS','');
define('FTP_HOST','localhost:22');
Configure Folders and Permissions
WordPress needs the appropriate permissions set up in order to load content properly, as well as to perform updates properly.
To determine what user/group your httpd uses, you can run this command:
~$ egrep -i '^user|^group' /etc/httpd/conf/httpd.conf
User apache
Group apache
Create the upload directory:
~$ sudo mkdir /var/www/html/website.com/wp-content/uploads
Set ownership and file/folder permissions:
# pass the directory itself rather than website.com/*: the shell glob skips dotfiles such as .htaccess
~$ sudo chown -R apache:apache /var/www/html/website.com
~$ sudo find /var/www/html/website.com/ -type d -exec chmod 755 {} \;
~$ sudo find /var/www/html/website.com/ -type f -exec chmod 644 {} \;
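As an added example (not part of the original page), this shell function audits a document root against the layout just set (given owner and group, directories 755, files 644) and additionally flags wp-config.php unless it is 640 or 600, since the 644 applied by the blanket find leaves the database password and the salts readable by every local account. It assumes GNU find; the expected owner and group are parameters so it can be tried on a scratch tree without root.

```shell
#!/bin/sh
# Added example, not the page's own code: report every path under a WordPress
# document root that deviates from the expected ownership and modes.
# Assumes GNU find (-printf). Owner/group are parameters, e.g. "apache apache".

# audit_wp_perms <docroot> <owner> <group>
# Prints one "PROBLEM <path> <detail>" line per deviation.
audit_wp_perms() {
    root="$1"; owner="$2"; group="$3"
    # %y type letter, %m octal mode, %u/%g owner and group names, %p path (last, so
    # paths containing spaces survive the read below)
    find "$root" -printf '%y %m %u %g %p\n' | while read -r kind mode u g path; do
        if [ "$u" != "$owner" ] || [ "$g" != "$group" ]; then
            echo "PROBLEM $path owned by $u:$g, expected $owner:$group"
        fi
        case "$kind" in
            d) [ "$mode" = 755 ] || echo "PROBLEM $path dir mode $mode, expected 755" ;;
            f) case "$path" in
                   */wp-config.php)
                       # holds DB credentials and salts: must not be world-readable
                       [ "$mode" = 640 ] || [ "$mode" = 600 ] ||
                           echo "PROBLEM $path wp-config.php mode $mode, expected 640 or 600" ;;
                   *) [ "$mode" = 644 ] || echo "PROBLEM $path file mode $mode, expected 644" ;;
               esac ;;
        esac
    done
}

# count_wp_problems <docroot> <owner> <group>: number of deviations found (0 = clean)
count_wp_problems() {
    audit_wp_perms "$@" | grep -c '^PROBLEM ' || true
}
```

Run it as `audit_wp_perms /var/www/html/website.com apache apache` after the chown/chmod steps; anything it prints is a file the web server cannot serve or update as intended, or a secret exposed more widely than it should be.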
Configuring Email
SELinux
With SELinux enabled, I found that I needed to grant httpd permission to both send mail and make network connections.
Check if sendmail and network connections are allowed for HTTPD:
~$ getsebool httpd_can_sendmail
httpd_can_sendmail --> off
~$ getsebool httpd_can_network_connect
httpd_can_network_connect --> off
Allow HTTPD sendmail and network connections. These commands can take some time; they took me around 30 seconds each to complete.
~$ sudo setsebool -P httpd_can_sendmail 1
~$ sudo setsebool -P httpd_can_network_connect 1
WP Mail SMTP
While WordPress does have a default PHP mailer built in, if you have security restrictions or are behind a dynamic IP (residential), you will need to be able to send mail through an SMTP server rather than directly out. I've found that this WordPress plugin, WP Mail SMTP (https://wordpress.org/plugins/wp-mail-smtp/), did the job very well.
When configuring it, make sure not to enter your password in the plugin settings (it is not needed to save the other settings). Instead, put the password in a secure location, such as wp-config.php:
~$ sudo vim /var/www/html/website.com/wp-config.php
...
/** Email Authentication */
define( 'WPMS_ON', true );
define( 'WPMS_SMTP_PASS', 'your email password' );
Sending custom domain email using Gmail
Gmail allows you to send mail as any other email address so long as you can complete these requirements:
- have an active gmail account
- be able to receive an email at the alternate email address and click the corresponding confirmation link
To do this, you can follow these steps (https://productforums.google.com/forum/#!topic/gmail/R4vrbItLTX0):
- log into your gmail account and go to app passwords.
- create a new mail app password; copy the 16-digit app password
- go to the gmail settings and select the option to add another email address you own, making sure to specify a different "reply-to" address.
- when you add the account, gmail will send a confirmation email to the alternate email address. You will have to log into that mailbox and click the confirmation link.
That's it, you're done! You can now send mail through SMTP (or Gmail) as your new alternate address. Since you selected that the "reply-to" address would be the same as your alternate, all email will return to that address, so make sure you have your forwards in place properly.
Increase Max Upload Size
None of the suggestions online worked for me, but I found that this did:
Find the php.ini location:
~$ php -i | grep "Loaded Configuration File"
Loaded Configuration File => /etc/php.ini
Find and change upload_max_filesize:
~$ sudo vim /etc/php.ini
...
; Maximum allowed size for uploaded files.
; http://www.php.net/manual/en/ini.core.php#ini.upload-max-filesize
upload_max_filesize = 10M
; post_max_size, in the same file, must be at least as large, or uploads are still capped at the lower value
Restart httpd afterwards so mod_php picks up the change.
For a list of PHP settings and values, create a file within your site's root directory and add these lines:
~$ sudo vim /var/www/html/website.com/info.php
<?php
// phpinfo() shows paths, versions and settings to anyone who can load this URL,
// so delete the file once you have read it
phpinfo();
?>
Now browse to your website and load the new file: www.website.com/info.php
Hardening
Here are some basic hardening steps recommended by Automattic.
Disable File Editing
~$ sudo vim /var/www/html/website.com/wp-config.php
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
2 Factor Authentication
Here is a recommended plugin for 2 factor authentication which works with Authy/Google Authenticator clients:
https://wordpress.org/plugins/miniorange-2-factor-authentication/
Debugging
If you need to debug, find these lines (or add them) and set them to true:
~$ sudo vim /var/www/html/website.com/wp-config.php
...
/** If debugging is needed, set these to true */
/* debug.log is written under wp-content, inside the document root, so it can be fetched
   over HTTP; set both back to false and remove the log once you are done */
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
If the errors are logged, you will see a new file called debug.log get created here:
~$ ls /var/www/html/website.com/wp-content/debug.log
/var/www/html/website.com/wp-content/debug.log