This is an old revision of the document!
selfhostedwp
This tutorial is for setting up a self-hosted WordPress instance on Debian GNU/Linux. This tutorial assumes you already have a LAMP stack with active TLS. If not, you should read the Apache Survival tutorial first. Once you do that, begin with some common php extensions needed for Word Press to function well:
sudo apt install php-common php-cgi php-cli php-zip php-mysql php-mbstring php-intl php-fpm php-curl php-gd php-imagick php-xml php-xmlrpc php-soap php-opcache php-apcu php-bcmath memcached wget unzip
Alternately, you can specify the php version as follows:
sudo apt-get install php8.2-{common,cgi,cli,zip,mysql,mbstring,intl,fpm,curl,gd,imagick,xml,xmlrpc,gpm,soap,opcache,apcu,bcmath}
Okay, let's now enable fast cgi and rewrite php modules and then check your config.
sudo a2enmod rewrite sudo a2enmod proxy_fcgi sudo a2enconf php7.3-fpm sudo apache2ctl configtest
Move index.php to the top priority as follows:
sudo nano /etc/apache2/mods-enabled/dir.conf <DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm>
Optionally, we can install phpmyadmin, and if you do, you should secure as follows:
sudo htpasswd -c /etc/apache2/.phpmyadmin phpmyadmin sudo nano /usr/share/phpmyadmin/.htaccess
Enter the following in the file that opens:
<AuthType Basic> <AuthName "Restricted Files"> <AuthUserFile /etc/apache2/.phpmyadmin> <Require valid-user>
Close and save the file. Let's set up a database now for the WordPress instance:
sudo mysql -u root -p CREATE DATABASE databasename DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci; GRANT ALL ON databasename.* TO 'databaseuser'@'localhost' IDENTIFIED BY 'passwordhere'; FLUSH PRIVILEGES; EXIT;
Next up, it is time to allow overrides in your primary apache configuration:
sudo nano /etc/apache2/apache2.conf <Directory /var/www/> <AllowOverride All>
If you have not set the fully qualified domain name, you may get an error - that can safely be ignored unless you desire it. If you want to get rid of that, navigate to /etc/apache2/apache.conf
and enter a ServerName
. Otherwise, time to download Word Press:
cd ~/Downloads mkdir wpdownload cd wpdownload curl -O https://wordpress.org/latest.tar.gz tar xzvf latest.tar.gz touch ~/Downloads/wpdownload/wordpress/.htaccess sudo chmod 640 ~/Downloads/wpdownload/wordpress/.htaccess cp ~/Downloads/wpdownload/wordpress/wp-config-sample.php ~/Downloads/wpdownload/wordpress/wp-config.php mkdir ~/Downloads/wpdownload/wordpress/wp-content/upgrade
Okay, we will need the files and directories I created once we get it running. Now, let's move the wordpress directory to the proper location for self-hosting.
sudo mv ~/Downloads/wpdownload/wordpress /var/www/site1.com/public_html
Now, let's set up permissions and ownership:
sudo chown -R www-data:www-data /var/www/site1.com/public_html sudo find /var/www/site1.com/public_html -type d -exec chmod g+s {} \; sudo chmod 755 /var/www/site1.com/public_html/wp-content sudo chmod -R 755 /var/www/site1.com/public_html/wp-content/themes sudo chmod -R 755 /var/www/site1.com/public_html/wp-content/plugins
Ok, time to grab 'secure values' from WP.com and then set up wp-config.php
for the installation, and also enter in the database credentials from above:
curl -s https://api.wordpress.org/secret-key/1.1/salt/ sudo nano /var/www/site1.com/public_html/wp-config.php
Let's also add the following line to the wp-config.php
file for updates. Note: This only needs to be added if you are not using libapachemod sfaik.
sudo nano /var/www/site1.com/public_html/wp-config.php <define('FS_METHOD','direct');>
Visit wordpress site and configure by opening a web browser of your choice and entering site1.com. If you need more than one site, but do not want to set up a separate virtual host, for example using subdomain.site1.com
, then you should read Word Press Multisite. Optimizing WP is a different matter, for caching and header security, and other best practices, consider the following.
apt install memcached nano /etc/default/memcached a2enmod cache
Put this snippet under #Include /etc/proftpd/tls.conf
and then restart the service:
sudo systemctl restart proftpd.service
Optimizing and securing WordPress usually boils down to some cache and header settings. Cache and/or page expiry settings:
apt install memcached nano /etc/default/memcached a2enmod cache a2enmod expires
<IfModule mod_expires.c> ExpiresActive On ExpiresByType image/jpg "access 1 year" ExpiresByType image/jpeg "access 1 year" ExpiresByType image/gif "access 1 year" ExpiresByType image/png "access 1 year" ExpiresByType text/css "access 1 week" ExpiresByType text/html "access 1 month" ExpiresByType text/x-javascript "access 1 week" ExpiresDefault "access 1 month" </IfModule>
Enable re-writes:
a2enmod rewrite <IfModule mod_rewrite.c> RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] <FilesMatch "\.(js|css|jpe?g|png|gif|eot|otf|svg|ttf|woff2?)$"> Header set Timing-Allow-Origin "*" </FilesMatch> </IfModule>
Enable headers:
a2enmod headers <IfModule mod_headers.c> Header always set X-Content-Type-Options "nosniff" <IfModule mod_setenvif.c> SetEnvIf Origin "^(.+)$" CORS=$0 </IfModule> Header set Access-Control-Allow-Origin %{CORS}e env=CORS Header set Access-Control-Allow-Credentials "true" env=CORS <FilesMatch "\.(php|html)$"> Header set X-Frame-Options "ALLOW" Header set X-XSS-Protection "0" Header set X-Download-Options "noopen" Header set X-Permitted-Cross-Domain-Policies "none" Header set X-DNS-Prefetch-Control "on" Header set Pragma "no-cache" Header set Age "0" Header set Cache-Control "" Header set Strict-Transport-Security "max-age=0" env=HTTPS Header set Referrer-Policy "" Header set Cross-Origin-Embedder-Policy "unsafe-none" Header set Cross-Origin-Opener-Policy "unsafe-none" Header set Report-To '{"max_age": 0, "endpoints": [{"url": ""}]}' Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'" Header set Referrer-Policy "no-referrer-when-downgrade" Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://plaza.pvpfrontier/*" </FilesMatch> </IfModule>
Personally, I don't think anyone should be using ftp or even sftp right now, but many still do. If so, here's how to make an sftp server for updating WordPress that way:
You can optionally require an sftp server instead of using the default installer. Here's an example using proftp, which is still maintained:
sudo apt install proftpd ftp ftp-ssl cd /etc/proftpd sudo openssl req -new -x509 -days 7305 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem sudo nano /etc/proftpd/proftpd.conf a2enmod tls <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd-tls.log TLSProtocol TLSv1 # Are clients required to use FTP over TLS when talking to this server? TLSRequired off TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem # Authenticate clients that want to use FTP over TLS? TLSVerifyClient off TLSOptions NoSessionReuseRequired </IfModule>
— oemb1905 2023/06/29 04:09