Differences

This shows you the differences between two versions of the page.

--- computing:selfhostedwp [2023/06/29 06:15] – oemb1905
+++ computing:selfhostedwp [2026/04/12 15:53] (current) – oemb1905
@@ Line 13: / Line 13: @@
 This tutorial is for setting up a self-hosted WordPress instance on Debian GNU/Linux. This tutorial assumes you have some familiarity setting up a LAMP stack. If you need help with that, check out [[https://wiki.haacksnetworking.com/doku.php?id=computing:apachesurvival|Apache Survival]]. Alright, let's install our LAMP stack and required/optional php modules. //Make sure to review what your instance requires and don't install or configure modules you don't need.//
-  sudo apt install apache2 mariadb-server php8.2 php-common php-cgi php-cli php-zip php-mysql php-mbstring php-intl php-fpm php-curl php-gd php-imagick php-xml php-xmlrpc php-soap php-opcache php-apcu php-bcmath memcached wget unzip
+  sudo apt install apache2 mariadb-server php8.4 php-common php-cgi php-cli php-zip php-mysql php-mbstring php-intl php-fpm php-curl php-gd php-imagick php-xml php-xmlrpc php-soap php-opcache php-apcu php-bcmath memcached wget unzip
-Sometimes dpkg can choose which version of php you want and it's not always the version you want. In those cases, you can explicitly specify the version you need as follows:
+Sometimes dpkg can choose which version of php you want and it's not always the version you want. In those cases, you can explicitly specify the version you need. Some packages are only available as ''php-xx'' so run the above command first and then the command below when those situations arise:
-  sudo apt-get install php8.2-{common,cgi,cli,zip,mysql,mbstring,intl,fpm,curl,gd,imagick,xml,xmlrpc,gpm,soap,opcache,apcu,bcmath}
+  sudo apt-get install php8.4-{common,cgi,cli,zip,mysql,mbstring,intl,fpm,curl,gd,imagick,xml,xmlrpc,soap,opcache,apcu,bcmath}
 Apache2 will set up a 000-default.conf automatically and your host should now resolve. Be sure to set up TLS with certbot. Here's my preferred method:
@@ Line 29: / Line 29: @@
   sudo apt remove libapache2-mod-php* --purge
+  sudo apt install php8.4-fpm php8.4-cgi
   sudo a2enmod ssl
   sudo a2enmod headers
   sudo a2enmod cache
   sudo a2enmod rewrite
   sudo a2enmod setenvif
+  sudo a2dismod php8.1
   sudo a2dismod php8.2
+  sudo a2dismod php8.3
   sudo a2dismod mpm_prefork
   sudo a2enmod mpm_event
   sudo a2enmod proxy
   sudo a2enmod proxy_fcgi
-  sudo a2enconf php8.2-fpm
+  sudo a2enconf php8.4-fpm
-  sudo a2enconf php8.2-cgi
+  sudo a2enconf php8.4-cgi
   sudo apache2ctl configtest
   sudo systemctl restart apache2
-  sudo systemctl restart php8.2-fpm
+  sudo systemctl restart php8.4-fpm
 There are two standard ways to configure php-fpm. One of those is to use ProxyPassReverse, however, this will disable the use of .htaccess in your WordPress root which is not ideal. The next common way which I prefer and use here, is to add a FilesMatch condition to your virtual host as follows. Within the <Include> and </Include> portion of your default-ssl.conf virtual host, add something like:
   <FilesMatch ".+\.ph(ar|p|tml)$">
-      SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
+      SetHandler "proxy:unix:/run/php/php8.4-fpm.sock|fcgi://localhost"
   </FilesMatch>
@@ Line 97: / Line 100: @@
 Let's now shell into our instance and set up WordPress.
-  ssh root@wordpress.com
+  ssh root@site1.com
-  mkdir Downloads
-  cd ~/Downloads
-  mkdir wpdownload
-  cd wpdownload
   curl -O https://wordpress.org/latest.tar.gz
   tar xzvf latest.tar.gz
-  touch ~/Downloads/wpdownload/wordpress/.htaccess
+  mv wordpress /var/www/site1.com/public_html
-  sudo chmod 640 ~/Downloads/wpdownload/wordpress/.htaccess
-  cp ~/Downloads/wpdownload/wordpress/wp-config-sample.php ~/Downloads/wpdownload/wordpress/wp-config.php
-  mkdir ~/Downloads/wpdownload/wordpress/wp-content/upgrade
 Okay, we will need the files and directories I created once we get it running.  Now, let's move the wordpress directory to the proper location for self-hosting.
   sudo mv ~/Downloads/wpdownload/wordpress /var/www/site1.com/public_html
-When the website is in production, use these permissions:
+Now, create proper permissions for your Word Press directories and files:
-  sudo chown -R www-data:www-data /var/www/wordpress.com/public_html
+  sudo chown -R www-data:www-data /var/www/site1.com/public_html
   sudo find /var/www/site1.com/public_html -type d -exec chmod g+s {} \;
   sudo chmod 755 /var/www/site1.com/public_html/wp-content
@@ Line 144: / Line 140: @@
 After isntalling memcached and enabling those modules, navigate to your web root and adjust your .htaccess as follows:
-  <IfModule mod_expires.c>
+<code>
-          ExpiresActive On
+<IfModule mod_expires.c>
-          ExpiresByType image/jpg "access 1 year"
+    ExpiresActive On
-          ExpiresByType image/jpeg "access 1 year"
+    ExpiresByType image/jpg "access 1 year"
-          ExpiresByType image/gif "access 1 year"
+    ExpiresByType image/jpeg "access 1 year"
-          ExpiresByType image/png "access 1 year"
+    ExpiresByType image/gif "access 1 year"
-          ExpiresByType text/css "access 1 week"
+    ExpiresByType image/png "access 1 year"
-          ExpiresByType text/html "access 1 month"
+    ExpiresByType text/css "access 1 week"
-          ExpiresByType text/x-javascript "access 1 week"
+    ExpiresByType text/html "access 1 month"
-          ExpiresDefault "access 1 month"
+    ExpiresByType text/x-javascript "access 1 week"
-  </IfModule>
+    ExpiresDefault "access 1 month"
+</IfModule>
+</code>
-  <IfModule mod_rewrite.c>
+<code>
-          RewriteEngine On
+<IfModule mod_rewrite.c>
-          RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+    RewriteEngine On
-          RewriteBase /
+    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-          RewriteRule ^index\.php$ - [L]
+    RewriteBase /
-          RewriteCond %{REQUEST_FILENAME} !-f
+    RewriteRule ^index\.php$ - [L]
-          RewriteCond %{REQUEST_FILENAME} !-d
+    RewriteCond %{REQUEST_FILENAME} !-f
-          RewriteRule . /index.php [L]
+    RewriteCond %{REQUEST_FILENAME} !-d
-          <FilesMatch "\.(js|css|jpe?g|png|gif|eot|otf|svg|ttf|woff2?)$">
+    RewriteRule . /index.php [L]
-                  Header set Timing-Allow-Origin "*"
+    <FilesMatch "\.(js|css|jpe?g|png|gif|eot|otf|svg|ttf|woff2?)$">
-          </FilesMatch>
+        Header set Timing-Allow-Origin "*"
-  </IfModule>
+    </FilesMatch>
+</IfModule>
+</code>
+<code>
+<IfModule mod_headers.c>
+    # X-origin core security headers
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    # HSTS
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
+    # Feature Policy
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), fullscreen=*"
+    # Cross Origin Openerand Embedder policies permissive for Gutenberg/iframes
+    Header always set Cross-Origin-Opener-Policy "same-origin-allow-popups"
+    Header always set Cross-Origin-Embedder-Policy "unsafe-none"
+    # Cache and download protections; limited to dynamic files
+    <FilesMatch "\.(php|html)$">
+        Header set X-Download-Options "noopen"
+        Header set X-Permitted-Cross-Domain-Policies "none"
+        Header set Pragma "no-cache"
+        Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
+    </FilesMatch>
+    # Safe CSP for WordPress + Gutenberg
+    <FilesMatch "\.(php|html)$">
+        Header set Content-Security-Policy "default-src 'self' https: data: blob:; \
+            script-src 'self' https: data: blob: 'unsafe-inline' 'unsafe-eval'; \
+            style-src 'self' https: data: 'unsafe-inline'; \
+            img-src 'self' https: data: blob:; \
+            font-src 'self' https: data:; \
+            connect-src 'self' https: data: blob:; \
+            frame-src 'self' https: data: blob:; \
+            media-src 'self' https: data: blob:; \
+            object-src 'none'; \
+            base-uri 'self'; \
+            form-action 'self'; \
+            upgrade-insecure-requests;"
+    </FilesMatch>
+</IfModule>
+</code>
+I was getting a stubborn TLS redirect error for images. To address this, I went into ''/wp-content/themes/mytheme/header.php'' and added:
+  /** added this to secure images **/
+  <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
-  <IfModule mod_headers.c>
-          Header always set X-Content-Type-Options "nosniff"
-          <IfModule mod_setenvif.c>
-                  SetEnvIf Origin "^(.+)$" CORS=$0
-          </IfModule>
-          Header set Access-Control-Allow-Origin %{CORS}e env=CORS
-          Header set Access-Control-Allow-Credentials "true" env=CORS
-          <FilesMatch "\.(php|html)$">
-                  Header set X-Frame-Options "ALLOW"
-                  Header set X-XSS-Protection "0"
-                  Header set X-Download-Options "noopen"
-                  Header set X-Permitted-Cross-Domain-Policies "none"
-                  Header set X-DNS-Prefetch-Control "on"
-                  Header set Pragma "no-cache"
-                  Header set Age "0"
-                  Header set Cache-Control ""
-                  Header set Strict-Transport-Security "max-age=0" env=HTTPS
-                  Header set Referrer-Policy ""
-                  Header set Cross-Origin-Embedder-Policy "unsafe-none"
-                  Header set Cross-Origin-Opener-Policy "unsafe-none"
-                  Header set Report-To '{"max_age": 0, "endpoints": [{"url": ""}]}'
-                  Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"
-                  Header set Referrer-Policy "no-referrer-when-downgrade"
-                  Header set Feature-Policy "camera 'none'; fullscreen 'self'; geolocation *; microphone 'self' https://plaza.pvpfrontier/*"
-          </FilesMatch>
-  </IfModule>
-Personally, I don't think anyone should be using ftp. Sftp is fine, and if someone needs that, here's an example of a simple sftp server using proftp:
+Personally, I don't think anyone should be using ftp. Sftp is fine, and if someone needs that, here's an example of a simple sftp server using proftp. Note: you can also just use ssh nowadays as openssh-server includes a ready made sftp server. I retain this for historical knowledge.
   sudo apt install proftpd ftp ftp-ssl
@@ Line 224: / Line 241: @@
 Refresh WordPress and it should see the sftp server and allow you to make changes that way. Note: The sftp server is public and anyone can access this with proper credentials even if it not for WordPress so use a proper password and make sure your TLS configuration is working. Your instance should now be pretty solid. The only other thing you might want is more than one WordPress site subdomain, for example, site1.cooldomain.com, site2.cooldomain.com, etc. If that's the case, then hop on over to my [[https://wiki.haacksnetworking.com/doku.php?id=computing:wpmultisite|Word Press Multisite]] tutorial.
- --- //[[jonathan@haacksnetworking.org|oemb1905]] 2023/06/29 06:03//
+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2026/04/12 15:47//

Haack's Wiki

User Tools

Site Tools

Differences

Page Tools