WordPress Script: Post-Installation Tasks

Manual Post-Installation Tasks

The following tasks are done within the WordPress jail:

  1. Securing MariaDB
  2. Authentication Unique Keys and Salts
  3. Configure WordPress for Reverse Proxy
  4. Setup the WordPress Filesystem
  5. Configure Redis
  6. Configure sSMTP
  7. Test sSMTP
  8. Configure phpMyAdmin

There is the opportunity to incorporate some of the above within the WordPress script. For more information, refer to the post WordPress Script: Opportunities for Improvement.

1. Securing MariaDB

Edit 2020-10-26: Addressed in installation script version 1.4.6.

Assuming your WordPress jail is named wordpress, note the DB root password with cat /root/wordpress_db_password.txt. You will need this to secure MariaDB.

Use a terminal to enter the jail with iocage console wordpress.

Run the script /usr/local/bin/mysql_secure_installation making use of the DB root password noted previously.

Is it worthwhile assimilating this into the WordPress script? I’m not so sure and have therefore left it out.

2. Authentication Unique Keys and Salts

Edit 2020-10-26: Addressed in installation script version 1.4.7.

Click on https://api.wordpress.org/secret-key/1.1/salt/ and then replace the relevant section in wp-config.php.

cd /usr/local/www/wordpress && ee wp-config.php

This is another bit I didn’t think warranted including in the WordPress script.

3. Configure WordPress for Reverse Proxy

Edit 2020-10-18: Addressed in installation script version 1.4.4.

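Add these lines to the top of the file wp-config.php below <?php.

define('FORCE_SSL_ADMIN', true);
// The reverse proxy reports the client-facing scheme in X-Forwarded-Proto.
// isset() avoids an undefined-index warning when the header is absent.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
  $_SERVER['HTTPS']='on';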

Now, I’d include this in the script if I knew how to.

Without the code above, attempting to run the WordPress wizard through a reverse proxy gives the following output…

With the code, the screen displays properly…

4. Setup the WordPress Filesystem

Edit 2020-10-18: Addressed in installation script version 1.4.4.

Find the line define('DB_PASSWORD', 'password'); in the file wp-config.php. Paste the following line below it and save the file.

define('FS_METHOD', 'direct');

Again, I’d include this in the script if I knew how to.

5. Configure Redis

Edit 2020-10-18: Addressed in installation script version 1.4.4.

Add the following code above the line /* That's all, stop editing! Happy publishing. */.

/* Set up Redis */
define( 'WP_REDIS_SCHEME', 'unix' );
define( 'WP_REDIS_PATH', '/var/run/redis/redis.sock' );
define( 'WP_REDIS_CLIENT', 'phpredis' );

Now save the file.

Note: For WordPress to use Redis, install and activate the Redis Object Cache plugin. Using the plugin, Enable Object Cache.

Ditto about scripting this in.
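
One way to script the wp-config.php edits from sections 3 to 5, as an added example that is not part of the installation script or the original post. It assumes wp-config.php has <?php on its first line and still contains the DB_PASSWORD and "stop editing!" lines; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the installation script's code: apply the wp-config.php
# edits from sections 3-5 in one pass that is safe to rerun.

# PHP snippets for sections 3-5 (the proxy check guards the header with isset()).
PROXY_PHP=$(cat <<'EOF'
define('FORCE_SSL_ADMIN', true);
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
  $_SERVER['HTTPS']='on';
EOF
)
FS_PHP="define('FS_METHOD', 'direct');"
REDIS_PHP=$(cat <<'EOF'
/* Set up Redis */
define( 'WP_REDIS_SCHEME', 'unix' );
define( 'WP_REDIS_PATH', '/var/run/redis/redis.sock' );
define( 'WP_REDIS_CLIENT', 'phpredis' );
EOF
)
export PROXY_PHP FS_PHP REDIS_PHP

patch_wp_config() {
    conf="$1"
    # Skip any setting that is already present, so a rerun changes nothing.
    p=1; f=1; r=1
    grep -q 'FORCE_SSL_ADMIN' "$conf" && p=0
    grep -q 'FS_METHOD' "$conf" && f=0
    grep -q 'WP_REDIS_SCHEME' "$conf" && r=0
    [ "$p$f$r" = "000" ] && return 0
    tmp="$(mktemp "${conf}.XXXXXX")" || return 1
    awk -v p="$p" -v f="$f" -v r="$r" '
        r && /stop editing!/         { print ENVIRON["REDIS_PHP"]; r = 0 }
        { print }
        p && NR == 1 && /^<\?php/    { print ENVIRON["PROXY_PHP"]; p = 0 }
        f && /define\(.*DB_PASSWORD/ { print ENVIRON["FS_PHP"]; f = 0 }
        END { exit (p || f || r) }   # fail if an anchor line was never found
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup; cat preserves the owner and mode of the original file.
    cp -p "$conf" "${conf}.bak" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample standing in for a fresh wp-config.php.
write_sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_PASSWORD', 'password');
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}
```

Inside the jail the call would be patch_wp_config /usr/local/www/wordpress/wp-config.php; if an anchor line is missing the function returns non-zero and leaves the file untouched.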

6. Configure sSMTP

Edit 2020-10-19: Partially addressed in installation script version 1.4.5.

First, edit the file /etc/mail/mailer.conf:

cd /etc/mail && ee mailer.conf

Locate the following lines:

sendmail        /usr/libexec/sendmail/sendmail
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail

Replace these lines with:

sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/local/sbin/ssmtp
newaliases      /usr/local/sbin/ssmtp
hoststat        /usr/bin/true
purgestat       /usr/bin/true

Ordinarily, this would lend itself to the use of substitution using SED, however, I’m stumped because of a TAB character between the command and path on each line.
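
The mailer.conf replacement above can be scripted without caring about the TAB by matching on the first field with awk. This is an added example, not code from the installation script or the original post; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the installation script's code: point the mailwrapper
# entries in mailer.conf at sSMTP. awk splits on any run of TABs or spaces,
# so the separator between program name and path does not matter.

SSMTP_BIN="/usr/local/sbin/ssmtp"   # path used on this page

switch_mailer_to_ssmtp() {
    conf="$1"
    tmp="$(mktemp "${conf}.XXXXXX")" || return 1
    awk -v ssmtp="$SSMTP_BIN" '
        NF == 0 || $1 ~ /^#/ { print; next }      # keep blank lines and comments
        $1 == "sendmail" {                        # emit sendmail and send-mail together
            printf "sendmail\t%s\nsend-mail\t%s\n", ssmtp, ssmtp
            next
        }
        $1 == "send-mail" { next }                # already emitted above (rerun-safe)
        $1 == "mailq" || $1 == "newaliases"   { printf "%s\t%s\n", $1, ssmtp; next }
        $1 == "hoststat" || $1 == "purgestat" { printf "%s\t/usr/bin/true\n", $1; next }
        { print }                                 # anything else is left alone
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup; cat preserves the owner and mode of the original file.
    cp -p "$conf" "${conf}.bak" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample: stock entries, separated by a TAB or by spaces.
write_sample_mailer_conf() {
    {
        printf '# constructed sample of the stock file\n'
        printf 'sendmail\t/usr/libexec/sendmail/sendmail\n'
        printf 'mailq   \t/usr/libexec/sendmail/sendmail\n'
        printf 'newaliases      /usr/libexec/sendmail/sendmail\n'
        printf 'hoststat\t/usr/libexec/sendmail/sendmail\n'
        printf 'purgestat\t\t/usr/libexec/sendmail/sendmail\n'
    } > "$1"
}
```

Inside the jail the call would be switch_mailer_to_ssmtp /etc/mail/mailer.conf; the previous file is kept as mailer.conf.bak.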

Now edit the file /usr/local/etc/ssmtp/ssmtp.conf:

cd /usr/local/etc/ssmtp && ee ssmtp.conf

Enter your configuration details in the ssmtp.conf file. Modify this example to fit your situation:

MailHub=mail.example.com:465     # Mail server to connect to (port 465 is SMTP/SSL)
UseTLS=YES                       # Enable SSL/TLS 
AuthUser=john                    # Username for SMTP AUTH
AuthPass=Secret1                 # Password for SMTP AUTH 
FromLineOverride=YES             # Force the From: address to the user account 
Hostname=myhost.example.com      # Name of this host 
RewriteDomain=myhost.example.com # Where the mail will seem to come from 
Root=postmaster                  # Mail for root@ is redirected to postmaster@


7. Test sSMTP

Create a text file with ee test.txt containing the following text, but remember to alter the email addresses. The blank line separates the headers from the message body.

To: [email protected]
From: [email protected]
Subject: Testmessage

This is a test for sending

Run the command:

ssmtp -v [email protected] < test.txt

Status messages should indicate that the mail was sent successfully. If there are no errors, you can then check out [email protected] and make sure that email has been delivered successfully.

But, if you do get errors and don’t receive the email then check /var/log/maillog:

cat /var/log/maillog

Don’t exit the jail just yet.

8. Configure phpMyAdmin

Edit 2020-10-26: Addressed in installation script version 1.4.8.

From a browser, use the WordPress jail IP to go to the address http://jail_ip/phpmyadmin/setup and configure a database server host.

Click New server.

Click Apply.

Click Display.

Copy the text of the generated configuration file and paste it into the file /usr/local/www/phpMyAdmin/config.inc.php.

cd /usr/local/www/phpMyAdmin && ee config.inc.php

Save the file and then exit the jail with exit.

Edit 2020/10/26: Using phpMyAdmin 5.0.2, it seems somewhere between MariaDB v10.3.23/PHP v7.4.10 and MariaDB v10.3.24/PHP v7.4.11, db root user can no longer (by default) log in to phpMyAdmin.

Note: Once you’ve placed the WordPress jail behind the reverse proxy, you will be able to log in to phpMyAdmin, with your database wordpress username and password, using the jail FQDN instead of the jail IP e.g. https://blog.mydomain.com/phpmyadmin. I recommend you set up WordPress beforehand so you have something meaningful to look at in phpMyAdmin.

CAUTION

SECURITY NOTE: phpMyAdmin is an administrative tool that has had several remote vulnerabilities discovered in the past, some allowing remote attackers to execute arbitrary code with the web server’s user credential. All known problems have been fixed, but the FreeBSD Security Team strongly advises that any instance be protected with an additional protection layer, e.g. a different access control mechanism implemented by the web server as shown in the example. Do consider enabling phpMyAdmin only when it is in use.

One way to disable phpMyAdmin is to unlink it in the jail with rm /usr/local/www/wordpress/phpmyadmin. This disables access to phpMyAdmin via the well-known subdirectory path e.g. https://blog.mydomain.com/phpmyadmin. To re-enable phpMyAdmin, link the subdirectory path again with ln -s /usr/local/www/phpMyAdmin /usr/local/www/wordpress/phpmyadmin. Disable it again when finished.

Refer to Securing your phpMyAdmin installation for other means of securing phpMyAdmin.

Configure the Reverse Proxy

If using Caddy, the code block might look something like:

blog.mydomain.com {
  encode gzip
  reverse_proxy http://192.168.1.4
}

Set up WordPress

You’re now ready to do the famous five-minute WordPress installation. Do this by entering your WordPress site FQDN in a browser e.g. https://blog.mydomain.com

Configure Redis

For WordPress to use Redis, install and activate the Redis Object Cache plugin. Using the plugin, Enable Object Cache.

phpMyAdmin Considerations

Edit 2020-10-26: Addressed in installation script version 1.5.0.

You can log in to phpMyAdmin, with your database wordpress username and password, using the jail FQDN instead of the jail IP e.g. https://blog.mydomain.com/phpmyadmin. Follow the signposts to store phpMyAdmin configuration data in the phpmyadmin database.

