WordPress Script: Post-Installation Tasks

Manual Post-Installation Tasks

The following tasks are done within the WordPress jail:

  1. Securing MariaDB
  2. Authentication Unique Keys and Salts
  3. Configure WordPress for Reverse Proxy
  4. Setup the WordPress Filesystem
  5. Configure Redis
  6. Configure sSMTP
  7. Test sSMTP
  8. Configure phpMyAdmin

There is the opportunity to incorporate some of the above within the WordPress script. For more information, refer to the post WordPress Script: Opportunities for Improvement.

1. Securing MariaDB

Edit 2020-10-26: Addressed in installation script version 1.4.6.

Assuming your WordPress jail is named wordpress, note the DB root password cat /root/wordpress_db_password.txt. You will need this to secure the MariaDB.

Use a terminal to enter the jail iocage console wordpress.

Run the script /usr/local/bin/mysql_secure_installation making use of the DB root password noted previously.

Is it worthwhile assimilating this into the WordPress script? I’m not so sure and have therefore left it out.

2. Authentication Unique Keys and Salts

Edit 2020-10-26: Addressed in installation script version 1.4.7.

Click on https://api.wordpress.org/secret-key/1.1/salt/ and then replace the relevant section in wp-config.php.

cd /usr/local/www/wordpress && ee wp-config.php

This is another bit I didn’t think warranted including in the WordPress script.

3. Configure WordPress for Reverse Proxy

Edit 2020-10-18: Addressed in installation script version 1.4.4.

Add these line to the top of the file wp-config.php below <?php.

define('FORCE_SSL_ADMIN', true); 
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
  $_SERVER['HTTPS']='on';

Now, I’d include this in the script if i knew how to.

Without the code above, attempting to run the WordPress wizard through a reverse proxy gives the following output…

With the code, the screen displays properly…

4. Setup the WordPress Filesystem

Edit 2020-10-18: Addressed in installation script version 1.4.4.

Find the line define('DB_PASSWORD', 'password'); in the file wp-config.php. Paste the following line below it and save the file.

define('FS_METHOD', 'direct');

Again, I’d include this in the script if I knew how to.

5. Configure Redis

Edit 2020-10-18: Addressed in installation script version 1.4.4.

Add the following code above the line /* That's all, stop editing! Happy publishing. */.

/* Set up Redis */
define( 'WP_REDIS_SCHEME', 'unix' );
define( 'WP_REDIS_PATH', '/var/run/redis/redis.sock' );
define( 'WP_REDIS_CLIENT', 'phpredis' );

Now save the file.

Note: For WordPress to use Redis, install and activate the Redis Object Cache plugin. Using the plugin, Enable Object Cache .

Ditto about scripting this in.

6. Configure sSMTP

Edit 2020-10-19: Partially addressed in installation script version 1.4.5.

First, edit the file /etc/mail/mailer.conf:

cd /etc/mail && ee mailer.conf

Locate the following lines:

sendmail        /usr/libexec/sendmail/sendmail
mailq           /usr/libexec/sendmail/sendmail
newaliases      /usr/libexec/sendmail/sendmail
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail

Replace these lines with:

sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/local/sbin/ssmtp
newaliases      /usr/local/sbin/ssmtp
hoststat        /usr/bin/true
purgestat       /usr/bin/true

Ordinarily, this would lend itself to the use of substitution using SED, however, I’m stumped because of a TAB character between the command and path on each line.

Now edit the file /usr/local/etc/ssmtp/ssmtp.conf:

cd /usr/local/etc/ssmtp && ee ssmtp.conf

Enter your configuration details in the ssmtp.conf file. Modify this example to fit your situation:

MailHub=mail.example.com:465     # Mail server to connect to (port 465 is SMTP/SSL)
UseTLS=YES                       # Enable SSL/TLS 
AuthUser=john                    # Username for SMTP AUTH
AuthPass=Secret1                 # Password for SMTP AUTH 
FromLineOverride=YES             # Force the From: address to the user account 
Hostname=myhost.example.com      # Name of this host 
RewriteDomain=myhost.example.com # Where the mail will seem to come from 
Root=postmaster                  # Mail for [email protected] is redirected to [email protected]

For example:

7. Test sSMTP

Create a txt file ee test.txt with the following text, but remember to alter the email addresses.

To: [email protected] 
From: [email protected] 
Subject: Testmessage 
This is a test for sending

Run the command:

ssmtp -v [email protected] < test.txt

Status messages should indicated that the mail was sent successfully. If there are no errors, you can then check out [email protected] and make sure that email has been delivered successfully.

But, if you do get errors and don’t receive the email then check /var/log/maillog:

cat /var/log/maillog

Don’t exit the jail just yet.

8. Configure phpMyAdmin

Edit 2020-10-26: Addressed in installation script version 1.4.8.

From a browser, use the WordPress jail IP to go to the address http://jail_ip/phpmyadmin/setup and configure a database server host.

Click New server.

Click Apply.

Click Display.

Copy the text of the generated configuration file and paste it into the file /usr/local/www/phpMyAdmin/config.inc.php.

cd /usr/local/www/phpMyAdmin && ee config.inc.php

Save the file and then exit the jail exit.

Edit 2020/10/26: Using phpMyAdmin 5.0.2, it seems somewhere between MariaDB v10.3.23/PHP v7.4.10 and MariaDB v10.3.24/PHP v7.4.11, db root user can no longer (by default) log in to phpMyAdmin.

Note: Once you’ve placed the WordPress jail behind the reverse proxy, you will be able to log in to phpMyAdmin, with your database root wordpress username and password, using the jail FQDN instead of the jail IP e.g. https://blog.mydomain.com/phpmyadmin. I recommend you set up WordPress beforehand so you have something meaningful to look at in phpMyAdmin.

CAUTION

SECURITY NOTE: phpMyAdmin is an administrative tool that has had several remote vulnerabilities discovered in the past, some allowing remote attackers to execute arbitrary code with the web server’s user credential. All known problems have been fixed, but the FreeBSD Security Team strongly advises that any instance be protected with an additional protection layer, e.g. a different access control mechanism implemented by the web server as shown in the example. Do consider enabling phpMyAdmin only when it is in use.

One way to disable phpMyAdmin is to unlink it in the jail rm /usr/local/www/wordpress/phpmyadmin. This will disable access to phpMyAdmin via the well-known subdirectory path e.g. https://blog.mydomain.com/phpmyadmin. To reenable phpMyAdmin, link the subdirectory path again ln -s /usr/local/www/phpMyAdmin /usr/local/www/wordpress/phpmyadmin. Disable it again when finished.

Refer to Securing your phpMyAdmin installation for other means of securing phpMyAdmin.

Configure the Reverse Proxy

If using Caddy, the code block might look something like:

blog.mydomain.com {
  encode gzip
  reverse_proxy http://192.168.1.4
}

Set up WordPress

You’re now ready to do the famous five-minute WordPress installation. Do this by entering your WordPress site FQDN in a browser e.g. https://blog.mydomain.com

Configure Redis

For WordPress to use Redis, install and activate the Redis Object Cache plugin. Using the plugin, Enable Object Cache.

phpMyAdmin Considerations

Edit 2020-10-26: Addressed in installation script version 1.5.0.

You can log in to phpMyAdmin, with your database wordpress username and password, using the jail FQDN instead of the jail IP e.g. https://blog.mydomain.com/phpmyadmin. Follow the signposts to store phpMyAdmin configuration data in the phpmyadmin database.

References

  1. How to install WordPress
  2. Install WordPress with Nginx Reverse Proxy to Apache on Ubuntu 18.04 – Google Cloud
  3. SecureSSMTP
  4. Using Gmail SMTP to send email in FreeBSD
  5. Requirements — phpMyAdmin 5.1.0-dev documentation
  6. Mujahid Jaleel – My Life, My Blog
  7. Caching and Redis: Samuel Dowling – How to Install Nextcloud on FreeNAS in an iocage Jail with Hardened Security
  8. Redis Object Cache plugin for WordPress – Till Kruss
  9. How to Improve Your Site Performance Using Redis Cache on WordPress
  10. Some frequently asked questions about Predis
  11. Administration Over SSL
  12. Editing wp-config.php

Keep Reading

PreviousNext

Comments

Leave a Reply