Warning

This article is in process of being written by Tin.

Install PHP

Install the PHP Packages

...

Code Block (language: sql)

    EXIT

Setup WordPress

WordPress is incredibly easy to set up, and there are many shorter tutorials than this one.

This tutorial takes a more secure approach.

Warning

WordPress out of the box can be very quickly broken into. In fact, I personally go so far as to keep the Ubuntu firewall up with port 80 or 443 closed until WordPress is completely hardened. When the setup steps require using the browser, I use ssh tunnelling to access port 80 securely. A write-up of using ssh tunnelling should be added to the Bonsai Framework and linked or included here.

Install WordPress

Using a staff account, download and install WordPress,

...

Field: Site Title
Value: Krypton
Comment: We like to reference our domain name.

Field: Username
Value: PRDRGH01APP1
Comment: Do NOT use admin. You probably do not want to use the default admin for the username. WordPress (as of Sep 2012) out of the box has no facilities to stop dictionary attacks against the administration system, and admin will be the first username guessed by automated attacks. Here the Bonsai Framework uses the hostname, because the Bonsai Framework naming standard is not easily guessable but is still meaningful to the administrator. Also keep in mind that anything you put here will show up in the default site generated after the setup and is publicly accessible anyway.

Field: Password
Comment: As mentioned, WordPress has no facilities to stop dictionary attacks. On top of that, the default setup exposes your administrator account name on the Internet. Choose a very, very long and complex password. (Anyone know of a good site that shows how quickly an entered password would be broken with a dictionary attack? Put the link here.)

Field: Your E-mail
Value: admin@bonsaiframework.com
Comment: Even in a small company you should have a general support email box that only administrators have access to. Use that rather than your personal email address. This email address will be used for password recovery purposes.

Field: Privacy
Comment: This depends on the purpose of your website. Unless this is a private site that should not show up on Google, leave it checked.

Click "Install WordPress", which should result in a success screen. At this point you are actually done with the setup. Do not click "Log In".

Customize WordPress

At this point WordPress is already working. There are two urls to take note of:

URL: http://www.krypton.com/blog/
Purpose: You can hit this url right now and see a default working site. This url is hit

URL: http://www.krypton.com/blog/wp-admin/

Clicking "Log In" will take you to the WordPress Administration url.

Warning

Past this point is not yet organized or complete.

Lock Down WordPress

WordPress and PHP, simply due to their model, are inherently insecure when compared to more enterprise-oriented solutions.

...

Code Block (language: sql)

    SHOW GRANTS FOR 'wpkryptonuser'@'localhost';
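The SHOW GRANTS check above only tells you something if you know what the grants should look like. The following is an added example (not from the original page or the Bonsai Framework) that puts the weak grant beside a least-privilege grant set for the same user and then verifies it; the database name wpkrypton and the password are assumptions.

```sql
-- Assumptions: database wpkrypton, user 'wpkryptonuser'@'localhost' as on the
-- page; the password is a placeholder to be replaced.

-- Weak setting: a global grant means a compromised WordPress (for example via
-- a bad plugin) can read or alter every database on the server.
-- GRANT ALL PRIVILEGES ON *.* TO 'wpkryptonuser'@'localhost';

-- Hardened setting: the user can only connect over the local socket and only
-- gets what WordPress needs (reads/writes plus the schema changes that core
-- and plugin upgrades perform), scoped to its own database.
CREATE USER 'wpkryptonuser'@'localhost'
  IDENTIFIED BY 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD';

-- Start from nothing, so any earlier over-broad grant on this user is removed.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wpkryptonuser'@'localhost';

GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, ALTER, INDEX
  ON wpkrypton.* TO 'wpkryptonuser'@'localhost';
-- Deliberately absent: FILE, SUPER, PROCESS, GRANT OPTION, anything on *.*.
FLUSH PRIVILEGES;

-- Verify. Apart from the bare "USAGE ON *.*" connection right, nothing other
-- than the wpkrypton.* line should be listed.
SHOW GRANTS FOR 'wpkryptonuser'@'localhost';

-- Cross-check against the grant tables: the first query should return no
-- rows beyond USAGE, the second only wpkrypton rows.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE GRANTEE = "'wpkryptonuser'@'localhost'";

SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = "'wpkryptonuser'@'localhost'";
```

Run the same SHOW GRANTS after every plugin or WordPress upgrade that asks for database changes, since that is when people are tempted to widen the grant.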

File Permissions

...

Warning

I need to work out what folders explicitly need permissions to perform uploads and plugin updates. Still to finalize placement of this section.

From the WordPress article Hardening WordPress, we might want to take the approach of creating accounts for select developers or release managers.

wp-config.php holds the database password and should be locked down (it is, thanks to the ACLs).

Info

Covered on the Ubuntu WordPress guide, for automatic updates to occur, the folder and all its files and sub-folders must be owned by www-data with write access. I'm not sure we will take this approach. I think I'd rather update manually.

...

Writing Next Topics

  • Repeat for the second instance.

FAQ

Why do some of the php5 installations say to use install libapache2-mod-php5?

...