Introduction
As an application, WordPress is easy to use and feature rich. It has an established community and, in my opinion, the best selection of themes and the most usable blogging CMS software package available.
...
Initially I tried to make this work with ACL permissions, but the technology does not work as you would expect and is not workable. Instead, I will be looking at container technology to segregate accounts by container and mount file systems between containers.
Install Packages
Install the packages to run WordPress,
...
During the MySQL install, you will be prompted for the root administration database password. If following the Bonsai Framework, use your standard password algorithm based on the server name.
Directory and Permission Structure
This approach is more secure than most default WordPress setups. However, it has some limitations: administration of this directory structure is restricted to serveradmin.
...
If you want to grant ssh access, then wait for my next article which would allow this, but would require an additional layer of security.
Permission and Group Structure
We want website hosting for two different clients, The Daily Planet and LexCorp. Employees of each company will administer their own WordPress instance. Here is how the top level structure looks,
Directories required for PHP,
PHP Directory | Ownership | Files and Directory Permissions | Comment |
---|---|---|---|
/opt/web/ | serveradmin:www-data | rwXr-X--- | Main folder for all web related work. |
/opt/web/php/ | serveradmin:www-data | rwXr-X--- | Top level folder for PHP. |
/opt/web/php/tmp/ | serveradmin:www-data | rwXrwX--- | PHP requires write access to this folder for temporary files. |
/opt/web/php/logs/ | serveradmin:www-data | rwXrwX--- | PHP requires write access to this folder for log files. |
These directories are for WordPress,
WordPress Directory | Ownership | Files and Directory Permissions | Comment |
---|---|---|---|
/opt/web/php/dailyplanet.com/ | serveradmin:www-data | rwXr-X--- | Top level folder named by domain name. |
/opt/web/php/dailyplanet.com/blog/ | serveradmin:www-data | rwXr-X--- | Location of the WordPress instance for the domain name. We use this folder rather than just the domain name to allow for more advanced configuration (such as separating the website from static content). |
/opt/web/php/dailyplanet.com/blog/wp-admin/ | www-data:serveradmin | rwXrwX--- | Plugins and custom changes are managed through the WordPress interface and require write access. In addition, WordPress verifies that the user it runs as (in this case www-data) owns this directory, so the owner must be changed. There is a workaround if you prefer not to change the owner to www-data. |
/opt/web/php/dailyplanet.com/blog/wp-content/ | www-data:serveradmin | rwXrwX--- | Plugins and custom changes are managed through the WordPress interface and require write access. In addition, WordPress verifies that the user it runs as (in this case www-data) owns this directory, so the owner must be changed. There is a workaround if you prefer not to change the owner to www-data. |
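As an added check that is not part of the original page, the following shell script compares a directory tree against the ownership and modes in the two tables above; the helper names and the host layout it audits are assumptions for illustration.

```shell
# Added example, not part of the Bonsai Framework page: audit directories
# against the ownership and mode the tables above prescribe. The symbolic
# modes map to octal on directories as  rwXr-X--- -> 750  and  rwXrwX--- -> 770
# (the capital X grants execute, i.e. search, on directories only).

# check_entry PATH OWNER:GROUP OCTAL_MODE
# Prints one finding per mismatch; returns 1 if anything deviates.
check_entry() {
    path=$1; want_owner=$2; want_mode=$3; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    have_owner=$(stat -c '%U:%G' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER    $path is $have_owner, expected $want_owner"; rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE     $path is $have_mode, expected $want_mode"; rc=1
    fi
    # Any 'other' bit under /opt/web defeats the scheme, so flag it even
    # when it matches what the caller asked for.
    case "$have_mode" in
        *[1-7]) echo "OTHER    $path grants access to everyone ($have_mode)"; rc=1 ;;
    esac
    return $rc
}

# audit_tree reads "path owner:group mode" lines on stdin ('#' starts a
# comment) and checks each one; returns the number of entries that failed.
audit_tree() {
    failed=0
    while read -r p o m; do
        case "$p" in ''|\#*) continue ;; esac
        check_entry "$p" "$o" "$m" || failed=$((failed + 1))
    done
    return $failed
}
# The Daily Planet layout from the tables above, on a hypothetical server:
audit_tree <<'EOF' || echo "audit: $? entries deviate from the layout"
/opt/web                                      serveradmin:www-data 750
/opt/web/php                                  serveradmin:www-data 750
/opt/web/php/tmp                              serveradmin:www-data 770
/opt/web/php/logs                             serveradmin:www-data 770
/opt/web/php/dailyplanet.com                  serveradmin:www-data 750
/opt/web/php/dailyplanet.com/blog             serveradmin:www-data 750
/opt/web/php/dailyplanet.com/blog/wp-admin    www-data:serveradmin 770
/opt/web/php/dailyplanet.com/blog/wp-content  www-data:serveradmin 770
EOF
```

Run it after every chmod/chown step in this guide; the OTHER finding catches the common mistake of a 755 directory leaking site contents to every local account.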
web Folder
This is where everything starts for web related work,
...
Note: If we wanted to grant basic ssh access to manage static content, we could separate out another directory using the Apache directory directive here. That would also require loosening the web folder's permissions to allow access for others.
php Folders
This is where all PHP code will execute. In PHP-centric applications this will also be considered the web root for static files, and the virtual host configuration reflects this,
...
Finally, log off and log back in with your staff account for the group changes to take effect.
Configure PHP to Use Specified Folders
Edit php.ini to make use of the folders.
    sudo vi /etc/php5/apache2/php.ini
Set Running Directory
Search for the open_basedir line and modify it to include the directories set up for WordPress,
...
This confines PHP to the specified directories, which limits the amount of damage that can be done in the event that the application is compromised.
Set Temp Directory
Because open_basedir has been set, WordPress no longer has access to the general temporary folder it expects, which is required for certain operations (for example uploading plugins through the administrator web interface).
...
    ; Temporary directory for HTTP uploaded files (will use system default if not
    ; specified).
    ; http://php.net/upload-tmp-dir
    upload_tmp_dir = /opt/web/php/tmp/
Increasing The Upload Limit
The default upload limit is 2MB; the limit must be increased or uploads larger than 2MB will fail.
...
    ; Maximum size of POST data that PHP will accept.
    ; http://php.net/post-max-size
    post_max_size = 2M
Make Changes Take Effect
Restart Apache for the changes to take effect,
...
You will now find that PHP scripts will only run in the directories designated in php.ini.
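The php.ini steps above interact: once open_basedir is set, upload_tmp_dir must point inside it, and post_max_size must not be smaller than upload_max_filesize. This added shell check (not from the page) parses a php.ini and reports either mistake; the helper names and the sample fragment are constructed for illustration.

```shell
# Added example, not from the page: sanity-check the php.ini settings edited
# above. Assumes "key = value" lines with ';' comments, as in the stock Ubuntu
# php.ini, and treats each open_basedir entry as a directory prefix.
ini_get() {   # ini_get FILE KEY -> last active (uncommented) value of KEY
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*;.*$/, "", v)
            sub(/[ \t]*$/, "", v); gsub(/"/, "", v); val = v
        }
        END { print val }' "$1"
}
to_bytes() {   # to_bytes 8M -> 8388608, using the K/M/G shorthand PHP accepts
    n=${1%[KkMmGg]}; n=${n:-0}
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}
# check_php_ini FILE: returns 0 when upload_tmp_dir lies inside open_basedir
# and post_max_size >= upload_max_filesize; prints the reason otherwise.
check_php_ini() {
    f=$1; ok=0; inside=0
    basedir=$(ini_get "$f" open_basedir)
    tmpdir=$(ini_get "$f" upload_tmp_dir); tmpdir=${tmpdir:-/tmp}   # unset => system temp dir (assumed /tmp)
    if [ -n "$basedir" ]; then
        inside=1; oldifs=$IFS; IFS=:
        for d in $basedir; do
            case "$tmpdir" in "${d%/}"|"${d%/}"/*) inside=0 ;; esac
        done
        IFS=$oldifs
    fi
    [ $inside -eq 0 ] || { echo "upload_tmp_dir $tmpdir is outside open_basedir ($basedir): uploads will fail"; ok=1; }
    p=$(ini_get "$f" post_max_size); u=$(ini_get "$f" upload_max_filesize)
    p=${p:-8M}; u=${u:-2M}   # PHP's defaults when unset
    [ "$(to_bytes "$p")" -ge "$(to_bytes "$u")" ] || { echo "post_max_size ($p) is below upload_max_filesize ($u): larger uploads will be rejected"; ok=1; }
    return $ok
}
write_sample_ini() {   # constructed php.ini fragment mirroring this section's settings
    cat > "$1" <<'EOF'
; open_basedir = /var/www
open_basedir = "/opt/web/php:/usr/share/php"
upload_tmp_dir = /opt/web/php/tmp/
post_max_size = 8M
upload_max_filesize = 2M
EOF
}
f=$(mktemp); write_sample_ini "$f"; check_php_ini "$f" && echo "php.ini consistent"; rm -f "$f"
```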
Setup Website Root
Each website will have its own root folder under /opt/web/php/,
    sudo mkdir /opt/web/php/dailyplanet.com
    sudo chown -R serveradmin:www-data /opt/web/php/dailyplanet.com/
    sudo chmod -R u+rwX,g+r-w+X,o-rwX /opt/web/php/dailyplanet.com/
Setup Apache Virtual Host
Set up your Apache virtual hosts with the website root.
Setup WordPress
Make sure you are logged in as a sudo-enabled user. Set up WordPress as follows,
...
    sudo chown -R www-data:serveradmin /opt/web/php/dailyplanet.com/blog/wp-admin/
    sudo chown -R www-data:serveradmin /opt/web/php/dailyplanet.com/blog/wp-content/
    sudo chmod -R g+w /opt/web/php/dailyplanet.com/blog/wp-admin/
    sudo chmod -R g+w /opt/web/php/dailyplanet.com/blog/wp-content/
Configure MySQL
Secure MySQL
As a staff user, run the secure installation script included with MySQL,
...
For now that's it to securing MySQL.
Connect
Connect into MySQL,
    mysql -u root -p
...
The remainder of this section happens inside of the mysql shell.
Create the WordPress Database and Accounts in MySQL
List the databases to make sure what you want to create does not already exist,
...
Tip: Database admins will not like granting all privileges. After the initial setup is done we will restrict to more minimal privileges.
Exit MySQL Shell
Exit the MySQL shell,
    EXIT
Configure WordPress
Create Config File for Database Access
Launch a browser and hit the WordPress setup page for your machine at http://dailyplanet.com/blog/wp-admin/install.php and you will be prompted to create a configuration file.
...
Enter the required information and click "Submit",
Field | Value | Comment |
---|---|---|
Database Name | wpdailyplanetdb | The Bonsai Framework approach is to base the user name on the site's primary domain name. |
User Name | wpdpdbuser | |
Password | | This is the application password set during the wpdailyplanetdb database creation step. |
Database Host | localhost | Address of the database server. In this example the database is on the same server, so localhost is used. |
Table Prefix | bf_ | The Bonsai Framework approach generally does not encourage changing an application's table prefix. However, given the architecture and popularity of WordPress, it is recommended to change the prefix to something other than wp_ to make the system less susceptible to attacks. |
It is expected that you will receive a message that WordPress cannot write the wp-config file, and the following prompt will appear on screen,
...
Finally enter the site information,
Field | Value | Comment |
---|---|---|
Site Title | dailyplanet | We like to reference our domain name. |
Username | tempadmin | You probably do not want to use the default admin for the username. WordPress (as of Sep 2012) out of the box has no facilities to stop dictionary attacks against the administration system, and admin will be the first username guessed by automated attacks. Because the username entered here will show up in the default generated site, this will be a temporary administrator account. |
Password | | As mentioned, WordPress has no facilities to stop dictionary attacks. On top of that, the default setup exposes your administrator account name on the Internet. Choose a very long and complex password. (Anyone know of a good site that shows how quickly an entered password would be broken with a dictionary attack? Put the link here.) |
Your E-mail | | Whatever email is chosen here, it will not be the final one used by the real administrator account. Keeping in mind that WordPress does not allow duplicate emails, in this example the administrator will use a personal email here and a proper email account when the real administrator account is created. |
Privacy | | This depends on the purpose of your website. Unless this is a private site that should not show up on Google, leave it checked. |
Click "Install WordPress", which should result in a success screen. At this point you are actually done with the setup. Do not click "Log In".
If everything went well you will see a "Success!" message.
Customize WordPress
At this point WordPress is already working. There are two URLs to take note of,
URL | Area | Purpose |
---|---|---|
http://www.dailyplanet.com/blog/ | Public | You can hit this url right now and see a default working site. This url is where your users will enter. |
http://www.dailyplanet.com/blog/wp-admin/ | Administration | This URL results from clicking the "Log In" button after the WordPress install is complete. It can also be reached from the public homepage by clicking "Log In" located at the bottom right under "META". The administration area allows the customization and configuration of WordPress. Also, once logged into the administration area, if you browse to the public area you will see additional buttons and options to create posts and edit the website contents. |
http://www.dailyplanet.com/ | Public | If WordPress is your main website you should configure Apache to redirect to http://www.dailyplanet.com/blog/. |
If the Install WordPress success screen is still up, clicking "Log In" will take you to the WordPress administration URL; otherwise use the URL in the table above.
Minimal Security - Block Login Attacks
WordPress out of the box can easily be broken into with a brute-force dictionary attack, for the following combined reasons,
...
For a more secure setup, consider installing one of these plugins,
Plugin | Description | Notes |
---|---|---|
Google Authenticator | The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. The very first time your browser visits the website, it will require the second factor. Subsequent visits with the same browser will not. The two-factor authentication requirement can be enabled on a per-user basis: you could enable it for your administrator account but log in as usual with less privileged accounts. | Make sure time is synced with the same time servers across the phone and server. For example, my iPhone was off by 2 minutes because it was set manually to Toronto. The best thing to do is turn on the 4 minute drift allowance. When setting the password make sure there are no spaces, otherwise the barcode will not work. |
BAW More Secure Login | Grid cards. | |
Login Security Solution | Adds some common defences against brute force attacks. | The most useful feature is that it blocks a user for x minutes, progressively longer as more attempts are made. Also blocks by cookie and IP address. |
Anti-Spam | Stops the spam comments that show up on your blog promoting other websites, without filtering out real comments. | Have yet to see a comment from a spammer. |
bodi0`s Bots visits counter | Logs the bots that visit your site and gives the option to block/unblock them by editing the .htaccess file. | It's an interesting tool to see what bots visit your site. |
Limit Login Attempts | Lets you limit login attempts and logs the IP and username of those who get banned. | Think of it as fail2ban for WordPress; it is also a lot easier to edit than the actual fail2ban plugin. |
P3 (Plugin Performance Profiler) | Tests page performance and records which plugin is taking the most time. It has two scanning modes, automatic and manual. | Really useful if your blog is taking an unusually long time to load and you have no idea why. |
WP-Mail-SMTP | If you cannot get mail() to work in PHP you can install this plugin to use SMTP instead. | To set it up to use Google use: |
Should have link to how to ssh in to disable plugins if they misbehave.
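As an added example of detecting the attack described in this section (not from the page or any of the plugins listed), this shell function tallies failed and successful POSTs to wp-login.php per client from an Apache combined-format access log; the helper names and log lines are constructed, using documentation IP ranges.

```shell
# Added example, not from the page: pick out brute-force login activity in the
# Apache access log. Assumes the stock "combined" log format and the login
# path /blog/wp-login.php used on this page; the sample IPs are constructed.

# login_attempts LOGFILE THRESHOLD -> "FAILED SUCCEEDED IP" for every client
# with more than THRESHOLD failed POSTs to wp-login.php, busiest first.
# WordPress answers a failed login with 200 (the form again) and a successful
# one with a 302 redirect into wp-admin, so the status code separates the two;
# many failures followed by a success is the pattern worth paging on.
login_attempts() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /\/wp-login\.php/ {
            if ($9 == 302) ok[$1]++; else fail[$1]++
        }
        END { for (ip in fail) if (fail[ip] > limit) print fail[ip], ok[ip] + 0, ip }
    ' "$1" | sort -rn
}

# Constructed sample: 203.0.113.7 guesses six times and then gets in;
# 198.51.100.2 is an editor who mistypes once.
write_sample_log() {
    {
        i=1
        while [ $i -le 6 ]; do
            printf '203.0.113.7 - - [10/Sep/2012:03:14:%02d +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4017 "-" "Mozilla/5.0"\n' "$i"
            i=$((i + 1))
        done
        printf '203.0.113.7 - - [10/Sep/2012:03:14:09 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
        printf '198.51.100.2 - - [10/Sep/2012:03:20:00 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"\n'
        printf '198.51.100.2 - - [10/Sep/2012:03:20:01 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4017 "-" "Mozilla/5.0"\n'
        printf '198.51.100.2 - - [10/Sep/2012:03:20:15 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    } > "$1"
}

log=$(mktemp); write_sample_log "$log"
login_attempts "$log" 3      # prints: 6 1 203.0.113.7
rm -f "$log"
```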
Set Up Users
The default user created is an administrator and has more privileges than necessary. The very first step is to create users with specific roles provided by WordPress. The roles are outlined below in order of most privileges to least.
Keep in mind that when creating accounts, WordPress requires unique email addresses.
Role | Description | Sample User Name |
---|---|---|
Administrator | Administrators have access to all the administration features. | setupadmin |
Editor | Editors can publish posts, manage posts as well as manage other people’s posts, etc. | perrywhite |
Author | Authors can publish and manage their own posts, and are able to upload files. | clarkkent, loislane |
Contributor | Contributors can write and manage their posts but not publish posts or upload media files. | jimmyolsen |
Subscriber | Subscribers can read comments/comment/receive newsletters, etc. but cannot create regular site content. | lexluthor |
Create your first user,
Field | Value | Comment |
---|---|---|
Site Title | dailyplanet | We like to reference our domain name. |
Username | setupadmin | This will be the real administration account. |
Password | | As mentioned, WordPress has no facilities to stop dictionary attacks. On top of that, the default setup exposes your administrator account name on the Internet. Choose a very long and complex password. (Anyone know of a good site that shows how quickly an entered password would be broken with a dictionary attack? Put the link here.) |
Your E-mail | admin@bonsaiframework.com | If there is more than one administrator, you should have a general support mailbox that only administrators have access to. This email address will be used for password recovery purposes. |
FAQ
Why do some of the php5 installations say to use install libapache2-mod-php5?
...
Nothing I can see. It just looks like php5 is an overarching package name.
References
Setup
Ubuntu Server Documentation - https://help.ubuntu.com/12.04/serverguide/php5.html
Security
Has some ok details around suPHP - https://help.ubuntu.com/community/ApacheMySQLPHP#Installing_MYSQL_with_PHP_5
...