Install PHP
Install the PHP Packages
sudo apt-get install php5
As of Ubuntu 12 (an maybe even earlier), the installer will automatically restart Apache2 for you.
Verify
Quickly verify that everything works by creating a php info file with your favourite editor,
sudo vi /var/www/info.php # On public site do not use such an obvious file name
Put in the following contents,
<?php phpinfo(); ?>
Save the file and browser to file using a browser. You can use either the IP Address or the valid Domain Name. For example, http://173.194.75.94/info.php or http://www.krypton.com/info.php which should show a purple and grey PHP informational screen.
Secure the Server
The security posture is from an administrative perspective and not for self-serve and shared hosting.
Determine if this actually increases security - http://www.suphp.org/Home.html. suPHP and LiteSpeed make the most sense for shared hosting.
This article indicates that suphp is slow as it makes php run as a cgi. Instead it recommends restrictions using mod_php - http://serverfault.com/questions/279938/should-i-use-suphp-or-mod-php-for-shared-hosting. Along this thread another poster recommends, http://mpm-itk.sesse.net/ which allows vhosts to be run under different uid and gid.
This restricts the php process to specific directories - http://help.godaddy.com/article/1616
Restrict the Execution of PHP to a Specific Folder
Edit, vi /etc/php5/apache2/php.ini to only allow execution of php scripts in the /home directory.
; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory ; or per-virtualhost web server configuration file. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. ; http://php.net/open-basedir open_basedir = /home
This helps minimizes the amount of damage that can be done in the event that the system is compromised to the specified directory.
File Permissions
Adapted from the WordPress article Hardening WordPress we take the approach of creating accounts for select developers or release managers.
wp-config.php - holds the database password and should be locked down.
Covered on the Ubuntu WordPress guide, for automatic updates to occur, the folder and all its files and subfolders must be owned by www-data with write access. I'm not sure we will take this approach. I think I'd rather update manually.
Install MySQL
sudo apt-get install mysql-server
For the root administration database password, use the standard password algorithm based on the server name.
Connect PHP to MySQL
Install the necessary libraries so that PHP will be able to connect to MySQL.
sudo apt-get install php5-mysql
Create the Accounts in MySQL
Connect into MySQL,
mysql -u root -p
Enter the following MySQL commands,
CREATE DATABASE wordpresskryptondb; GRANT ALL PRIVILEGES ON wordpresskryptondb.* TO "wpkryptonuser"@"localhost" IDENTIFIED BY "password"; FLUSH PRIVILEGES; EXIT
Explain variables on a table, wordpresskryptondb, wpkryptonuser, localhost, password.
Install WordPress
Using the target application account, in our case we will use serveradmin, download and install WordPress,
su - serveradmin cd ~ wget http://wordpress.org/latest.tar.gz tar -xvpf latest.tar.gz mv wordpress blog # We do not need to make the technology obvious. mv blog /home/www.krypton.com/www/
Repeat for the second instance.
Configure WordPress
- Create config file for database access
- Set URL
- ...
FAQ
Why do some of the php5 installations say to use install libapache2-mod-php5?
No need, it is included with the php5 package.
What is the difference between the php5 and libapache2-mod-php5 packages?
Nothing I can see. It just looks like php5 is an overarching package name.
References
Ubuntu Server Documentation - https://help.ubuntu.com/12.04/serverguide/php5.html
Has some ok details around suPHP - https://help.ubuntu.com/community/ApacheMySQLPHP#Installing_MYSQL_with_PHP_5
Some good notes on securing PHP from Symantec - http://www.symantec.com/connect/articles/securing-php-step-step