Wordpress2023: verschil tussen versies
(Nieuwe pagina aangemaakt met 'New setup for Wordpress 2023. Standard Hetzner setup. Enable firewall. Move SSH to port 2222. apt update apt upgrade apt install apache2 php php...') |
(→Backups) |
||
| (10 tussenliggende versies door dezelfde gebruiker niet weergegeven) | |||
| Regel 7: | Regel 7: | ||
apt install apache2 php php-mysql | apt install apache2 php php-mysql | ||
apt install mariadb-server mariadb-client | apt install mariadb-server mariadb-client | ||
| + | |||
| + | Generate a strong password, e.g. with | ||
| + | |||
| + | openssl rand -base64 32 | ||
| + | |||
| + | Then disable external access, remove anon users, etc, etc: | ||
| + | |||
mysql_secure_installation | mysql_secure_installation | ||
| − | Create baseline: | + | Create baseline setup with: |
mysql -u root -p | mysql -u root -p | ||
| − | And | + | And give the SQL commands: |
CREATE DATABASE wordpress_db; | CREATE DATABASE wordpress_db; | ||
| − | CREATE USER 'wp_user'@'localhost' IDENTIFIED BY ' | + | CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP'; |
GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password'; | GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password'; | ||
FLUSH PRIVILEGES; | FLUSH PRIVILEGES; | ||
Exit; | Exit; | ||
| − | Fetch the latest Wordpress and check | + | Where 'PPPPP' is that password generated above. |
| + | |||
| + | Fetch the latest Wordpress and check: | ||
cd /tmp && wget https://wordpress.org/latest.tar.gz | cd /tmp && wget https://wordpress.org/latest.tar.gz | ||
| + | openssl sha256 https://wordpress.org/latest.tar.gz | ||
| + | |||
| + | # Check sha256 against the Wordpress website. | ||
| + | |||
cd /var/www/html | cd /var/www/html | ||
| − | tar zxf /tmp/latest.tar.gz | + | tar zxf /tmp/latest.tar.gz |
cp -R wordpress /var/www/html | cp -R wordpress /var/www/html | ||
| + | rm /tmp/latest.tar.gz | ||
chown -R www-data:www-data /var/www/html/wordpress/ | chown -R www-data:www-data /var/www/html/wordpress/ | ||
chmod -R 755 /var/www/html/wordpress/ | chmod -R 755 /var/www/html/wordpress/ | ||
| Regel 35: | Regel 49: | ||
vi sites-enabled/000-default.conf | vi sites-enabled/000-default.conf | ||
| − | + | ||
Add settings to /etc/php/*/php.ini: | Add settings to /etc/php/*/php.ini: | ||
| Regel 41: | Regel 55: | ||
post_max_size=128M | post_max_size=128M | ||
memory_limit=256M | memory_limit=256M | ||
| + | |||
| + | And restart apache | ||
| + | |||
| + | apachectl restart | ||
| + | |||
| + | Then go to the website; and fill out the above details (e.g. wordpress_db, wp_user and password PPPPP). | ||
| + | |||
| + | = Backups = | ||
| + | |||
| + | Backups have been set up as a variation on [[MTA-Backups / Duplicty]]. The main change is that only wordpress and its database are backed up. | ||
| + | |||
| + | The GPG key was set up with the commands: | ||
| + | |||
| + | mkdir /etc/duplicity | ||
| + | cd /etc/duplicity | ||
| + | export GNUPGHOME=`pwd` | ||
| + | gpg --generate-key | ||
| + | |||
| + | The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with: | ||
| + | |||
| + | openssl rand -base64 32 | ||
| + | |||
| + | Obtain key ID (YYYY in below): | ||
| + | |||
| + | gpg --list-secret-keys | ||
| + | |||
| + | The trustee decruption key was taken from the [[MTA-Backups / Duplicty]] process and its key id also obtained (XXXX in below): | ||
| + | |||
| + | gpg --import public-key.### | ||
| + | gpg --list-keys | ||
| + | |||
| + | Then edit the trust in this key to `ultimate' | ||
| + | |||
| + | gpg --edit-key XXXXXX | ||
| + | option 5, yes, save | ||
| + | |||
| + | The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu). | ||
| + | |||
| + | #!/bin/sh | ||
| + | set -e | ||
| + | umask 077 | ||
| + | |||
| + | DIR=/etc/duplicity | ||
| + | W=incremental | ||
| + | if [ $# != 0 ]; then | ||
| + | W=$1 | ||
| + | shift | ||
| + | fi | ||
| + | T= | ||
| + | if [ $W = full -o $W = incremental ];then | ||
| + | T=/ | ||
| + | mysqldump --all-databases --single-transaction --quick --lock-tables=false |\ | ||
| + | gzip -9 > /var/lib/mysql/mysql-dump.gz | ||
| + | fi | ||
| + | |||
| + | # Verbose level 2 is errors and warnings; this way we skip | ||
| + | # notices and quell all output if the backup is a success. | ||
| + | # | ||
| + | VERBOSE=${VERBOSE:-2} | ||
| + | |||
| + | PASSPHRASE="ZZZZZ" LANG=en_US.UTF8 LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR \ | ||
| + | PYTHONWARNINGS="ignore::DeprecationWarning" \ | ||
| + | python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \ | ||
| + | \ | ||
| + | -v $VERBOSE \ | ||
| + | --hidden-encrypt-key XXX \ | ||
| + | --sign-key YYY \ | ||
| + | --ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \ | ||
| + | --no-print-statistics \ | ||
| + | \ | ||
| + | --include /var/www \ | ||
| + | --include /etc \ | ||
| + | --include /var/lib/mysql/mysql-dump.gz \ | ||
| + | --exclude /etc/duplicity/.cache \ | ||
| + | --exclude '**' \ | ||
| + | \ | ||
| + | $T \ | ||
| + | sftp://xxxx@xxxx.com/backups 2>&1 |\ | ||
| + | tee /var/log/last-duplcity-backup.new |\ | ||
| + | grep -v DeprecationWarning | grep -v algorithm=hashes.SHA1 | ||
| + | mv /var/log/last-duplcity-backup.new /var/log/duplicity.log | ||
| + | mv /var/log/duplicity.log.gz /var/log/duplicity.prevlog.gz || true | ||
| + | gzip /var/log/duplicity.log || true | ||
| + | exit $? | ||
| + | |||
| + | And the crons where installed: | ||
| + | |||
| + | MAILTO=noc@makerspaceleiden.nl | ||
| + | # monthly full, incrementals during the week. | ||
| + | # | ||
| + | 3 3 1 * * root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh full | ||
| + | 3 3 2-31 * * root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh incremental | ||
| + | # Half year retention for full; 1 months for the incrementals | ||
| + | # | ||
| + | 1 1 * * 1 root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-but-n-full 6 | ||
| + | 1 2 * * 1 root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-inc-of-but-n-full 1 | ||
Huidige versie van 25 okt 2023 om 17:22
New setup for Wordpress 2023.
Standard Hetzner setup. Enable firewall. Move SSH to port 2222.
apt update
apt upgrade
apt install apache2 php php-mysql
apt install mariadb-server mariadb-client
Generate a strong password, e.g. with
openssl rand -base64 32
Then disable external access, remove anon users, etc, etc:
mysql_secure_installation
Create baseline setup with:
mysql -u root -p
And give the SQL commands:
CREATE DATABASE wordpress_db;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP';
GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
Exit;
Where 'PPPPP' is that password generated above.
Fetch the latest Wordpress and check:
cd /tmp && wget https://wordpress.org/latest.tar.gz openssl sha256 https://wordpress.org/latest.tar.gz
- Check sha256 against the Wordpress website.
cd /var/www/html tar zxf /tmp/latest.tar.gz cp -R wordpress /var/www/html rm /tmp/latest.tar.gz chown -R www-data:www-data /var/www/html/wordpress/ chmod -R 755 /var/www/html/wordpress/ mkdir /var/www/html/wordpress/wp-content/uploads chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads/
Updated the docroot to Wordpress:
vi sites-enabled/000-default.conf
Add settings to /etc/php/*/php.ini:
upload_max_filesize=128M post_max_size=128M memory_limit=256M
And restart apache
apachectl restart
Then go to the website; and fill out the above details (e.g. wordpress_db, wp_user and password PPPPP).
Backups
Backups have been set up as a variation on MTA-Backups / Duplicty. The main change is that only wordpress and its database are backed up.
The GPG key was set up with the commands:
mkdir /etc/duplicity
cd /etc/duplicity
export GNUPGHOME=`pwd`
gpg --generate-key
The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with:
openssl rand -base64 32
Obtain key ID (YYYY in below):
gpg --list-secret-keys
The trustee decruption key was taken from the MTA-Backups / Duplicty process and its key id also obtained (XXXX in below):
gpg --import public-key.###
gpg --list-keys
Then edit the trust in this key to `ultimate'
gpg --edit-key XXXXXX
option 5, yes, save
The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu).
#!/bin/sh
set -e
umask 077
DIR=/etc/duplicity
W=incremental
if [ $# != 0 ]; then
W=$1
shift
fi
T=
if [ $W = full -o $W = incremental ];then
T=/
mysqldump --all-databases --single-transaction --quick --lock-tables=false |\
gzip -9 > /var/lib/mysql/mysql-dump.gz
fi
# Verbose level 2 is errors and warnings; this way we skip
# notices and quell all output if the backup is a success.
#
VERBOSE=${VERBOSE:-2}
PASSPHRASE="ZZZZZ" LANG=en_US.UTF8 LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR \
PYTHONWARNINGS="ignore::DeprecationWarning" \
python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \
\
-v $VERBOSE \
--hidden-encrypt-key XXX \
--sign-key YYY \
--ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \
--no-print-statistics \
\
--include /var/www \
--include /etc \
--include /var/lib/mysql/mysql-dump.gz \
--exclude /etc/duplicity/.cache \
--exclude '**' \
\
$T \
sftp://xxxx@xxxx.com/backups 2>&1 |\
tee /var/log/last-duplcity-backup.new |\
grep -v DeprecationWarning | grep -v algorithm=hashes.SHA1
mv /var/log/last-duplcity-backup.new /var/log/duplicity.log
mv /var/log/duplicity.log.gz /var/log/duplicity.prevlog.gz || true
gzip /var/log/duplicity.log || true
exit $?
And the crons where installed:
MAILTO=noc@makerspaceleiden.nl # monthly full, incrementals during the week. # 3 3 1 * * root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh full 3 3 2-31 * * root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh incremental # Half year retention for full; 1 months for the incrementals # 1 1 * * 1 root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-but-n-full 6 1 2 * * 1 root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-inc-of-but-n-full 1
