Wordpress 2023: verschil tussen versies

Uit MakerSpace Leiden
Ga naar: navigatie, zoeken
(Nieuwe pagina aangemaakt met 'New setup for Wordpress 2023. Standard Hetzner setup. Enable firewall. Move SSH to port 2222. apt update apt upgrade apt install apache2 php php...')
 
(Backups)
 
(13 tussenliggende versies door 2 gebruikers niet weergegeven)
Regel 1: Regel 1:
 +
[[Category:Servers network & websites]]
 
New setup for Wordpress 2023.
 
New setup for Wordpress 2023.
  
Regel 7: Regel 8:
 
       apt install apache2 php php-mysql
 
       apt install apache2 php php-mysql
 
       apt install mariadb-server mariadb-client
 
       apt install mariadb-server mariadb-client
 +
 +
Generate a strong password, e.g. with
 +
 +
    openssl rand -base64 32
 +
 +
Then disable external access, remove anon users, etc, etc:
 +
 
       mysql_secure_installation
 
       mysql_secure_installation
  
Create baseline:
+
Create baseline setup with:
  
 
       mysql -u root -p
 
       mysql -u root -p
  
And enter
+
And give the SQL commands:
  
 
       CREATE DATABASE wordpress_db;
 
       CREATE DATABASE wordpress_db;
       CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'XXXX';
+
       CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP';
 
       GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
 
       GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
 
       FLUSH PRIVILEGES;
 
       FLUSH PRIVILEGES;
 
       Exit;
 
       Exit;
  
Fetch the latest Wordpress and check
+
Where 'PPPPP' is that password generated above.
 +
 
 +
Fetch the latest Wordpress and check:
  
 
   cd /tmp && wget https://wordpress.org/latest.tar.gz
 
   cd /tmp && wget https://wordpress.org/latest.tar.gz
 +
  openssl sha256 https://wordpress.org/latest.tar.gz
 +
 +
# Check sha256 against the Wordpress website.
 +
 
   cd /var/www/html
 
   cd /var/www/html
   tar zxf /tmp/latest.tar.gz  
+
   tar zxf /tmp/latest.tar.gz
 
   cp -R wordpress /var/www/html
 
   cp -R wordpress /var/www/html
 +
  rm /tmp/latest.tar.gz
 
   chown -R www-data:www-data /var/www/html/wordpress/
 
   chown -R www-data:www-data /var/www/html/wordpress/
 
   chmod -R 755 /var/www/html/wordpress/
 
   chmod -R 755 /var/www/html/wordpress/
Regel 35: Regel 50:
  
 
   vi sites-enabled/000-default.conf  
 
   vi sites-enabled/000-default.conf  
+
 
 
Add settings to /etc/php/*/php.ini:  
 
Add settings to /etc/php/*/php.ini:  
  
Regel 41: Regel 56:
 
     post_max_size=128M  
 
     post_max_size=128M  
 
     memory_limit=256M
 
     memory_limit=256M
 +
 +
And restart apache
 +
 +
  apachectl restart
 +
 +
Then go to the website; and fill out the above details (e.g. wordpress_db, wp_user and password PPPPP).
 +
 +
= Backups =
 +
 +
Backups have been set up as a variation on [[Server backups / Duplicity]]. The main change is that only wordpress and its database are backed up.
 +
 +
The GPG key was set up with the commands:
 +
 +
    mkdir /etc/duplicity
 +
    cd /etc/duplicity
 +
    export GNUPGHOME=`pwd`
 +
    gpg --generate-key
 +
 +
The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with:
 +
 +
    openssl rand -base64 32
 +
 +
Obtain key ID (YYYY in below):
 +
 +
    gpg --list-secret-keys
 +
 +
The trustee decruption key was taken from the [[Server backups / Duplicity]] process and its key id also obtained (XXXX in below):
 +
 +
    gpg --import public-key.###
 +
    gpg --list-keys
 +
 +
Then edit the trust in this key to `ultimate'
 +
   
 +
    gpg --edit-key XXXXXX
 +
    option 5, yes, save
 +
 +
The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu).
 +
 +
  #!/bin/sh
 +
  set -e
 +
  umask 077
 +
 
 +
  DIR=/etc/duplicity
 +
  W=incremental
 +
  if [ $# != 0 ]; then
 +
  W=$1
 +
  shift
 +
  fi
 +
  T=
 +
  if [ $W = full -o $W = incremental ];then
 +
  T=/
 +
  mysqldump --all-databases --single-transaction --quick --lock-tables=false  |\
 +
                gzip -9 > /var/lib/mysql/mysql-dump.gz
 +
  fi
 +
 
 +
  # Verbose level 2 is errors and warnings; this way we skip
 +
  # notices and quell all output if the backup is a success.
 +
  #
 +
  VERBOSE=${VERBOSE:-2}
 +
 
 +
  PASSPHRASE="ZZZZZ" LANG=en_US.UTF8  LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR  \
 +
        PYTHONWARNINGS="ignore::DeprecationWarning" \
 +
  python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \
 +
  \
 +
  -v $VERBOSE \
 +
  --hidden-encrypt-key XXX \
 +
  --sign-key          YYY \
 +
  --ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \
 +
  --no-print-statistics \
 +
  \
 +
        --include /var/www \
 +
        --include /etc \
 +
  --include /var/lib/mysql/mysql-dump.gz \
 +
  --exclude /etc/duplicity/.cache \
 +
  --exclude '**' \
 +
  \
 +
  $T \
 +
  sftp://xxxx@xxxx.com/backups 2>&1 |\
 +
                tee /var/log/last-duplcity-backup.new |\
 +
                grep -v DeprecationWarning | grep -v algorithm=hashes.SHA1
 +
  mv /var/log/last-duplcity-backup.new /var/log/duplicity.log
 +
mv /var/log/duplicity.log.gz /var/log/duplicity.prevlog.gz || true
 +
  gzip /var/log/duplicity.log || true
 +
  exit $?
 +
 +
And the crons where installed:
 +
 +
    MAILTO=noc@makerspaceleiden.nl
 +
    # monthly full, incrementals during the week.
 +
    #
 +
    3 3  1    * * root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh full
 +
    3 3  2-31 * * root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh incremental
 +
    # Half year retention for full; 1 months for the incrementals
 +
    #
 +
    1 1  * * 1 root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-but-n-full 6
 +
    1 2  * * 1 root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-inc-of-but-n-full 1

Huidige versie van 29 jul 2024 om 23:06

New setup for Wordpress 2023.

Standard Hetzner setup. Enable firewall. Move SSH to port 2222. 

     apt update
     apt upgrade
     apt install apache2 php php-mysql
     apt install mariadb-server mariadb-client

Generate a strong password, e.g. with 

   openssl rand -base64 32

Then disable external access, remove anon users, etc, etc: 

     mysql_secure_installation

Create baseline setup with: 

     mysql -u root -p

And give the SQL commands: 

     CREATE DATABASE wordpress_db;
     CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP';
     GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
     FLUSH PRIVILEGES;
     Exit;

Where 'PPPPP' is that password generated above.

Fetch the latest Wordpress and check: 

  cd /tmp && wget https://wordpress.org/latest.tar.gz
  openssl sha256 https://wordpress.org/latest.tar.gz
  1. Check sha256 against the Wordpress website.
  cd /var/www/html
  tar zxf /tmp/latest.tar.gz
  cp -R wordpress /var/www/html
  rm /tmp/latest.tar.gz
  chown -R www-data:www-data /var/www/html/wordpress/
  chmod -R 755 /var/www/html/wordpress/
  mkdir /var/www/html/wordpress/wp-content/uploads
  chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads/

Updated the docroot to Wordpress: 

  vi sites-enabled/000-default.conf

Add settings to /etc/php/*/php.ini: 

   upload_max_filesize=128M 
   post_max_size=128M 
   memory_limit=256M

And restart apache 

  apachectl restart

Then go to the website; and fill out the above details (e.g. wordpress_db, wp_user and password PPPPP).

Backups

Backups have been set up as a variation on Server backups / Duplicity. The main change is that only wordpress and its database are backed up.

The GPG key was set up with the commands: 

    mkdir /etc/duplicity
    cd /etc/duplicity
    export GNUPGHOME=`pwd`
    gpg --generate-key

The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with: 

    openssl rand -base64 32

Obtain key ID (YYYY in below): 

    gpg --list-secret-keys

The trustee decruption key was taken from the Server backups / Duplicity process and its key id also obtained (XXXX in below): 

    gpg --import public-key.###
    gpg --list-keys

Then edit the trust in this key to `ultimate' 

    gpg --edit-key XXXXXX
    option 5, yes, save

The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu). 

 #!/bin/sh
 set -e
 umask 077
 
 DIR=/etc/duplicity
 W=incremental
 if [ $# != 0 ]; then
 	W=$1
 	shift
 fi
 T=
 if [ $W = full -o $W = incremental ];then
 	T=/
  	mysqldump --all-databases --single-transaction --quick --lock-tables=false  |\
               gzip -9 > /var/lib/mysql/mysql-dump.gz
 fi
  
  # Verbose level 2 is errors and warnings; this way we skip
  # notices and quell all output if the backup is a success.
  #
  VERBOSE=${VERBOSE:-2}
  
  PASSPHRASE="ZZZZZ" LANG=en_US.UTF8  LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR  \
       PYTHONWARNINGS="ignore::DeprecationWarning" \
 		python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \
 		\
 			-v $VERBOSE \
 			--hidden-encrypt-key XXX \
 			--sign-key           YYY \
 			--ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \
 			--no-print-statistics \
 	\
       --include /var/www \
       --include /etc \
 	--include /var/lib/mysql/mysql-dump.gz \
 	--exclude /etc/duplicity/.cache \
 	--exclude '**' \
 	\
 	$T \
 	sftp://xxxx@xxxx.com/backups 2>&1 |\
               tee /var/log/last-duplcity-backup.new |\
               grep -v DeprecationWarning | grep -v algorithm=hashes.SHA1
 	mv /var/log/last-duplcity-backup.new /var/log/duplicity.log
	mv /var/log/duplicity.log.gz /var/log/duplicity.prevlog.gz || true
 	gzip /var/log/duplicity.log || true
 exit $?

And the crons where installed: 

   MAILTO=noc@makerspaceleiden.nl
   # monthly full, incrementals during the week.
   #
   3 3  1    * *	root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh full
   3 3  2-31 * *	root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh incremental
   # Half year retention for full; 1 months for the incrementals
   #
   1 1  * * 1	 root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-but-n-full 6
   1 2  * * 1	 root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-inc-of-but-n-full 1
Overgenomen van "https://wiki.makerspaceleiden.nl/mediawiki/index.php?title=Wordpress_2023&oldid=15426"