Wordpress 2023: difference between revisions
(→Backups) |
(→Backups) |
||
(6 intermediate revisions by 2 users not shown) | |||
Regel 1: | Regel 1: | ||
+ | [[Category:Servers network & websites]] | ||
New setup for Wordpress 2023. | New setup for Wordpress 2023. | ||
Regel 7: | Regel 8: | ||
apt install apache2 php php-mysql | apt install apache2 php php-mysql | ||
apt install mariadb-server mariadb-client | apt install mariadb-server mariadb-client | ||
+ | |||
+ | Generate a strong password, e.g. with | ||
+ | |||
+ | openssl rand -base64 32 | ||
Then disable external access, remove anon users, etc, etc: | Then disable external access, remove anon users, etc, etc: | ||
Regel 19: | Regel 24: | ||
CREATE DATABASE wordpress_db; | CREATE DATABASE wordpress_db; | ||
− | CREATE USER 'wp_user'@'localhost' IDENTIFIED BY ' | + | CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP'; |
GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password'; | GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password'; | ||
FLUSH PRIVILEGES; | FLUSH PRIVILEGES; | ||
Exit; | Exit; | ||
+ | |||
+ | Where 'PPPPP' is that password generated above. | ||
Fetch the latest Wordpress and check: | Fetch the latest Wordpress and check: | ||
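Review bot: The unchanged GRANT line in this hunk still ends in IDENTIFIED BY 'password'. On MariaDB a GRANT with IDENTIFIED BY sets the password of an existing account, so running it after the new CREATE USER line leaves wp_user with the literal password 'password' instead of PPPPP. Suggest dropping the clause so the line reads GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost';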
Regel 49: | Regel 56: | ||
post_max_size=128M | post_max_size=128M | ||
memory_limit=256M | memory_limit=256M | ||
+ | |||
+ | And restart apache | ||
+ | |||
+ | apachectl restart | ||
+ | |||
+ | Then go to the website; and fill out the above details (e.g. wordpress_db, wp_user and password PPPPP). | ||
= Backups = | = Backups = | ||
− | Backups have been set up as a variation on [[ | + | Backups have been set up as a variation on [[Server backups / Duplicity]]. The main change is that only wordpress and its database are backed up. |
The GPG key was set up with the commands: | The GPG key was set up with the commands: | ||
Regel 61: | Regel 74: | ||
gpg --generate-key | gpg --generate-key | ||
− | Obtain key ID: | + | The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with: |
+ | |||
+ | openssl rand -base64 32 | ||
+ | |||
+ | Obtain key ID (YYYY in below): | ||
gpg --list-secret-keys | gpg --list-secret-keys | ||
− | The trustee decruption key was taken from the [[ | + | The trustee decruption key was taken from the [[Server backups / Duplicity]] process and its key id also obtained (XXXX in below): |
+ | gpg --import public-key.### | ||
gpg --list-keys | gpg --list-keys | ||
− | The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu | + | Then edit the trust in this key to `ultimate' |
+ | |||
+ | gpg --edit-key XXXXXX | ||
+ | option 5, yes, save | ||
+ | |||
+ | The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu). | ||
#!/bin/sh | #!/bin/sh | ||
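Review bot: The added trust step ("gpg --edit-key XXXXXX" followed by "option 5, yes, save") leaves out the trust command that has to be typed at the gpg prompt before option 5 is offered; suggest writing the sequence as trust, 5, y, save. The trustee key placeholder is also written three ways in this change (XXXX, XXXXXX, and XXX in run.sh), and "decruption" should read "decryption".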
Regel 93: | Regel 116: | ||
VERBOSE=${VERBOSE:-2} | VERBOSE=${VERBOSE:-2} | ||
− | PASSPHRASE=" | + | PASSPHRASE="ZZZZZ" LANG=en_US.UTF8 LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR \ |
PYTHONWARNINGS="ignore::DeprecationWarning" \ | PYTHONWARNINGS="ignore::DeprecationWarning" \ | ||
python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \ | python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \ | ||
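Review bot: The new PASSPHRASE="ZZZZZ" line puts the key passphrase in clear text inside run.sh, so the script itself becomes a secret. Suggest stating next to it that run.sh must be owned by root with mode 0700, or having the script read the passphrase from a separate root-only file instead of carrying it inline.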
Regel 99: | Regel 122: | ||
-v $VERBOSE \ | -v $VERBOSE \ | ||
--hidden-encrypt-key XXX \ | --hidden-encrypt-key XXX \ | ||
− | --sign-key | + | --sign-key YYY \ |
− | |||
--ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \ | --ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \ | ||
--no-print-statistics \ | --no-print-statistics \ |
Latest revision as of 29 Jul 2024, 23:06
New setup for Wordpress 2023.
Standard Hetzner setup. Enable firewall. Move SSH to port 2222.
apt update
apt upgrade
apt install apache2 php php-mysql
apt install mariadb-server mariadb-client
Generate a strong password, e.g. with
openssl rand -base64 32
Then disable external access, remove anon users, etc, etc:
mysql_secure_installation
Create baseline setup with:
mysql -u root -p
And give the SQL commands:
CREATE DATABASE wordpress_db;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP';
-- No IDENTIFIED BY on the GRANT: in MariaDB it would reset wp_user's
-- password to whatever literal is given there.
GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost';
FLUSH PRIVILEGES;
Exit;
Where 'PPPPP' is the password generated above.
Fetch the latest Wordpress and check:
cd /tmp && wget https://wordpress.org/latest.tar.gz
openssl sha256 /tmp/latest.tar.gz
- Check sha256 against the Wordpress website.
cd /var/www/html
# tar unpacks into ./wordpress, i.e. /var/www/html/wordpress, so no copy is needed
tar zxf /tmp/latest.tar.gz
rm /tmp/latest.tar.gz
chown -R www-data:www-data /var/www/html/wordpress/
chmod -R 755 /var/www/html/wordpress/
mkdir /var/www/html/wordpress/wp-content/uploads
chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads/
Updated the docroot to Wordpress:
vi sites-enabled/000-default.conf
Add settings to /etc/php/*/php.ini:
upload_max_filesize=128M
post_max_size=128M
memory_limit=256M
And restart apache
apachectl restart
Then go to the website and fill in the details above (e.g. wordpress_db, wp_user and password PPPPP).
Backups
Backups have been set up as a variation on Server backups / Duplicity. The main change is that only wordpress and its database are backed up.
The GPG key was set up with the commands:
mkdir /etc/duplicity
cd /etc/duplicity
export GNUPGHOME=`pwd`
gpg --generate-key
The passphrase is shown as ZZZZ below. An easy way to generate a strong passphrase is with:
openssl rand -base64 32
Obtain key ID (YYYY below):
gpg --list-secret-keys
The trustee decryption key was taken from the Server backups / Duplicity process and its key ID also obtained (XXXX below):
gpg --import public-key.###
gpg --list-keys
Then edit the trust in this key to `ultimate':
gpg --edit-key XXXXXX
option 5, yes, save
The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu).
#!/bin/sh
set -e
umask 077

DIR=/etc/duplicity

W=incremental
if [ $# != 0 ]; then
    W=$1
    shift
fi

T=
if [ $W = full -o $W = incremental ]; then
    T=/
    mysqldump --all-databases --single-transaction --quick --lock-tables=false |\
        gzip -9 > /var/lib/mysql/mysql-dump.gz
fi

# Verbose level 2 is errors and warnings; this way we skip
# notices and quell all output if the backup is a success.
#
VERBOSE=${VERBOSE:-2}

# ZZZZZ is the key passphrase, so this file has to stay readable by root only.
# The trailing '|| true' keeps 'set -e' from aborting the script when grep
# has nothing left to print (a quiet, successful run), so the log is still rotated.
PASSPHRASE="ZZZZZ" LANG=en_US.UTF8 LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR \
PYTHONWARNINGS="ignore::DeprecationWarning" \
python3 -W ignore::DeprecationWarning /usr/bin/duplicity $W $* \
    \
    -v $VERBOSE \
    --hidden-encrypt-key XXX \
    --sign-key YYY \
    --ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \
    --no-print-statistics \
    \
    --include /var/www \
    --include /etc \
    --include /var/lib/mysql/mysql-dump.gz \
    --exclude /etc/duplicity/.cache \
    --exclude '**' \
    \
    $T \
    sftp://xxxx@xxxx.com/backups 2>&1 |\
    tee /var/log/last-duplcity-backup.new |\
    grep -v DeprecationWarning | grep -v algorithm=hashes.SHA1 || true

mv /var/log/last-duplcity-backup.new /var/log/duplicity.log
mv /var/log/duplicity.log.gz /var/log/duplicity.prevlog.gz || true
gzip /var/log/duplicity.log || true

exit $?
And the crons were installed:
MAILTO=noc@makerspaceleiden.nl

# monthly full, incrementals during the week.
#
3 3 1 * * root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh full
3 3 2-31 * * root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh incremental

# Half year retention for full; 1 month for the incrementals
#
1 1 * * 1 root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-but-n-full 6
1 2 * * 1 root test -x /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-inc-of-but-n-full 1
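Because run.sh carries the key passphrase and sits next to the SFTP key and the GnuPG home, a permission audit of /etc/duplicity is worth running after setup. The following is an added example, not part of the original page; the function names are made up here, and `private-keys-v1.d` assumes the GnuPG 2.1+ keyring layout.

```shell
#!/bin/sh
# Added example: flag backup secrets that group or other can access.
# The paths checked are the ones run.sh uses under its DIR.

# mode_is_private PATH -> 0 if no group/other permission bits are set.
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat: octal mode, e.g. 600
    # Leading 0 makes the shell read the value as octal; 077 = group+other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# audit_backup_dir DIR -> prints offending paths, returns how many were found.
audit_backup_dir() {
    dir=$1
    bad=0
    for p in "$dir" "$dir/run.sh" "$dir/backup.sftp" "$dir/private-keys-v1.d"; do
        [ -e "$p" ] || continue             # not every install has all of them
        if ! mode_is_private "$p"; then
            echo "too permissive: $p ($(stat -c '%a %U' "$p"))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Typical use on the server:
#   audit_backup_dir /etc/duplicity || echo "fix with chmod go-rwx on the paths above"
```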