Wordpress 2023: difference between revisions

From MakerSpace Leiden
(Backups)
(Backups)
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
[[Category:Servers network & websites]]
 
New setup for Wordpress 2023.
 
New setup for Wordpress 2023.
  
Line 7: Line 8:
 
       apt install apache2 php php-mysql
 
       apt install apache2 php php-mysql
 
       apt install mariadb-server mariadb-client
 
       apt install mariadb-server mariadb-client
 +
 +
Generate a strong password, e.g. with
 +
 +
    openssl rand -base64 32
  
 
Then disable external access, remove anon users, etc, etc:
 
Then disable external access, remove anon users, etc, etc:
Line 19: Line 24:
  
 
       CREATE DATABASE wordpress_db;
 
       CREATE DATABASE wordpress_db;
       CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'XXXX';
+
       CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP';
 
       GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
 
       GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
 
       FLUSH PRIVILEGES;
 
       FLUSH PRIVILEGES;
 
       Exit;
 
       Exit;
 +
 +
Where 'PPPPP' is that password generated above.
  
 
Fetch the latest Wordpress and check:
 
Fetch the latest Wordpress and check:
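
Review bot: The unchanged GRANT line directly after the new CREATE USER still carries IDENTIFIED BY 'password', which on MariaDB sets wp_user's password to the literal string 'password' and so discards the generated PPPPP. Drop the clause so the line reads GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost'; the added sentence "Where 'PPPPP' is that password generated above" then holds for the account as actually created.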
Line 49: Line 56:
 
     post_max_size=128M  
 
     post_max_size=128M  
 
     memory_limit=256M
 
     memory_limit=256M
 +
 +
And restart apache
 +
 +
  apachectl restart
 +
 +
Then go to the website; and fill out the above details (e.g. wordpress_db, wp_user and password PPPPP).
  
 
= Backups =
 
= Backups =
  
Backups have been set up as a variation on [[MTA-Backups / Duplicty]]. The main change is that only wordpress and its database are backed up.
+
Backups have been set up as a variation on [[Server backups / Duplicity]]. The main change is that only wordpress and its database are backed up.
  
 
The GPG key was set up with the commands:
 
The GPG key was set up with the commands:
Line 63: Line 76:
 
The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with:
 
The passphrase is shown as ZZZZ in below. An easy way to generate a strong passphrase is with:
  
     openssl genrsa 1024 | openssl sha256 -binary | base64
+
     openssl rand -base64 32
  
 
Obtain key ID (YYYY in below):
 
Obtain key ID (YYYY in below):
Line 69: Line 82:
 
     gpg --list-secret-keys
 
     gpg --list-secret-keys
  
The trustee decruption key was taken from the [[MTA-Backups / Duplicty]] process and its key id also obtained (XXXX in below):
+
The trustee decruption key was taken from the [[Server backups / Duplicity]] process and its key id also obtained (XXXX in below):
  
 +
    gpg --import public-key.###
 
     gpg --list-keys
 
     gpg --list-keys
 +
 +
Then edit the trust in this key to `ultimate'
 +
   
 +
    gpg --edit-key XXXXXX
 +
    option 5, yes, save
  
 
The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu).
 
The standard run.sh script was adapted as per below. Note a different MySQL location (change in ubuntu).
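
Review bot: The added trust step reads only "option 5, yes, save", which leaves out the trust command that has to be typed at the gpg> prompt before option 5 is offered; spell the sequence out as trust, 5, y, save. The placeholder is also written XXXXXX on the new --edit-key line while the sentence above it uses XXXX, and the changed sentence still carries the "decruption" typo. It is worth stating next to the new gpg --import line that GNUPGHOME must still point at /etc/duplicity, otherwise the trustee key is imported into root's default keyring instead of the one the backup script uses.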

Current revision as of 29 Jul 2024, 23:06

New setup for Wordpress 2023.

Standard Hetzner setup. Enable firewall. Move SSH to port 2222.

     apt update
     apt upgrade
     apt install apache2 php php-mysql
     apt install mariadb-server mariadb-client

Generate a strong password, e.g. with:

   openssl rand -base64 32

Then disable external access, remove anonymous users, etc.:

     mysql_secure_installation

Create baseline setup with:

     mysql -u root -p

And give the SQL commands:

     CREATE DATABASE wordpress_db;
     CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'PPPPP';
     -- No IDENTIFIED BY here: it would overwrite the password set by CREATE USER.
     GRANT ALL ON wordpress_db.* TO 'wp_user'@'localhost';
     FLUSH PRIVILEGES;
     EXIT;

Where 'PPPPP' is the password generated above.

Fetch the latest Wordpress and check:

  cd /tmp && wget https://wordpress.org/latest.tar.gz
  # Hash the downloaded file (not the URL).
  openssl sha256 /tmp/latest.tar.gz
  # Check sha256 against the Wordpress website.
  cd /var/www/html
  # Unpacks directly into /var/www/html/wordpress, so no separate copy is needed.
  tar zxf /tmp/latest.tar.gz
  rm /tmp/latest.tar.gz
  chown -R www-data:www-data /var/www/html/wordpress/
  chmod -R 755 /var/www/html/wordpress/
  mkdir /var/www/html/wordpress/wp-content/uploads
  chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads/
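
The download check above, written as a gate that refuses to unpack on a mismatch. This is an added example, not part of the original page: the function name `verify_and_extract` and the rule that every archive member must sit under `wordpress/` are assumptions of the example, and `sha256sum` stands in for `openssl sha256`.

```shell
#!/bin/sh
# Added example (not from the original page).
# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Returns 0 after unpacking; returns 1 and unpacks nothing on any failure.
verify_and_extract() {
    tarball=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3

    [ -f "$tarball" ] || { echo "no such file: $tarball" >&2; return 1; }

    # The digest copied from the website must be exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 1; }

    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: got $actual" >&2
        return 1
    fi

    # Assumed layout: every member sits under wordpress/, with no ".." hops.
    members=$(tar tzf "$tarball") || return 1
    if printf '%s\n' "$members" | grep -Eqv '^wordpress(/|$)' ||
       printf '%s\n' "$members" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected path in archive" >&2
        return 1
    fi

    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest" --no-same-owner
}

# Usage, with the digest pasted from the WordPress website:
#   verify_and_extract /tmp/latest.tar.gz <sha256-from-website> /var/www/html
```

A digest read from the same site as the tarball catches a truncated or corrupted download, not a compromised origin.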

Update the docroot to point at Wordpress:

  vi /etc/apache2/sites-enabled/000-default.conf

Add settings to /etc/php/*/php.ini:

   upload_max_filesize=128M 
   post_max_size=128M 
   memory_limit=256M

And restart Apache:

  apachectl restart

Then go to the website and fill in the above details (e.g. wordpress_db, wp_user and password PPPPP).

Backups

Backups have been set up as a variation on Server backups / Duplicity. The main change is that only wordpress and its database are backed up.

The GPG key was set up with the commands:

    mkdir /etc/duplicity
    cd /etc/duplicity
    export GNUPGHOME=`pwd`
    gpg --generate-key

The passphrase is shown as ZZZZ below. An easy way to generate a strong passphrase is with:

    openssl rand -base64 32

Obtain key ID (YYYY in below):

    gpg --list-secret-keys

The trustee decryption key was taken from the Server backups / Duplicity process, and its key ID was also obtained (XXXX below):

    gpg --import public-key.###
    gpg --list-keys

Then edit the trust in this key to `ultimate':

    gpg --edit-key XXXX
    # at the gpg> prompt: trust, option 5, yes, save

The standard run.sh script was adapted as shown below. Note the different MySQL location (a change in Ubuntu). The script contains the GPG passphrase, so keep it readable by root only.

 #!/bin/sh
 set -e
 umask 077
 
 DIR=/etc/duplicity
 LOG=/var/log/last-duplcity-backup.new
 W=incremental
 if [ $# != 0 ]; then
     W=$1
     shift
 fi
 T=
 if [ "$W" = full ] || [ "$W" = incremental ]; then
     T=/
     # Dump all databases so the backup contains a consistent snapshot.
     mysqldump --all-databases --single-transaction --quick --lock-tables=false |
         gzip -9 > /var/lib/mysql/mysql-dump.gz
 fi
 
 # Verbose level 2 is errors and warnings; this way we skip
 # notices and quell all output if the backup is a success.
 #
 VERBOSE=${VERBOSE:-2}
 
 # Write the output to the log first and keep duplicity's own exit status;
 # piping straight into grep would report the status of the last grep instead.
 # duplicity applies the first matching selection rule, so the cache exclude
 # has to come before --include /etc. $T is unquoted on purpose: it is empty
 # for the clean-up commands.
 RC=0
 PASSPHRASE="ZZZZ" LANG=en_US.UTF8 LC_CTYPE=C HOME=$DIR GNUPGHOME=$DIR \
     PYTHONWARNINGS="ignore::DeprecationWarning" \
     python3 -W ignore::DeprecationWarning /usr/bin/duplicity "$W" "$@" \
         -v "$VERBOSE" \
         --hidden-encrypt-key XXXX \
         --sign-key           YYYY \
         --ssh-options="-i $DIR/backup.sftp -oUserKnownHostsFile=$DIR/knownhosts" \
         --no-print-statistics \
         --exclude /etc/duplicity/.cache \
         --include /var/www \
         --include /etc \
         --include /var/lib/mysql/mysql-dump.gz \
         --exclude '**' \
         $T \
         sftp://xxxx@xxxx.com/backups > "$LOG" 2>&1 || RC=$?
 
 # Print (and so let cron mail) only what is left after filtering known noise.
 grep -v DeprecationWarning "$LOG" | grep -v algorithm=hashes.SHA1 || true
 
 mv "$LOG" /var/log/duplicity.log
 mv /var/log/duplicity.log.gz /var/log/duplicity.prevlog.gz || true
 gzip /var/log/duplicity.log || true
 exit $RC

And the cron jobs were installed:

   MAILTO=noc@makerspaceleiden.nl
   # monthly full, incrementals during the week.
   #
   3 3  1    * *	root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh full
   3 3  2-31 * *	root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh incremental
   # Half year retention for full; 1 month for the incrementals
   #
   1 1  * * 1	 root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-but-n-full 6
   1 2  * * 1	 root test -x  /etc/duplicity/run.sh && /etc/duplicity/run.sh remove-all-inc-of-but-n-full 1