Install WordPress On CentOS 7
LPIC-2 [ Yaser Rahmati | یاسر رحمتی ]
1. Server Preparation
Step 1: Update
Update the repository and all packages to their latest versions with the yum command. The system should give you a listing of the packages to be downloaded, as well as the disk space required.
The system will prompt you to confirm this is OK – press y, and the system will continue with the download and installation.
Step 2: Reset the root password
The system should prompt you to enter and confirm a new password.
Step 3: Apache installation
The system should download and install the Apache software packages.
Step 4: Apache configuration
Check the service status. It should report active (running).
If the Apache service is not running, start it manually.
Enable the httpd service on system boot.
Step 5: Firewall Configuration to open port 80
Check all the allowed services.
Add the HTTP service or port 80.
Restart firewalld.
Check the firewalld services again; you should see the http service allowed.
Step 6: nmap (optional)
Install nmap.
Check the open ports on the server.
Step 7: net-tools (optional)
Execute the following command in order to install ifconfig on CentOS 7:
Step 8: PHP
Install yum-utils and enable the EPEL repository.
Download and install remirepo using the yum command.
Based on your requirement, configure the PHP 7.x repository.
To configure the PHP 7.1 repository, use the command below:
To configure the PHP 7.2 repository, use the command below:
To configure the PHP 7.3 repository, use the command below:
To configure the PHP 7.4 repository, use the command below:
Install PHP 7.4 along with its dependencies.
Verify the PHP version.
Step 9: vim (optional)
Run the following command to install vim on CentOS.
Step 10: PHP timezone
Modify the PHP time zone by editing the php.ini file.
date.timezone = Asia/Tehran
Step 11: MariaDB
First: To see what your hostname currently is, issue the hostnamectl status command.
Second: Setting up MariaDB Repositories
Copy and paste it into a file under /etc/yum.repos.d/MariaDB.repo.
Third: Install MariaDB
Fourth: Start the MariaDB service
Fifth: Enable MariaDB on system boot.
Sixth: Checking the Status of the MariaDB Server Process.
Seventh: Secure MariaDB
Eighth: Creating a WordPress Database
Step 12: wget, unzip
Install wget and unzip, which are needed later in the installation:
2. Install WordPress
Step 13: WordPress
First: Download WordPress
URL 1 (en version) : https://wordpress.org/download/
URL 2 (fa version) : http://wp-persian.com/download/
Second: Download WordPress in server
Third: Let’s unzip that tar file.
Fourth: rsync will safely copy all of the contents from the directory you unpacked to the document root at /var/www/html/.
Fifth: Create the upload directory manually.
Sixth: Now we need to assign the correct ownership and permissions to our WordPress files and folders. This will increase security while still allowing WordPress to function as intended. To do this, we’ll use chown to grant ownership to Apache’s user and group:
Seventh: Configure WordPress
Enter the WordPress directory.
Rename wp-config-sample.php to wp-config.php.
Open the WordPress configuration file and change the database values.
Eighth: Through wp-admin and verification
In your web browser, navigate to your server’s domain name or public IP address:
Step 14: Fix the upload_max_filesize Error in WordPress
Most hosting providers set limits to the PHP memory designated for running applications and scripts. “The uploaded file exceeds the upload_max_filesize directive in php.ini” is an error that occurs on your WordPress site when you upload a file that exceeds the limitations set by your web server.
Navigate to your php.ini file and edit it.
Locate the upload_max_filesize and increase it by changing its number. You can also boost a few other limitations, as shown below:
3. WordPress Hardening
Step 15: How to configure automatic updates
WordPress is open-source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.
If you’d rather not do it manually, you can configure automatic updates. To auto-upgrade WordPress core, insert this code into your wp-config.php file:
For plugins, use:
For themes, use:
Step 16: Backup Your WordPress Site with UpdraftPlus
As a website owner, these are some common scenarios when you may lose your data:
Your website can get hacked and hackers may destroy your data.
Your hosting provider can lose your data.
Your host reserves the right to terminate your account and delete all your data.
The first thing you need to do is install and activate the UpdraftPlus plugin.
First, you need to choose a backup schedule for your files. Files include your WordPress themes, plugins, images, and other uploads.
It is a bad idea to save your backups in the same location as your website. Losing your website means you will also lose access to your backup files. UpdraftPlus allows you to save your backups to several cloud storage services including Dropbox, Google Drive, Microsoft OneDrive, and many others. You can also send your backups to an email address.
Step 17: Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to log in with different combinations.
First, you need to install and activate the Login LockDown plugin. Upon activation, visit the Settings » Login LockDown page to set up the plugin.
Step 18: Change or omit the “admin” username
By default, WordPress gives the primary domain account the username “admin”. Leaving the username as “admin” is an instant security threat to your site. If an attacker wants to crack the code, half of the puzzle is already solved and all that’s left to guess is your password. Removing or changing the “admin” username is the next step to improving site security. To do this, simply go to the “users” section of the WordPress admin panel and rename or delete the “admin” account or username.
Step 19: Hide Your WordPress Version
If you defer WordPress updates, you should consider hiding your WordPress version, because it leaves footprints that give an attacker useful information about your site.
There are three areas where your WordPress version number appears and will be hidden:
1. The generator meta tag in the header:
2. Query strings on scripts and styles:
3. Generator tag in RSS feeds:
To get rid of your WordPress version number in all three areas, add this code to your functions.php file:
In addition, you should also make sure your readme.html file is removed from your install, as this exposes your version number.
Step 20: Hide PHP Errors
PHP has built-in debugging capabilities and you can display the error messages generated by PHP on the front-end of your site by adding define( 'WP_DEBUG', true); to your site’s wp-config.php file. It’s a really useful tool for theme and plugin developers. However, you should never display PHP errors on a public-facing site.
In some cases, displaying PHP errors can provide information that a sophisticated hacker can use to compromise your site. The simple solution is to set WP_DEBUG to false.
Step 21: Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk, which is why we recommend turning it off.
You can easily do this by adding the following code to your wp-config.php file.
Step 22: Change WordPress Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.
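One way to verify the wp-config.php settings from Steps 15, 20, 21 and 22 after editing the file, as an added example that is not part of the original guide. It assumes the standard WordPress names WP_DEBUG, DISALLOW_FILE_EDIT, WP_AUTO_UPDATE_CORE and $table_prefix; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit wp-config.php hardening.

# Print the value of the last active define('NAME', value) line, lowercased.
wp_define() {  # usage: wp_define FILE NAME
  sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*([^)]*[^) ])[[:space:]]*\).*/\1/p" "$1" |
    tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the value assigned to $table_prefix.
wp_table_prefix() {  # usage: wp_table_prefix FILE
  sed -nE "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | tail -n 1
}

# Print one PASS/FAIL line per check. Commented-out lines count as absent.
audit_wp_config() {  # usage: audit_wp_config FILE
  case "$(wp_define "$1" WP_DEBUG)" in
    true|1) echo "FAIL WP_DEBUG is on: PHP errors may be shown to visitors" ;;
    *)      echo "PASS WP_DEBUG is off" ;;
  esac
  case "$(wp_define "$1" DISALLOW_FILE_EDIT)" in
    true|1) echo "PASS built-in file editor is disabled" ;;
    *)      echo "FAIL DISALLOW_FILE_EDIT is not set to true" ;;
  esac
  case "$(wp_define "$1" WP_AUTO_UPDATE_CORE)" in
    false|0) echo "FAIL core auto-updates are switched off" ;;
    *)       echo "PASS core auto-updates are not disabled" ;;
  esac
  case "$(wp_table_prefix "$1")" in
    ''|wp_) echo "FAIL table prefix is missing or the default wp_" ;;
    *)      echo "PASS table prefix is customised" ;;
  esac
}

# Constructed sample file, for demonstration only.
write_sample_config() {  # usage: write_sample_config FILE
  cat > "$1" <<'EOF'
<?php
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_AUTO_UPDATE_CORE', true );
$table_prefix = 'wp_';
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_wp_config "$sample"
rm -f "$sample"
```

On a real server, point audit_wp_config at /var/www/html/wp-config.php; the constructed sample reports three FAIL lines.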
4. Apache web server Hardening
Step 23: Hide Apache Version and Operating System
To hide those details, add the two lines to the Apache config file /etc/httpd/conf/httpd.conf.
Then reload Apache:
Step 24: Secure Apache using the mod_security and mod_evasive modules
1. Mod_security:
Acts as a firewall for web servers and applications, providing protection against brute force attacks. It just needs to be installed; then restart the apache service and it starts to work its magic.
2. Mod_evasive:
Detects and provides protection against DDoS and HTTP brute force attacks. It detects attacks whenever: many requests are directed to a page several times per second; a temporarily blacklisted IP still tries to make new requests; a child process attempts to make more than 50 concurrent requests. It just needs to be installed; then restart the apache service and it starts to work its magic.
Step 25: Disable Trace HTTP Request
By default, the TRACE HTTP request method is enabled, allowing for Cross-Site Tracing. This enables a hacker to easily steal cookie information. Disabling the TRACE HTTP request makes mod_proxy and the core server return a “405 – Method Not Allowed” error message to clients. The TRACE request is disabled by adding the line below to the config file.
Step 26: Disable Directory Browsing
In order to do so, you first need to open it with the command:
Then find the line:
Change that line to:
Lastly, save and exit the file, and restart Apache server with this command:
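A check for the Apache settings from Steps 23, 25 and 26, as an added example that is not part of the original guide. It assumes the two lines of Step 23 are the standard ServerTokens and ServerSignature directives and that Step 25 uses TraceEnable; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit one Apache config file.
# It reads a single file and does not follow Include directives.

# Print the lowercased argument of the last active occurrence of DIRECTIVE.
httpd_directive() {  # usage: httpd_directive FILE DIRECTIVE
  awk -v d="$2" 'BEGIN { d = tolower(d) }
    tolower($1) == d { $1 = ""; sub(/^ +/, ""); v = tolower($0) }
    END { print v }' "$1"
}

# Exit 0 if any active Options line enables Indexes ("-Indexes" does not count).
has_indexes() {  # usage: has_indexes FILE
  awk 'tolower($1) == "options" {
         for (i = 2; i <= NF; i++) if (tolower($i) ~ /^\+?indexes$/) found = 1
       }
       END { exit !found }' "$1"
}

# Print one PASS/FAIL line per check.
audit_httpd_conf() {  # usage: audit_httpd_conf FILE
  case "$(httpd_directive "$1" ServerTokens)" in
    prod) echo "PASS ServerTokens Prod hides version and OS" ;;
    *)    echo "FAIL ServerTokens is not Prod (Apache default is Full)" ;;
  esac
  case "$(httpd_directive "$1" ServerSignature)" in
    on|email) echo "FAIL ServerSignature adds a footer to error pages" ;;
    *)        echo "PASS ServerSignature is off" ;;
  esac
  case "$(httpd_directive "$1" TraceEnable)" in
    off) echo "PASS TRACE is disabled" ;;
    *)   echo "FAIL TraceEnable is not off (Apache default is on)" ;;
  esac
  if has_indexes "$1"; then echo "FAIL directory listing (Indexes) is enabled"
  else echo "PASS Indexes is not enabled"; fi
}

# Constructed sample configuration, for demonstration only.
write_sample_httpd_conf() {  # usage: write_sample_httpd_conf FILE
  cat > "$1" <<'EOF'
ServerTokens OS
#TraceEnable off
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
}

sample=$(mktemp)
write_sample_httpd_conf "$sample"
audit_httpd_conf "$sample"
rm -f "$sample"
```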
Website : www.yaser-rahmati.ir
Instagram : https://www.instagram.com/yaser.rahmati/
Linkedin : https://www.linkedin.com/in/yaserrahmati/