Install WordPress On CentOS 7

LPIC-2 [ Yaser Rahmati | یاسر رحمتی ]

1. Server Preparation

Step 1: Update

sudo yum update
  • Update the repository metadata and all packages to their latest versions with the yum command.

  • The system should give you a listing of the packages to be downloaded, as well as the disk space required.

  • The system will prompt you to confirm this is OK – press y, and the system will continue with the download and installation.

Step 2: Reset the root password

passwd
  • The system should prompt you to enter and confirm a new password.

Step 3: Apache installation

yum -y install httpd
  • The system should download and install the Apache software packages.

Step 4: Apache configuration

  • Check the service status; it should report active (running).

systemctl status httpd.service
  • If Apache service is not running, start it manually.

systemctl start httpd.service
  • Enable httpd service on system boot.

systemctl enable httpd

Step 5: Firewall Configuration to open port 80

  • Check all the allowed services.

sudo firewall-cmd --list-all
  • Add HTTP service or port 80.

sudo firewall-cmd --add-service=http --permanent
  • Restart firewalld

sudo firewall-cmd --reload
  • Check the firewalld services again; you should now see the http service allowed.

sudo firewall-cmd --list-all

Step 6: nmap (optional)

  • Install nmap

sudo yum install nmap
  • Check which ports are open on the server.

nmap -sT 127.0.0.1

Step 7: net-tools (optional)

  • Execute the following command in order to install ifconfig on CentOS 7:

yum install net-tools

Step 8: PHP

  • Install yum-utils and enable EPEL repository.

yum install epel-release yum-utils -y
  • Download and install the Remi repository package with yum.

yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Based on your requirement, enable one of the PHP 7.x repositories (enable only the one you need; the rest of this guide installs PHP 7.4).

  • To enable the PHP 7.1 repository, use the command below:

yum-config-manager --enable remi-php71
  • To enable the PHP 7.2 repository, use the command below:

yum-config-manager --enable remi-php72
  • To enable the PHP 7.3 repository, use the command below:

yum-config-manager --enable remi-php73
  • To enable the PHP 7.4 repository, use the command below:

yum-config-manager --enable remi-php74
  • Install PHP 7.4 along with dependencies.

yum install php php-common php-opcache php-mcrypt php-cli php-gd php-curl php-mysql -y
  • Verify the PHP version.

[root@rahmati ~]# php -v
PHP 7.4.4 (cli) (built: Mar 17 2020 10:40:21) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.4, Copyright (c), by Zend Technologies
[root@rahmati ~]#

Step 9: vim (optional)

  • Run the following command to install vim on CentOS.

yum install vim

Step 10: PHP timezone

  • Set the PHP time zone by editing the php.ini file and setting the date.timezone directive (Asia/Tehran in this example).

vim /etc/php.ini

date.timezone = Asia/Tehran

Step 11: MariaDB

  • First: To see what your hostname currently is, run the hostnamectl command (equivalent to hostnamectl status).

[root@ip208 ~]# hostnamectl
   Static hostname: ip208.ip-79-137-121.eu
         Icon name: computer
           Chassis: n/a
        Machine ID: 5aea01f793c74dc9b7f628e85ce895f7
           Boot ID: bb55cfb94f21496a9b913358a31171e2
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-229.el7.x86_64
      Architecture: x86_64
  • Second: Set up the MariaDB repository.

  • Copy and paste the following into the file /etc/yum.repos.d/MariaDB.repo .

vim /etc/yum.repos.d/MariaDB.repo
# MariaDB 10.4 CentOS repository list - created 2020-08-25 19:38 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
  • Third: Install MariaDB

sudo yum install MariaDB-server MariaDB-client
  • Fourth: Start the MariaDB service.

systemctl start mariadb
  • Fifth: Enable MariaDB on system boot.

systemctl enable mariadb
  • Sixth: Checking the Status of the MariaDB Server Process.

systemctl status mariadb
  • Seventh: Secure MariaDB

[root@ip208 ~]# sudo mysql_secure_installation

[...]

Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] n
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

[...]
  • Eighth: Creating a WordPress Database

# mysql -u root -p

mysql> CREATE DATABASE wordpress CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
mysql> CREATE USER wpuser@localhost IDENTIFIED BY "your_password";
mysql> GRANT ALL ON wordpress.* TO wpuser@localhost;
mysql> FLUSH PRIVILEGES;
mysql> exit

Step 12: wget, unzip

  • Install wget and unzip, which are needed for the steps that follow:

yum install wget unzip

2. Install WordPress

Step 13: WordPress

  • First: change to your home directory.

cd ~
  • Second: download the WordPress 5.3 archive (the fa_IR localized build).

wget http://fa.wordpress.org/wordpress-5.3-fa_IR.tar.gz
  • Third: extract the tar archive.

tar -xzvf wordpress-5.3-fa_IR.tar.gz
  • Fourth: rsync safely copies all of the contents of the unpacked directory to the document root at /var/www/html/ .

sudo rsync -avP ~/wordpress/ /var/www/html/
  • Fifth: Create the upload directory manually.

mkdir /var/www/html/wp-content/uploads
  • Sixth: Now we need to assign the correct ownership and permissions to our WordPress files and folders. This will increase security while still allowing WordPress to function as intended. To do this, we’ll use chown to grant ownership to Apache’s user and group:

sudo chown -R apache:apache /var/www/html
chcon -R --reference /var/www/ /var/www/html
  • Seventh: Configure WordPress

Enter the WordPress directory.

cd /var/www/html

Rename wp-config-sample.php into wp-config.php .

mv wp-config-sample.php wp-config.php

Open the WordPress configuration file and change the database values.

# vim wp-config.php



[...]

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wpuser');

/** MySQL database password */
define('DB_PASSWORD', 'your_password');

[...] 
  • Eighth: Complete the installation through wp-admin and verify that the site works.

In your web browser, navigate to your server’s domain name or public IP address:

http://server_domain_name_or_IP/wp-admin

Step 14: Fix the upload_max_filesize Error in WordPress

Most hosting providers set limits on the PHP memory designated for running applications and scripts. "The uploaded file exceeds the upload_max_filesize directive in php.ini" is an error that occurs on your WordPress site when you upload a file larger than the limit set by your web server.

  • Navigate to your php.ini file and edit it.

vim /etc/php.ini
  • Locate upload_max_filesize and raise its value. You can also raise a few related limits, as shown below:

[...]

upload_max_filesize = 256M
post_max_size = 256M
memory_limit = 512M
max_execution_time = 180

[...]
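As an added check (not part of the original tutorial), the Python below parses a php.ini excerpt and verifies that the three limits from Step 14 are ordered consistently: PHP caps uploads at min(upload_max_filesize, post_max_size), and memory_limit must be at least post_max_size, so raising only upload_max_filesize changes nothing. The ini text is a constructed sample.

```python
import re

# php.ini shorthand size suffixes (K, M, G) as PHP interprets them.
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def php_ini_bytes(value):
    """Convert a php.ini size such as '256M' to bytes; a negative value (-1) means unlimited."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError("unparseable php.ini size: %r" % value)
    number, unit = int(m.group(1)), m.group(2).lower()
    return -1 if number < 0 else number * _UNITS[unit]

def parse_php_ini(text):
    """Return the active 'key = value' directives of a php.ini file (';' starts a comment)."""
    directives = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            directives[key.strip()] = value.strip().strip('"')
    return directives

def check_upload_limits(ini_text):
    """Report ordering problems between the three limits raised in Step 14.

    PHP reads the whole POST body before it handles the upload, so the effective
    upload cap is min(upload_max_filesize, post_max_size), and memory_limit must
    be at least post_max_size unless it is -1 (unlimited).
    """
    d = parse_php_ini(ini_text)
    upload = php_ini_bytes(d.get("upload_max_filesize", "2M"))  # PHP built-in defaults
    post = php_ini_bytes(d.get("post_max_size", "8M"))
    memory = php_ini_bytes(d.get("memory_limit", "128M"))
    problems = []
    if upload > post:
        problems.append("upload_max_filesize exceeds post_max_size: uploads are capped at post_max_size")
    if memory != -1 and memory < post:
        problems.append("memory_limit is below post_max_size: large POST bodies can exhaust memory")
    return problems

# Constructed sample: the values from Step 14, plus a commented-out leftover line.
GOOD_INI = """
; upload_max_filesize = 2M
upload_max_filesize = 256M
post_max_size = 256M
memory_limit = 512M
"""
```

Run check_upload_limits() against the text of /etc/php.ini after editing; an empty list means the three values are consistent.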

3. WordPress Hardening

Step 15: How to configure automatic updates

  • WordPress is open-source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to initiate the update manually.

  • WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well.

  • If you’d rather not do it manually, you can configure automatic updates. To auto-upgrade WordPress core, insert this code into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );
  • For plugins, use:

add_filter( 'auto_update_plugin', '__return_true' );
  • For themes, use:

add_filter( 'auto_update_theme', '__return_true' );

Step 16: Backup Your WordPress Site with UpdraftPlus

As a website owner, these are some common scenarios when you may lose your data:

  1. Your website can get hacked and hackers may destroy your data.

  2. Your hosting provider can lose your data.

  3. Your host reserves the right to terminate your account and delete all your data.

  • The first thing you need to do is install and activate the UpdraftPlus plugin.

  • First, you need to choose a backup schedule for your files. Files include your WordPress themes, plugins, images, and other uploads.

  • It is a bad idea to save your backups on the same location as your website. Losing your website means you will also lose access to your backup files. UpdraftPlus allows you to save your backups to several cloud storage services including Dropbox, Google Drive, Microsoft OneDrive, and many others. You can also send your backups to an email address.

Step 17: Limit Login Attempts

  • By default, WordPress allows users to attempt to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, in which attackers try to log in with many different password combinations.

  • First, install and activate the Login LockDown plugin. Upon activation, visit the Settings » Login LockDown page to set up the plugin.

Step 18: Change or omit the “admin” username

  • By default, WordPress gives the primary account the username “admin”. Leaving the username as “admin” is an immediate security weakness: an attacker who already knows the username has half of the credential pair and only needs to guess your password.

  • Removing or changing the “admin” username is the next step to improving site security. To do this, simply go to the “users” section of the WordPress admin panel and rename or delete the “admin” account or username.

Step 19: Hide Your WordPress Version

If you defer WordPress updates, you should consider hiding your WordPress version because it leaves footprints, telling the hacker useful information about your site.

WordPress exposes its version number in three places:

1. The generator meta tag in the header:

<meta name="generator" content="WordPress 4.0" />

2. Query strings on scripts and styles:

subscriptions.css?ver=4.0

3. Generator tag in RSS feeds:

http://wordpress.org/?v=4.0

To get rid of your WordPress version number in all three areas, add this code to your functions.php file:

/**
 * Hide the WordPress core version from script and style URLs.
 * Only a ?ver= value equal to the core version is stripped, so plugin and
 * theme asset versions (used for cache busting) are left untouched.
 *
 * @param  string $src Asset URL passed in by the filter.
 * @return string
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    $query_string = parse_url( $src, PHP_URL_QUERY );
    // parse_url() returns null for a URL without a query string; nothing to strip then.
    if ( empty( $query_string ) ) {
        return $src;
    }
    parse_str( $query_string, $query );
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/**
 * Return an empty generator string, which removes the version from the
 * <meta name="generator"> tag and from the generator element in RSS feeds.
 */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );

In addition, you should also make sure your readme.html file is removed from your install, as this exposes your version number.

Step 20: Hide PHP Errors

  • PHP has built-in debugging capabilities and you can display the error messages generated by PHP on the front-end of your site by adding define( 'WP_DEBUG', true); to your site’s wp-config.php file. It’s a really useful tool for theme and plugin developers.

  • However, you should never display PHP errors on a public-facing site. In some cases, displaying PHP errors can provide information that a sophisticated attacker can use to compromise your site. The simple solution is to set WP_DEBUG to false.

Step 21: Disable File Editing

  • WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

  • You can easily do this by adding the following code in your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Step 22: Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.

4. Apache web server Hardening

Step 23: Hide Apache Version and Operating System

To hide those details, add the following two lines to the Apache config file /etc/httpd/conf/httpd.conf .

# Removes version info
ServerSignature Off

# Changes header to production, removing OS detail
ServerTokens Prod

Then reload Apache:

sudo systemctl reload httpd

Step 24: Secure Apache using mod_security and mod_evasive modules

1. Mod_security:

Acts as a web application firewall in front of Apache and the applications behind it, providing protection against brute force attacks. Install it and restart the Apache service; the module is then loaded with the configuration the package ships. (The package provides the engine and a basic configuration; the OWASP Core Rule Set, packaged separately as mod_security_crs, adds the actual attack-detection rules.)

sudo yum install mod_security -y
sudo systemctl restart httpd

2. Mod_evasive:

Detects and provides protection against DDoS and HTTP brute force attacks. It flags an attack whenever the same page is requested several times per second, a temporarily blacklisted IP still tries to make new requests, or a child process attempts more than 50 concurrent requests. Install it and restart the Apache service; it then works with its default thresholds.

sudo yum install mod_evasive -y
sudo systemctl restart httpd

Step 25: Disable Trace HTTP Request

By default, Trace HTTP Request is enabled allowing for Cross-Site Tracing. This enables a hacker to easily steal cookie information. Disabling Trace HTTP Request makes the mod_proxy and core server return “405 – Method Not Allowed” error message to clients. Trace request is disabled by adding the line below in the config file.

# vim /etc/httpd/conf/httpd.conf


[...]
TraceEnable off
[...]

Step 26: Disable Directory Browsing

In order to do so, first open the Apache configuration file with the command:

vim /etc/httpd/conf/httpd.conf

Then find the line:

[...]

Options Indexes FollowSymLinks

[...]

Change that line to:

[...]

Options FollowSymLinks

[...]

Lastly, save and exit the file, and restart Apache server with this command:

sudo service httpd restart
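As an added check (not part of the original tutorial), the Python below inspects one HTTP response the way an auditor would after Steps 19, 23, 25 and 26: it flags a Server header that still carries a version or OS, the generator meta tag, asset URLs whose ?ver= equals the core version, and an Apache directory listing; trace_disabled() encodes the 405 expected once TraceEnable is off. The headers and bodies are constructed samples, not captured from a real server.

```python
import re

def version_leaks(headers, body, wp_version):
    """Return what a single GET response still reveals after Steps 19, 23 and 26.

    headers: dict of response headers; body: the response HTML; wp_version: the
    installed WordPress version, so plugin/theme ?ver= values are not flagged.
    """
    findings = []
    # Step 23: with ServerTokens Prod the header is exactly "Apache"; a slash or a
    # parenthesised OS name means the version/OS details are still being sent.
    server = headers.get("Server", "")
    if "/" in server or "(" in server:
        findings.append("Server header leaks version/OS: " + server)
    # Step 19, area 1: the generator meta tag in the HTML head.
    if re.search(r'<meta\s+name="generator"\s+content="WordPress', body, re.I):
        findings.append("generator meta tag present")
    # Step 19, area 2: ?ver=<wp_version> on script and style URLs.
    for url in re.findall(r'<(?:script|link)[^>]+?(?:src|href)="([^"]+)"', body, re.I):
        if re.search(r"[?&]ver=" + re.escape(wp_version) + r"(?:&|$)", url):
            findings.append("WordPress version in asset URL: " + url)
    # Step 26: Apache's auto-generated directory listing carries this title.
    if re.search(r"<title>Index of /", body, re.I):
        findings.append("directory listing enabled")
    return findings

def trace_disabled(trace_status_code):
    """Step 25: with TraceEnable off, Apache answers a TRACE request with 405."""
    return trace_status_code == 405

# Constructed sample responses (not captured from a real server): before hardening...
BEFORE_HEADERS = {"Server": "Apache/2.4.6 (CentOS) PHP/7.4.4"}
BEFORE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.3" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=5.3" />
<script src="/wp-content/plugins/example/app.js?ver=1.2.0"></script>
</head><body></body></html>"""
# ...and after Steps 19 and 23 were applied.
AFTER_HEADERS = {"Server": "Apache"}
AFTER_BODY = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css" />
<script src="/wp-content/plugins/example/app.js?ver=1.2.0"></script>
</head><body></body></html>"""
```

Feed the function the headers and body of a real GET of your site (and the status code of a TRACE request to trace_disabled()) to confirm the hardening took effect.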


Website : www.yaser-rahmati.ir

Instagram : https://www.instagram.com/yaser.rahmati/

Linkedin : https://www.linkedin.com/in/yaserrahmati/
