How to setup WordPress on Linux with Apache + Lets Encrypt Certs on Azure/AWS/GCP
To setup or install WordPress on any of the cloud platforms, the best way is to deploy using our image in any of the cloud marketplaces. It comes preinstalled on Ubuntu, running Apache web server, PHP, ProFTPd server, making it easy to upload files to your server. Webmin control panel, an easy to use GUI to manage your server via a GUI. Let’s Encrypt certificates, Create free SSL certificates for your websites. MariaDB server, create as many databases as you need and optimised for speed and performance.
Setup WordPress on Azure VM
Deploy WordPress on Ubuntu 20.04 LTS on Azure
Deploy WordPress on Ubuntu 18.04 LTS on Azure
Setup WordPress on AWS EC2
Deploy WordPress on Ubuntu 20.04 LTS on AWS
Deploy WordPress on Ubuntu 18.04 LTS on AWS
Setup WordPress on GCP VM
Deploy WordPress on Ubuntu 20.04 LTS on GCP
Deploy WordPress on Ubuntu 18.04 LTS on GCP
Getting Started
Once your WordPress server has been deployed, the following links explain how to connect to a Linux VM:
- How to connect to a Linux VM on Azure
- How to connect to a Linux VM on AWS
- How to connect to a Linux VM on GCP
Once connected and logged in, the following section explains how to start using WordPress.
Configure MySQL
Once logged in via your SSH terminal, the first step is to get the MySQL configuration ready.
Run the following command in order to start the MySQL configuration:
sudo mysql_secure_installation
Leave the first response blank and press enter. You should reply with y (yes) to the rest of the prompts, and configure a root password when prompted to do so. This setup only takes a moment to complete.
Create MySQL database for WordPress
The next steps is to create a MySQL database and user that will store your WordPress installation.
Note: If you receive an error message when copying and pasting the commands below, it will be to do with the quotations ‘ ‘ not being recognised, because the format changes when coping from our webpage into your terminal, so you may have to manually retype the quotes ‘ ‘
Step 1 – Open up MySQL with the root user:
sudo mysql
Step 2 – Create a new database for WordPress
CREATE DATABASE wordpress_db;
Step 3 – Create MySQL User for WordPress database. Replace the my_password text below with a secure password of your choice.
CREATE USER ‘wordpress_user’@’localhost’ IDENTIFIED BY ‘my_password‘;
Step 4 – Give the WordPress user full permissions on the WordPress database
GRANT ALL PRIVILEGES ON wordpress_db.* to wordpress_user@’localhost’;
Step 5 – Save changes you’ve made and exit the MariaDB
FLUSH PRIVILEGES;
exit
Configure Apache Web Server
Apache has been installed and its what will be hosting your websites. Edit the following Apache config file and enter details about the website you would like to host:
Step 1 – Update WordPress.conf with domain name
sudo nano /etc/apache2/sites-available/wordpress.conf
Within this file, update the following fields with your domain name (replace yoursite.com with your domain name). If you don’t have a domain name, put servers ip address instead:
ServerName yoursite.com
ServerAlias www.yoursite.com
As you can also see from the conf file (DocumentRoot), the default WordPress installation on the server is (/var/www/wordpress). This is where your WordPress files are located on the server.
Once changes have been made press Ctrl+O to save changes and then Ctrl + X to exit
Step 2 – Enable site in Apache
Now we enable the website in Apache and disable the default site
sudo a2ensite wordpress.conf
sudo a2dissite 000-default.conf
Step 3 – Restart Apache Services
Next we reload Apache for the new changes to take effect
sudo systemctl reload apache2
Step 4 – Give Apache user ownership of WordPress directory
sudo chown -R www-data.www-data /var/www/wordpress
WordPress Installation / Configuration
You are now ready to start the WordPress installation. There are 2 ways to do this.
Using the sites IP address, or using the sites domain name.
In order to use the sites domain name, you will need to update your domain servers A record to point to your servers public IP address. Go to your domain registrar and they will have instructions on how to do this. It normally takes DNS propagation to update on the internet within 24 hours.
Here is an example of how the record looks from a domain registrar:
In my example we will continue the installation using the sites public IP address. You can also use the sites private IP address, if this site is only to be used internally. BUT to use the sites IP address to complete the installation, make sure in the WordPress.conf under ServerName / ServerAlias has the servers public IP, as shown in my wordpress.conf. You can then update it later once your domains DNS has fully propagated
Browse to your servers PublicIP or domain name and you will see the WordPress installation screen. Add the WordPress database and user we created earlier and press submit and follow the onscreen instructions on setting up and creating an admin user etc.
That’s it, your WordPress site installation is now complete. If you need to manually upload files to your server (e.g WordPress themes, plugins etc), scroll down to our – Setting up FTP Users section below, which explains how to do this. Follow the next step on how to setup SSL certificates for your website.
Setup Let’s Encrypt Certificate for WordPress Website
Let’s Encrypt provides many ways to challenge you to validate that you own the domain you want to provide SSL certificates for. You will not be able to generate certificates if you can’t prove that you own the domain you want to secure.
First make sure that your domain name is pointing to your servers public IP address. Go to your domain registrar and update the domains A record to point to your servers public IP address. Your domain registrar will have documentation on how to do this. Once DNS has been updated and propagated and you can access your site via its domain name, you can now install a SSL certificate.
Run the following command to start the certificate creation process:
sudo certbot --apacheIn the first step, you need to type a valid email address. The email address is required for notifications and security notices regarding your website’s certificate.
Output: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): you@domain.com
The next step is to confirm that you agree to the Let’s Encrypt terms of service. If you want to confirm, just type A and then press [ENTER]:
Output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A
If you want to share the provided email address with the EFF (Electronic Frontier Foundation) to receive news and other information, you can type Y. If you do not want to receive this type of email, you can type N and submit your answer by typing [ENTER].
Output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N
Now you need to select the domain you would like to activate HTTPS for. The domains and subdomains listed on your command prompt are automatically obtained from your Apache virtual host configuration. Type the numbers separated by commas and/or spaces, or if you’d like to enable HTTPS for all of the domains or subdomains, you can leave the prompt blank. Either way, you then press [ENTER] to proceed to the next step.
Output: Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: domain.com 2: www.domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):
The output will be similar to this:
Output: Obtaining a new certificate Performing the following challenges: http-01 challenge for domain.com http-01 challenge for www.domain.com Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/domain.com-le-ssl.conf Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.com-le-ssl.conf Enabling available site: /etc/apache2/sites-available/domain.com-le-ssl.conf
Certbot provides HTTPS redirection as an option that you can enable. In this step, the script will prompt you to select if you want the entire HTTP traffic to be redirected to HTTPS or to keep the current configuration. Select 1 if you do not want redirection or 2 to enable redirection, then press [ENTER].
Output: Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Your SSL certificate is now installed and loaded in the Apache configuration. You will see output similar to the following:
Output: Redirecting vhost in /etc/apache2/sites-enabled/domain.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://domain.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=domain.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/domain.com/privkey.pem Your cert will expire on 2021-09-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
SSL certificates provided by Let’s Encrypt are valid only for 90 days. The Certbot we have installed will set a cronjob that will take care of renewing any SSL certificate that is within thirty days of expiration. To check the status of this service, you can execute the command:
sudo systemctl status certbot.timerOutput: ● certbot.timer - Run certbot twice daily Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled) Active: active (waiting) since Thu 2021-06-11 11:33:00 UTC; 1h 37min ago Trigger: Thu 2021-06-11 15:52:01 UTC; 2h 41min left Triggers: ● certbot.service
or you can list all of the timers with:
sudo systemctl list-timersYou can test automatic renewal for your certificates by executing this command:
sudo certbot renew --dry-runand the command to renew the SSL certificate can be found in one of the following locations:
/etc/crontab/
/etc/cron.*/*Congratulations! You have successfully installed a free Let’s Encrypt SSL certificate for your domain.
Use Webmin to manage server
Webmin is a great GUI to manage your server. It comes pre installed and allows you to manage your server via a web portal.
Browse to the following and login with your servers root user and password:
http://PublicIP:10000
Or
http://PrivateIP:10000
Setting up FTP Users with ProFTPd
If you need to upload files to your WordPress directory, you can use the servers installed Pro FPTd module.
Apache keeps the sites websites files in the following directory /var/www
You can manage ProFTPd from within Webmin. Login to Webmin via the servers IP (http://publicIP:10000) with the servers root user/password.
Once logged in, press ‘Refresh Modules‘ at the bottom of the menu
Under Servers you should see ProFTPd Server once you refresh modules
Step 1 – Set FTP Directory
The first step is to set the FTP directory to (var/www/wordpress) for your first website. Click on ‘Files and Directories‘ and add the WordPress directory as below and then save changes
Step 2 – Create FTP Users
Next is to create a user. By default the root user is disabled from using FTP.
To create a user you can use
Webmin by clicking on ‘System / Users and Groups / Create a new user‘
Next we need to give this user permission to write to the WordPress directory (/var/www/wordpress)
From your SSH terminal run the following command
sudo chown -R username /var/www/wordpress
You should now be able to use an FTP client and connect to your server and see the WordPress directory:
Note: If you receive an error when trying to connect or upload it might be because of any firewalls you have in place. Refer to the section below on Firewall rules.
WordPress Firewall Rules
This solution requires the following firewall rules:
- TCP 80 – HTTP
- TCP 443 – HTTPS
- TCP 10000 – Webmin
- TCP 21 – FTP
- TCP 49152-65534 – Passive FTP Range
By default these rules are enabled if you deploy with the security group provided, except Azure for the Passive FTP Range. The links below explain how to modify / create firewall rules depending on which cloud platform you are using.
To setup AWS firewall rules refer to – AWS Security Groups
To setup Azure firewall rules refer to – Azure Network Security Groups
To setup Google GCP firewall rules refer to – Creating GCP Firewalls
For Azure customers, you will have to manually add the Passive FTP Range if you are using Azure Security Groups- Click on your ‘Networking / Add inbound port rule‘ under your VM properties as shown below. You will need to reboot your VM once the changes have been applied.. AWS/GCP customers should be ok. If not check your firewall rules also.
Add More Websites to Apache
If you are planning of hosting more websites on this Apache server, it’s best practice to configure a new Apache site file for your other WordPress sites. This will allow you more flexibility in the future if you want to host multiple websites or make changes to where the WordPress directory is installed, etc.
Copy the default Apache configuration into a new file with the following command:
sudo cp /etc/apache2/sites-available/wordpress.conf /etc/apache2/sites-available/wordpress2.conf
Then edit the file in the same we did in the previous section above (Configure Apache Web Server)
Make sure to update a new installation path for WordPress for this new site. The first site installation is (/var/www/wordpress), so for example, for your 2nd website change to (/var/www/wordpress2)
Within the wordpress2.conf update all references to the installation path.
Download WordPress for newly created website. Now you will need to download WordPress and install into your new installation path (/var/www/wordpress2)
Run the following commands:
Download the latest version of WordPress
sudo wget -O /tmp/wordpress.tar.gz https://wordpress.org/latest.tar.gz
Create new site directory
sudo mkdir /var/www/wordpress2
Extract the tar archive into your WordPress site directory
sudo tar -xzvf /tmp/wordpress.tar.gz -C /var/www/wordpress2
Copy WordPress files to the root of your site directory
sudo cp -RT /var/www/wordpress2/wordpress/ /var/www/wordpress2
Give the Apache user ownership of the site directory:
sudo chown -R www-data.www-data /var/www/wordpress2
Then you will want to create a new MySQL database and user for your WordPress installation. Refer to the previous section above on instructions on this step (Create MySQL Database for WordPress). Once database is created, you are ready to start the WordPress configuration by browsing to your domain name (you may need to wait for DNS propagation to complete if your WordPress install screen isn’t showing up yet).
Support / Documentation
If you have any issues with the installation of this WordPress solution, please contact us and we will assist as much as we can
For further documentation on using the installed features, refer to the following:
Apache Documentation:
https://ubuntu.com/server/docs/web-servers-apache
ProFTPd Server Documentation
https://doxfer.webmin.com/Webmin/ProFTPD_Server
Webmin Documentation
https://www.webmin.com/docs.html
Let’s Encrypt Documentation
Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. No warrantee of any kind, express or implied, is included with this software. Use at your risk, responsibility for damages (if any) to anyone resulting from the use of this software rest entirely with the user. The author is not responsible for any damage that its use could cause.
