How to Set Up WordPress on Linux with Apache + Let’s Encrypt Certs on Azure/AWS/GCP

To set up or install WordPress on any of the cloud platforms, the best way is to deploy using our image in any of the cloud marketplaces. The image comes preinstalled on Ubuntu with the Apache web server and PHP; ProFTPd server, which makes it easy to upload files to your server; the Webmin control panel, an easy-to-use GUI for managing your server; Let’s Encrypt certificates, for creating free SSL certificates for your websites; and MariaDB server, optimised for speed and performance, where you can create as many databases as you need.

Getting Started

 

Once your WordPress server has been deployed, the following links explain how to connect to a Linux VM:

 

 

Once connected and logged in, the following section explains how to start using WordPress. 

Configure MySQL

 

Once logged in via your SSH terminal, the first step is to get the MySQL configuration ready.

 

Run the following command in order to start the MySQL configuration:

 

sudo mysql_secure_installation

 

Leave the first response blank and press enter. You should reply with y (yes) to the rest of the prompts, and configure a root password when prompted to do so. This setup only takes a moment to complete.


 

Create MySQL database for WordPress

 

The next step is to create a MySQL database and user that will store your WordPress installation.

 

Note: If you receive an error message when copying and pasting the commands below, the cause is usually the quotation marks: they can be converted to typographic quotes when copied from our webpage into your terminal, and MySQL does not recognise those. If that happens, retype the quotes manually as plain single quotes (').

 

Step 1 – Open up MySQL with the root user:

 

sudo mysql

 
Step 2 – Create a new database for WordPress

 

CREATE DATABASE wordpress_db;

 
Step 3 – Create MySQL User for WordPress database.  Replace the my_password text below with a secure password of your choice.

 

CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'my_password';

 
Step 4 – Give the WordPress user full permissions on the WordPress database

 

GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wordpress_user'@'localhost';

 
Step 5 – Save the changes you’ve made and exit MariaDB

 

FLUSH PRIVILEGES;

exit
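Steps 1 to 5 as one script, as an added example that is not part of the original tutorial: it generates the password and pipes the statements to mysql itself, so nothing is pasted from a web page and the quote problem noted above cannot occur. The function names gen_password and wp_db_sql are hypothetical; the database and user names are the tutorial's.

```bash
#!/usr/bin/env bash
# Added example: gen_password and wp_db_sql are hypothetical helpers; the
# database and user names are the ones used in this tutorial.

# 24 characters from [A-Za-z0-9], so the password never needs SQL escaping.
gen_password() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 24
}

# Print the statements from Steps 2-5 with plain ASCII quotes.
# Names are limited to [A-Za-z0-9_] because they are placed in the SQL unquoted.
wp_db_sql() {
    db=$1 user=$2 pass=$3
    for name in "$db" "$user"; do
        case "$name" in
            ''|*[!A-Za-z0-9_]*) echo "invalid database or user name" >&2; return 1 ;;
        esac
    done
    case "$pass" in
        ''|*\'*|*\\*) echo "password must not be empty or contain a quote or backslash" >&2; return 1 ;;
    esac
    cat <<EOF
CREATE DATABASE $db;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON $db.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# On the server:
#   pass=$(gen_password)
#   wp_db_sql wordpress_db wordpress_user "$pass" | sudo mysql
#   printf '%s\n' "$pass"   # needed later on the WordPress installation screen
```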


Configure Apache Web Server

 

Apache has been installed, and it’s what will be hosting your websites. Edit the following Apache config file and enter details about the website you would like to host:

 

Step 1 – Update wordpress.conf with your domain name

 

sudo nano /etc/apache2/sites-available/wordpress.conf

 

Within this file, update the following fields with your domain name (replace yoursite.com with your domain name). If you don’t have a domain name, put the server’s IP address instead:

 

ServerName yoursite.com

ServerAlias www.yoursite.com

 

As you can also see from the conf file (DocumentRoot), the default WordPress installation on the server is (/var/www/wordpress). This is where your WordPress files are located on the server.


 

Once the changes have been made, press Ctrl+O to save them and then Ctrl+X to exit.

 
Step 2 – Enable site in Apache

 

Now we enable the website in Apache and disable the default site

 

sudo a2ensite wordpress.conf

sudo a2dissite 000-default.conf

 
Step 3 – Restart Apache Services

 

Next we reload Apache for the new changes to take effect

 

sudo systemctl reload apache2

 

Step 4 – Give Apache user ownership of WordPress directory

 

sudo chown -R www-data:www-data /var/www/wordpress

WordPress Installation / Configuration

 

You are now ready to start the WordPress installation. There are 2 ways to do this.

 

Using the site’s IP address, or using the site’s domain name.

To use the site’s domain name, you will need to update your domain’s A record to point to your server’s public IP address. Your domain registrar will have instructions on how to do this. DNS propagation across the internet normally completes within 24 hours.

 

Here is an example of how the record looks from a domain registrar:

[Screenshot: DNS A record at a domain registrar]

 

In my example we will continue the installation using the site’s public IP address. You can also use the site’s private IP address if the site is only to be used internally. To complete the installation using the IP address, make sure that ServerName / ServerAlias in wordpress.conf are set to the server’s public IP, as shown in my wordpress.conf. You can update them later, once your domain’s DNS has fully propagated.

[Screenshot: wordpress.conf with the server’s public IP]

 

Browse to your server’s public IP or domain name and you will see the WordPress installation screen. Enter the WordPress database and user we created earlier, press submit, and follow the onscreen instructions to finish the setup and create an admin user.


 

That’s it, your WordPress site installation is now complete. If you need to manually upload files to your server (e.g. WordPress themes, plugins, etc.), scroll down to the Setting up FTP Users section below, which explains how to do this. The next section explains how to set up SSL certificates for your website.

Setup Let’s Encrypt Certificate for WordPress Website

 

Let’s Encrypt provides many ways to challenge you to validate that you own the domain you want to provide SSL certificates for. You will not be able to generate certificates if you can’t prove that you own the domain you want to secure.

 

First make sure that your domain name is pointing to your server’s public IP address. Go to your domain registrar and update the domain’s A record to point to your server’s public IP address. Your domain registrar will have documentation on how to do this. Once DNS has been updated and propagated and you can access your site via its domain name, you can install an SSL certificate.

Run the following command to start the certificate creation process:

sudo certbot --apache

In the first step, you need to type a valid email address. The email address is required for notifications and security notices regarding your website’s certificate.

Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): you@domain.com

The next step is to confirm that you agree to the Let’s Encrypt terms of service. If you want to confirm, just type A and then press [ENTER]:

Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

If you want to share the provided email address with the EFF (Electronic Frontier Foundation) to receive news and other information, you can type Y. If you do not want to receive this type of email, you can type N and submit your answer by typing [ENTER].

Output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Now you need to select the domain you would like to activate HTTPS for. The domains and subdomains listed on your command prompt are automatically obtained from your Apache virtual host configuration. Type the numbers separated by commas and/or spaces, or if you’d like to enable HTTPS for all of the domains or subdomains, you can leave the prompt blank. Either way, you then press [ENTER] to proceed to the next step.

Output:
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.com
2: www.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

The output will be similar to this:

Output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/domain.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/domain.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/domain.com-le-ssl.conf

Certbot provides HTTPS redirection as an option that you can enable. In this step, the script will prompt you to choose whether all HTTP traffic should be redirected to HTTPS or the current configuration should be kept. Select 1 if you do not want redirection or 2 to enable redirection, then press [ENTER].

Output:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Your SSL certificate is now installed and loaded in the Apache configuration. You will see output similar to the following:

Output:
Redirecting vhost in /etc/apache2/sites-enabled/domain.com.conf to ssl vhost in /etc/apache2/sites-available/domain.com-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem
Your cert will expire on 2021-09-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

SSL certificates provided by Let’s Encrypt are valid for only 90 days. The Certbot package we have installed sets up a scheduled job that takes care of renewing any SSL certificate that is within thirty days of expiration. To check the status of this service, you can execute the command:

sudo systemctl status certbot.timer
Output:
● certbot.timer - Run certbot twice daily
Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Thu 2021-06-11 11:33:00 UTC; 1h 37min ago
Trigger: Thu 2021-06-11 15:52:01 UTC; 2h 41min left
Triggers: ● certbot.service

or you can list all of the timers with:

sudo systemctl list-timers

You can test automatic renewal for your certificates by executing this command:

sudo certbot renew --dry-run

The command to renew the SSL certificate can be found in one of the following locations:

/etc/crontab
/etc/cron.*/*

Congratulations! You have successfully installed a free Let’s Encrypt SSL certificate for your domain.

Use Webmin to manage server

 

Webmin is a great GUI to manage your server. It comes preinstalled and allows you to manage your server via a web portal.

Browse to the following and log in with your server’s root user and password:

 

http://PublicIP:10000

Or

http://PrivateIP:10000

 


Setting up FTP Users with ProFTPd

 

If you need to upload files to your WordPress directory, you can use the server’s installed ProFTPd module.

Apache keeps each site’s website files in the following directory: /var/www

 

You can manage ProFTPd from within Webmin. Log in to Webmin via the server’s IP (http://publicIP:10000) with the server’s root user/password.

Once logged in, press ‘Refresh Modules’ at the bottom of the menu.

Once the modules have refreshed, you should see ProFTPd Server under Servers.


 

Step 1 – Set FTP Directory

 

The first step is to set the FTP directory to (/var/www/wordpress) for your first website. Click on ‘Files and Directories’, add the WordPress directory as below, and then save the changes.

[Screenshot: ProFTPd WordPress directory setting]

 

Step 2 – Create FTP Users

 

Next, create a user. By default the root user is disabled from using FTP.

To create a user, use Webmin: click on ‘System / Users and Groups / Create a new user’.

 

Next we need to give this user permission to write to the WordPress directory (/var/www/wordpress)

 

From your SSH terminal run the following command

 

sudo chown -R username /var/www/wordpress


 

You should now be able to use an FTP client and connect to your server and see the WordPress directory:

[Screenshot: FTP client showing the WordPress directory]

 

Note: If you receive an error when trying to connect or upload it might be because of any firewalls you have in place. Refer to the section below on Firewall rules.

 

WordPress Firewall Rules

 

This solution requires the following firewall rules:

 

  • TCP 80 – HTTP
  • TCP 443 – HTTPS
  • TCP 10000 – Webmin
  • TCP 21 – FTP
  • TCP 49152-65534 – Passive FTP Range

 

By default these rules are enabled if you deploy with the security group provided, except Azure for the Passive FTP Range.  The links below explain how to modify / create firewall rules depending on which cloud platform you are using.

 

To setup AWS firewall rules refer to – AWS Security Groups

To setup Azure firewall rules refer to – Azure Network Security Groups

To setup Google GCP firewall rules refer to – Creating GCP Firewalls

 

For Azure customers, you will have to manually add the Passive FTP Range if you are using Azure Security Groups: click on ‘Networking / Add inbound port rule’ under your VM properties, as shown below. You will need to reboot your VM once the changes have been applied. AWS/GCP customers should be OK; if not, check your firewall rules as well.

[Screenshot: Azure inbound port rule for the Passive FTP Range]
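A check to run on the server once the rules are in place, as an added example that is not part of the original tutorial: it compares the TCP listeners reported by ss -tlnH with the port list above and flags anything listening on a non-loopback address outside that list. audit_listeners and the sample output are constructed for illustration; port 22 is passed as an extra allowed port on the assumption that you administer the server over SSH.

```bash
#!/usr/bin/env bash
# Added example: audit_listeners is a hypothetical helper, not part of the image.
# It reads `ss -tlnH` output on stdin; extra allowed ports are given as arguments.

audit_listeners() {
    awk -v extra="$*" '
    BEGIN {
        # Ports from the firewall list in this tutorial.
        n = split("80 443 10000 21", need, " ")
        for (i = 1; i <= n; i++) allow[need[i]] = 1
        m = split(extra, e, " ")
        for (i = 1; i <= m; i++) allow[e[i]] = 1
    }
    NF >= 4 {
        addr = $4                                   # Local Address:Port column
        host = addr; sub(/:[0-9]+$/, "", host)
        port = addr; sub(/.*:/, "", port); port += 0
        # Loopback-only listeners are not reachable from the network.
        if (host ~ /^127\./ || host == "[::1]") next
        seen[port] = 1
        # 49152-65534 is the passive FTP range from the list.
        if (!(port in allow) && !(port >= 49152 && port <= 65534))
            print "UNEXPECTED " addr
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(need[i] in seen)) print "MISSING " need[i]
    }'
}

# Constructed sample of `ss -tlnH` output (not captured from a real server).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 0.0.0.0:10000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 5 0.0.0.0:50000 0.0.0.0:*'

# On the server:  sudo ss -tlnH | audit_listeners 22
# On the sample:  printf '%s\n' "$SAMPLE_SS" | audit_listeners 22
```

An UNEXPECTED line means a service is bound to a network-facing address that the port list does not cover (in the sample, MariaDB on 0.0.0.0:3306); a MISSING line means a listed service is not running (in the sample, FTP on port 21).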

Add More Websites to Apache

 

If you are planning to host more websites on this Apache server, it’s best practice to configure a new Apache site file for each of your other WordPress sites. This will allow you more flexibility in the future if you want to host multiple websites or make changes to where the WordPress directory is installed, etc.

 

Copy the default Apache configuration into a new file with the following command:

 

sudo cp /etc/apache2/sites-available/wordpress.conf /etc/apache2/sites-available/wordpress2.conf

 

Then edit the file in the same way we did in the previous section above (Configure Apache Web Server).

 

Make sure to update a new installation path for WordPress for this new site. The first site installation is (/var/www/wordpress), so for example, for your 2nd website change to (/var/www/wordpress2)

 

Within the wordpress2.conf update all references to the installation path.

 

Download WordPress for newly created website.  Now you will need to download WordPress and install into your new installation path (/var/www/wordpress2)

 

Run the following commands:

 

Download the latest version of WordPress

sudo wget -O /tmp/wordpress.tar.gz https://wordpress.org/latest.tar.gz

 

Create new site directory

sudo mkdir /var/www/wordpress2

 

Extract the tar archive into your WordPress site directory

sudo tar -xzvf /tmp/wordpress.tar.gz -C /var/www/wordpress2

 

Copy WordPress files to the root of your site directory

sudo cp -RT /var/www/wordpress2/wordpress/ /var/www/wordpress2

 

Give the Apache user ownership of the site directory:

sudo chown -R www-data:www-data /var/www/wordpress2

 

Then you will want to create a new MySQL database and user for your WordPress installation. Refer to the earlier section (Create MySQL database for WordPress) for instructions on this step. Once the database is created, you are ready to start the WordPress configuration by browsing to your domain name (you may need to wait for DNS propagation to complete if your WordPress install screen isn’t showing up yet).
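The extract and wordpress2.conf steps above as one helper; this is an added example, not part of the original tutorial or the image. stage_site, its arguments and example.org are hypothetical, and it extracts with --strip-components=1 instead of the copy step, so no second wordpress/ copy is left under the document root.

```bash
#!/usr/bin/env bash
# Added example: stage_site is a hypothetical helper; the vhost directives
# and paths are the ones this tutorial edits.

# stage_site TARBALL NAME DOMAIN SRC_CONF DST_CONF [WEBROOT]
stage_site() {
    tarball=$1 name=$2 domain=$3 src_conf=$4 dst_conf=$5 webroot=${6:-/var/www}
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad site name" >&2; return 1 ;;
    esac
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*) echo "bad domain" >&2; return 1 ;;
    esac
    docroot="$webroot/$name"
    # Never overwrite an existing site or vhost file.
    if [ -e "$docroot" ] || [ -e "$dst_conf" ]; then
        echo "refusing to overwrite $docroot or $dst_conf" >&2
        return 1
    fi
    mkdir -p "$docroot" || return 1
    # --strip-components=1 drops the archive's top-level wordpress/ directory,
    # so the files land directly in the document root.
    tar -xzf "$tarball" -C "$docroot" --strip-components=1 || return 1
    # Point the copied vhost at the new path and the new host names.
    sed -e "s#/var/www/wordpress#$docroot#g" \
        -e "s#^\([[:space:]]*ServerName\)[[:space:]].*#\1 $domain#" \
        -e "s#^\([[:space:]]*ServerAlias\)[[:space:]].*#\1 www.$domain#" \
        "$src_conf" > "$dst_conf"
}

# On the server (as root), after downloading /tmp/wordpress.tar.gz:
#   stage_site /tmp/wordpress.tar.gz wordpress2 example.org \
#       /etc/apache2/sites-available/wordpress.conf \
#       /etc/apache2/sites-available/wordpress2.conf
#   chown -R www-data:www-data /var/www/wordpress2
#   a2ensite wordpress2.conf && apache2ctl configtest && systemctl reload apache2
```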

Support / Documentation

 

If you have any issues with the installation of this WordPress solution, please contact us and we will assist as much as we can.

 

For further documentation on using the installed features, refer to the following:

 

Apache Documentation:

https://ubuntu.com/server/docs/web-servers-apache

 

ProFTPd Server Documentation

https://doxfer.webmin.com/Webmin/ProFTPD_Server

http://www.proftpd.org/docs/

 

Webmin Documentation

https://www.webmin.com/docs.html

 

Let’s Encrypt Documentation

https://letsencrypt.org/docs/

 

Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. No warranty of any kind, express or implied, is included with this software. Use at your own risk; responsibility for damages (if any) to anyone resulting from the use of this software rests entirely with the user. The author is not responsible for any damage that its use could cause.

Andrew Fitzgerald

Cloud Solution Architect. Helping customers transform their business to the cloud. 20 years experience working in complex infrastructure environments and a Microsoft Certified Solutions Expert on everything Cloud
