How to Configure Secure Updates and Installations in WordPress


    ## Table of Contents

    - [Introduction](#introduction)
    - [Prerequisites](#prerequisites)
    - [How to Configure Secure Updates and Installations in WordPress](#how-to-configure-secure-updates-and-installations-in-wordpress)
    - [Setup Secure Updates with SSH Keys](#setup-secure-updates-with-ssh-keys)
    - [Create SSH Keys for WordPress User](#create-ssh-keys-for-wordpress-user)
    - [Edit WordPress Configuration to Use SSH Keys](#edit-wordpress-configuration-to-use-ssh-keys)
    - [Restart Apache Web Server and Test Results](#restart-apache-web-server-and-test-results)
    - [Conclusion](#conclusion)

    ## Introduction

    [WordPress](https://wordpress.com/) is a free and open-source Content Management System (CMS). It was designed to manage blogs. It is the most popular website management system, serving more than 60 million websites as of 2018. It allows you to develop a website and manage your content without coding. It can also be used to develop an operational website.

    WordPress is a theme-based platform that provides free and premium themes, which can be integrated easily without any programming or design skills. It has a fantastic feature called plugins, which can be used to add required modules and extend its functionality. It is multilingual and allows you to translate content into your language.

    ## Prerequisites

    You should have access to an Ubuntu 18.04 server and have created a non-root user account with sudo privileges by following our guide, [Initial server setup with Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-do-initial-server-setup-with-ubuntu-18.04).

    You must have installed the LAMP stack. If you don’t have the LAMP stack, follow our guide, How to Install LAMP Stack on Ubuntu 18.04.

    You must have installed WordPress. If you don’t have WordPress, follow our guide, [How to Install WordPress with LAMP on Ubuntu 18.04](https://systemongrid.com/support/guides/how-to-install-wordpress-with-lamp-on-ubuntu-18.04).

    ## How to Configure Secure Updates and Installations in WordPress

    In this guide, we use “wp-user” as the WordPress user and “www-data” as the user and group that the Apache web server runs as. Make sure you replace them with your own WordPress user and web server user.

    ## Setup Secure Updates with SSH Keys

    Create a WordPress user called “wp-user” using the adduser command. This will allow you to have control over the WordPress installation.

    ```
    $ adduser wp-user
    ```

    You will then be asked to enter a new password for your WordPress user. Enter a strong password. All the remaining fields are optional; you can leave them blank by pressing ENTER.

    Use the cd command to change the directory to the WordPress installation directory.

    ```
    $ cd /var/www/html/
    ```

    Grant your WordPress user the ownership for everything within this directory.

    ```
    $ chown -R wp-user:wp-user /var/www/html/
    ```

    In the above command, the -R switch is used to change the ownership of the directory and its content.

    ## Create SSH Keys for WordPress User

    Now, use the below command to switch to your WordPress user.

    ```
    $ su - wp-user
    ```

    Use the ssh-keygen command to create SSH keys. In the below command, -t specifies the type of key to be generated and -b specifies the number of bits.

    ```
    $ ssh-keygen -t rsa -b 4096
    ```

    You will be asked for a location to store the SSH keys. At the prompt `Enter file in which to save the key (/home/wp-user/.ssh/id_rsa):`, enter /home/wp-user/wp_rsa. Press ENTER for all other fields to create a key without a passphrase.

    To make permissions secure, give ownership of the key files to your WordPress user and set their group to your Apache web server's group, so that the web server can read them but other users cannot.

    ```
    $ chown wp-user:www-data /home/wp-user/wp_rsa*
    $ chmod 0640 /home/wp-user/wp_rsa*
    ```

    Create the .ssh directory within your WordPress user’s home directory, and give it the ownership and permissions required for the web process to log in.

    ```
    $ mkdir /home/wp-user/.ssh
    $ chown wp-user:wp-user /home/wp-user/.ssh
    $ chmod 0700 /home/wp-user/.ssh/
    ```

    Copy the public key and paste it in authorized keys file to allow your WordPress user to log in using these credentials.

    ```
    $ cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
    ```

    Modify the ownership and permissions of this file to keep it more secure.

    ```
    $ chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
    $ chmod 0644 /home/wp-user/.ssh/authorized_keys
    ```

    As the keys will only be used for logging in from within your WordPress site, restrict the key usage to the local machine.

    ```
    $ vi /home/wp-user/.ssh/authorized_keys
    ```

    The file will be opened. Add the from option at the very beginning of the key line, before ssh-rsa, to restrict the key usage to the local machine.

    ```
    from="127.0.0.1" ssh-rsa…
    ```

    Then, save and close the file.

    ## Edit WordPress Configuration to Use SSH Keys

    Install all the essential packages for WordPress to authenticate SSH logins.

    ```
    # On Ubuntu 18.04 the PHP SSH2 extension is packaged as php-ssh2
    $ apt-get update
    $ apt-get install php-dev libssh2-1-dev php-ssh2
    ```

    Edit the WordPress configuration file and enter your details.

    ```
    $ vi /var/www/html/wp-config.php
    ```

    ```
    define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');
    define('FTP_PRIKEY','/home/wp-user/wp_rsa');
    define('FTP_USER','wp-user');
    define('FTP_PASS','');
    define('FTP_HOST','127.0.0.1:22');
    ```

    Then, save and close the configuration file.

    Now, run the below commands to change the permissions and ownership of the wp-content directory.

    ```
    $ chmod 755 -R /var/www/html/wp-content
    $ chown -R wp-user:www-data /var/www/html/wp-content
    ```
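
The checks below are an added example, not part of the original guide: a shell helper that verifies the key file modes, the `from="127.0.0.1"` restriction and the `FTP_HOST` setting configured in the steps above. The function name `audit_wp_keys` and its argument layout are assumptions, and it relies on GNU `stat` as shipped with Ubuntu.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): audit the key layout the steps above create.
# audit_wp_keys is a hypothetical helper; pass your own paths.

# Print a file's octal mode (GNU stat), or "missing" if it cannot be read.
mode_of() { stat -c '%a' "$1" 2>/dev/null || echo missing; }

# audit_wp_keys HOME_DIR WP_CONFIG
# Prints one line per finding; the return status is the number of findings.
audit_wp_keys() {
    local home="$1" cfg="$2" findings=0 m line
    local key="$home/wp_rsa" ak="$home/.ssh/authorized_keys"

    # Private key: the guide sets 0640 (owner rw, web server group r, others none).
    m=$(mode_of "$key")
    case "$m" in
        640|600) ;;
        *) echo "FINDING: $key mode is $m, expected 640"; findings=$((findings + 1)) ;;
    esac

    # .ssh directory: the guide sets 0700.
    m=$(mode_of "$home/.ssh")
    if [ "$m" != "700" ]; then
        echo "FINDING: $home/.ssh mode is $m, expected 700"; findings=$((findings + 1))
    fi

    # Every key line must start with the from="127.0.0.1" restriction.
    if [ -r "$ak" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|'#'*|'from="127.0.0.1" '*|'from="127.0.0.1",'*) ;;
                *) echo "FINDING: key without from=\"127.0.0.1\" in $ak"
                   findings=$((findings + 1)) ;;
            esac
        done < "$ak"
    else
        echo "FINDING: cannot read $ak"; findings=$((findings + 1))
    fi

    # wp-config.php must point the updater at the loopback SSH listener.
    if ! grep -Eq "define\( *[\"']FTP_HOST[\"'] *, *[\"']127\.0\.0\.1(:[0-9]+)?[\"'] *\)" "$cfg" 2>/dev/null; then
        echo "FINDING: FTP_HOST in $cfg is not 127.0.0.1"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against real paths when two arguments are given.
if [ "$#" -eq 2 ]; then audit_wp_keys "$1" "$2"; fi
```

Run it as root with `/home/wp-user` and `/var/www/html/wp-config.php` as the two arguments; a non-zero exit status is the number of findings.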

    ## Restart Apache Web Server and Test Results

    After successfully completing the above steps, restart your Apache web server.

    ```
    $ /etc/init.d/apache2 restart
    # or
    $ service apache2 restart
    ```

    Now, it's time to test the results. For that, log in to your WordPress dashboard by opening the following URL in your web browser.

    ```
    yourdomain.com/wp-admin
    ```

    Then, install a new theme to check if the settings are correctly configured. Follow the below steps to install a new theme.

    ```
    Appearance >> Themes >> Install Themes
    ```

    Select one theme, click on the “Activate” button and then the “Visit Site” button to see the results.

    ## Conclusion

    As security is the primary concern for your site, you need to update your installation immediately upon any security release. In this guide, we explained how to configure secure updates and installations in WordPress.