Updated 28-Jun-2024
This assumes a current configuration of:
- Amazon Linux (6.x RHEL series)
- Apache 2.4
- PHP 5.6 + Opcache
- Oracle MySQL 5.7
Installation up to this point is encompassed by:
- OpenVPN on Amazon Linux EC2, basic configuration and securing an EC2 instance
- Amazon Linux, Apache, MySQL, and PHP, installing and configuring
Install WordPress from Subversion
This is the standard quick install. It is advised to check out the most recent stable version, not the main branch, which can break (more) things. First, install Subversion:
yum -y install svn
For Debian:
apt-get install -y subversion
Visit Installing WordPress with Subversion, and look for a command line that looks like the following.
svn co https://core.svn.wordpress.org/tags/5.0.2 .
The final number will change over time. Currently the options for Git are a bit malnourished.
Create Database and User
Log into mysql
sudo mysql -u root -p
Create database (the placeholder name is backtick-quoted because DATABASE is a reserved word in MySQL)
CREATE DATABASE `database` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Create user and grant access to the database (change username and password as appropriate).
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON `database`.* TO 'user'@'localhost';
flush privileges;
exit;
Create wp-config.php
First, copy the sample file into a config file
cp /var/www/html/wp-config-sample.php /var/www/html/wp-config.php
Next edit the four parts of the file:
nano /var/www/html/wp-config.php
Change these:
- Database Name
- User Name
- Password
- Table prefix
Also add the following at the end:
/** to set update method, rather than changing file access */
define('FS_METHOD','direct');
Save and restart /index.php
Multisite
WordPress Multisite has advantages (and some disadvantages). The process to change a single site into multisite has several steps.
- Disable all plugins
- Edit wp-config.php to include the following
sudo nano /var/www/html/wp-config.php
Add the following:
/* Multisite */
define( 'WP_ALLOW_MULTISITE', true );
Note that this will then allow you to take the next steps.
- Administration > Tools > Network Setup
- Configure for subdomains
- Once completed, copy the text for .htaccess into httpd.conf (usually this redirection is safe for single site domains as well).
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
- Comment out the above item entered into wp-config.php, and instead replace with:
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', true);
define('DOMAIN_CURRENT_SITE', 'host.domain.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);
define( 'SUNRISE', 'on' );
Note: It is very important to place this where it indicates, just before "stop editing" below.
- Copy the sunrise.php file to /wp-content/.
- Restart Apache
- Install and enable WordPress MU Domain Mapping
- Change the settings in Network Admin > Settings > Domain Mapping to 2,5 (the opposite of the default)
- Add domains to the mapping as desired
- Set redirections and site defaults to their desired domain name
Reset Filesystem Security Script
Filesystem security can get wonky, especially with WordPress plugin and theme updates and manual file copying and editing. There are two things to do:
- Make a script that backs up essential configuration files
- Make a script that resets all the security in the file paths
This is an example of the second:
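# Site owner and the apache group own everything under /var/www
chown -R username:apache /var/www
# Directories: rwxrwxr-x plus setgid, so new files inherit the apache group
find /var/www/html -type d -exec chmod 2775 {} \;
find /var/www/html -type d -exec chmod g+s {} \;
# Files: rw-rw-r--
find /var/www/html -type f -exec chmod 0664 {} \;
# Dot files (.b*, .profile, .ssh) go back to the user alone
chown username:username /var/www/html/.b*
chmod 700 /var/www/html/.b*
chown username:username /var/www/html/.profile
chown username:username /var/www/html/.ssh
chmod 1700 /var/www/html/.ssh
chmod 600 /var/www/html/.ssh/authorized_keys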
echo ' ';
echo '***************************************************';
echo 'changed ownership and security on wordpress install';
echo '***************************************************';
echo ' ';
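To check the result of the reset, or to spot drift before running it, the following added example (not part of the original script) lists entries under the web root whose modes differ from what the script sets. The function name audit_webroot and its optional mode arguments are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not part of the original script): list entries under a web
# root whose modes differ from what the reset script applies.
# audit_webroot is a hypothetical helper; its defaults mirror the script
# above (directories 2775, files 0664).

audit_webroot() {
    local root="${1%/}"          # drop one trailing slash so -path lines up
    local dir_mode="${2:-2775}"
    local file_mode="${3:-0664}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Top-level dot entries (.ssh, .profile, .b*) get their own modes in the
    # reset script, so they are pruned here rather than reported.
    # Each finding is printed as "<REASON> <path>"; the first match wins.
    find "$root" -mindepth 1 \
        \( -path "$root/.*" -prune \) -o \
        \( ! -type l -perm -0002 -exec echo WORLD_WRITABLE {} \; \) -o \
        \( -type d ! -perm "$dir_mode" -exec echo DIR_MODE {} \; \) -o \
        \( -type f ! -perm "$file_mode" -exec echo FILE_MODE {} \; \)
}

# Usage: audit_webroot /var/www/html
```

No output means every directory and file below the root carries the expected mode.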
PHP Session Handling
WordPress does not use PHP Sessions, and plugins need not, therefore:
- Eradicate plugins which use @session_start();
which includes (as per latest scan):
- wp-affiliate-platform,
- wp-spamshield,
- woocommerce-amazon-s3-storage, and
- php-compatibility-checker (which is only needed for testing, in any case)
cd /var/www/html
grep -r 'session_start'
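The recursive grep above prints every matching line in every file. As an added example (not from the original page), this function reduces that to the list of plugin directories whose PHP files call session_start(); the function name plugins_using_sessions and the standard wp-content/plugins layout are assumptions.

```bash
#!/bin/bash
# Added example (not from the original page): name the plugins whose PHP
# files call session_start(), instead of listing every matching line.
# plugins_using_sessions is a hypothetical helper name.

plugins_using_sessions() {
    local wp_root="${1%/}"
    local plugin_dir="$wp_root/wp-content/plugins"
    [ -d "$plugin_dir" ] || { echo "no plugin directory: $plugin_dir" >&2; return 2; }

    # Only *.php files are searched, so readme and changelog mentions are
    # ignored; the pattern requires the opening parenthesis of a call.
    find "$plugin_dir" -type f -name '*.php' \
        -exec grep -lE 'session_start[[:space:]]*\(' {} + |
    while IFS= read -r file; do
        rel="${file#"$plugin_dir"/}"     # path relative to the plugin directory
        printf '%s\n' "${rel%%/*}"       # first component is the plugin slug
    done | sort -u
}

# Usage: plugins_using_sessions /var/www/html
```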
Caching Configuration in WordPress
W3 Total Cache
General Settings
- Page Cache, Disk: Enhanced
- Minify (disabled)
- Database Cache, Disk
- Object Cache (disabled)
- Browser Cache (disabled, we do this manually in httpd.conf)
- CDN (disabled)
- Use single network configuration file
- Purge Policy: Posts page, Post page
Page Cache
- Cache posts, SSL, Don't cache logged in
- Prime page cache, 900, 10
- Preload post cache upon publish
- Sitemaps regular expression [a-z0-9_\-]*sitemaps\/[a-z0-9_\-]*\.(xml|xsl|html?)(\.gz)?
- Rejected Cookies:
wptouch_switch_toggle
ap_id
cart_in_use
eMember_in_use
- Never Cache the Following Pages
wp-.*\.php
index\.php
[a-z0-9_\-]*sitemap[a-z0-9_\-]*\.(xml|xsl|html?)(\.gz)?
favorites\.php
cart
checkout
shop
/shop*
- Note: must include any changes to permalinks and the pages above
Database Cache
- Don't cache for logged in
- Ignore Query Stems
gdsr_
wp_rg_
_wp_session_
_wc_session_
Autoptimize
- Optimize HTML, Keep HTML Comments
- Optimize Javascript, aggregate inline JS
- Optimize CSS, Remove Google Fonts
- Save aggregated as static files = uncheck
Further Security and Performance Optimization
Exotic Performance Tuning
- Brotli Compression
- HTTP/2
- SPDY
- Prefetching Gzip
- Speed ordering ssl cert session handling
- Cache Primer, see this and this
- OCSP Stapling
- HTTP Strict Transport Security (HSTS)
Testing Tools
- KeyCDN Speed Test
- HTTP Header Test
- TLS Logjam vulnerability test
- SSL Freak vulnerability test
- Chrome Browser Flush Cache
- GTMetrix Speed Test
- Varvy SEO, Pagespeed and Mobile tests
- Redbot HTTP Headers/Comments
Code Cleanup
A good part of speed issues is the actual site code (php/js/css/html) and when it comes to WordPress, especially WordPress plugins, there are a lot of potential conflicts. Blocking JS and CSS is a big part of the problem, as well as removing all the default crap that is not needed (such as various webfonts).
- Clean up nonblocking Javascript and CSS
- Too many CSS files and embedded CSS in HTML, and too many JS files
- Google's Accelerated Mobile Pages
- Cache-aware websites