WordPress on AWS EC2 – part 7

What else does your WordPress need?

WordPress uses some additional Apache and PHP modules. Unfortunately I haven't found much information about what is actually needed and for what purpose. There are some articles on the subject, but they're quite old. In this part I'll show you a couple of WordPress features which don't work in our environment, and how to fix them.

Pretty URLs

So let's begin with turning on pretty URLs. This feature helps make our URLs more readable and SEO friendly. In the WordPress dashboard find Settings->Permalinks, choose whichever option you like and save the settings. Now go back to the home page and try clicking a post title. Whoops…

In this case the problem is that Apache's rewrite module is disabled. Let's enable it:

Much better now. 🙂


wp_mail

In the previous part I wrote that our WordPress can't send e-mails, and I suggested installing a plugin which lets us send messages through SMTP. Let's install it from the dashboard then. We could of course also do it with WP-CLI or by uploading the files manually. Before we proceed to the plugin installation, let's first install another PHP module. It isn't strictly necessary right now, because WordPress itself works without it, but some plugins may not.

Okay, now we can install Easy WP SMTP (or any other plugin with similar functionality). Configuration is very straightforward, just like configuring any e-mail client such as Outlook or Thunderbird.


This plugin has a feature which helps us check that everything is correct by sending a test e-mail. If you're using another plugin which doesn't have this kind of functionality, you can for example change the password of your user. WordPress should automatically send an e-mail about the password change to the address attached to your account.

Image scaling and cropping

When we upload an image to the WordPress media library, it is automatically processed so that we can use different image sizes in our posts. Additionally we can use the built-in image editor, which helps us crop an image for example. At least that's how it should work, but right now if we try to put an image into a post we can only use the full image size.


This is because we don't have the PHP module called imagick. Let's install it then. We'll also install the module called GD. For WordPress itself imagick is sufficient, but some plugins use GD for image manipulation.

Now if you upload a new image it should be possible to use different image sizes and the built-in image editor.


Additional modules

Some plugins use a module called mcrypt, so we can install it while we're at it:

This set of extensions should be sufficient in most cases.

So we're actually done. In the last part I'll summarize everything we've done and make some additional comments.


WordPress on AWS EC2 – part 5

Apache, PHP, MySQL

To launch WordPress we need some additional tools. First of all we need to install a web server which will accept requests from users' browsers and send them responses. WordPress is written in PHP, so we also need to install an interpreter for this language. Last but not least we need a database server, because our blog can't work without one. WordPress is designed to work with MySQL, so that's what we'll install.

Apache installation

To install Apache you need to SSH into your instance and run the following command:

sudo apt-get update && sudo apt-get install apache2

As I mentioned in the previous part, sudo apt-get update fetches information about the software available in the Ubuntu repositories. The && operator means: "if the command on the left side succeeds, run the command on the right side". The command sudo apt-get install apache2 launches installation of the apache2 package.

After this, when you type the IP address of your instance into the browser address bar, the following page should appear. This indicates that our server works. 🙂


Before we continue it's worth checking whether Apache is using the mpm-event module instead of mpm-prefork; this is about performance. My installation had this module installed and activated by default. You can check with the command which lists all loaded modules:

sudo apache2ctl -M

If you don't have it, you can install it manually:

sudo apt-get install apache2-mpm-event
sudo a2enmod mpm_event
sudo service apache2 restart

PHP Installation

In the Ubuntu 14.04 repository the newest PHP version is 5.5.9. If you want to install a newer version such as 5.6.x you should use additional repositories.

As I mentioned at the beginning of the series, I want to use PHP5-FPM, mainly because of performance. Here you can read a comparison of mod_php and php-fpm. To install it, run the command:

sudo apt-get install php5-fpm

To get this PHP installation to work with Apache we need to install an additional Apache module. Because of licensing complications this module is available in the multiverse repository, which is disabled by default, so first we need to enable it. You can read about the differences between the types of repositories here. Open the file /etc/apt/sources.list in your favorite text editor (I use nano).

sudo nano /etc/apt/sources.list

We should uncomment the appropriate lines (the URLs may differ between regions):


Now we can run the commands:

sudo apt-get update
sudo apt-get install libapache2-mod-fastcgi

After installation the module should be enabled automatically and Apache should be restarted.


If that is not the case for you, you can always enable the module and restart the server yourself with the following commands:

sudo a2enmod fastcgi
sudo service apache2 restart

CAUTION!
If you had mod_php installed previously, you should turn it off. You can do this in a similar way:

sudo a2dismod php5
sudo service apache2 restart

Now we'll configure Apache a bit. I assume that only one site will run on our instance, so the configuration below is very simple. Let's enable another two modules we'll need:

sudo a2enmod alias actions
sudo service apache2 restart
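Here is an added helper, not part of the original post, that checks whether the modules this series relies on are actually loaded: the Apache modules enabled in this part and in part 7 (mpm_event, fastcgi, alias, actions, rewrite) and the PHP extensions from part 7 (mysql, imagick, gd, mcrypt). It assumes the Ubuntu 14.04 package names and the output formats of apache2ctl -M and php5 -m.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the Apache modules and
# PHP extensions used in this series are missing, so a forgotten a2enmod or apt-get
# shows up here instead of as broken permalinks or missing image sizes.
set -eu

# Apache modules named in the series (a2enmod names, without the "_module" suffix).
APACHE_WANTED="mpm_event fastcgi alias actions rewrite"
# PHP extensions named in the series (names as printed by "php5 -m", lowercased).
PHP_WANTED="mysql imagick gd mcrypt"

# missing_apache_modules: reads "apache2ctl -M" output on stdin (lines such as
# " rewrite_module (shared)"), prints each wanted module that is not loaded,
# and exits 1 if anything is missing.
missing_apache_modules() {
    awk -v wanted="$APACHE_WANTED" '
        /_module/ { sub(/_module$/, "", $1); loaded[$1] = 1 }
        END {
            bad = 0
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in loaded)) { print w[i]; bad = 1 }
            exit bad
        }'
}

# missing_php_extensions: reads "php5 -m" output on stdin (one extension per line,
# with "[PHP Modules]" / "[Zend Modules]" section headers) and behaves the same way.
missing_php_extensions() {
    awk -v wanted="$PHP_WANTED" '
        !/^\[/ && NF { loaded[tolower($1)] = 1 }
        END {
            bad = 0
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in loaded)) { print w[i]; bad = 1 }
            exit bad
        }'
}

# Live use on the instance:
#   sudo apache2ctl -M | missing_apache_modules   # fix with: sudo a2enmod <name>
#   php5 -m | missing_php_extensions              # fix with: sudo apt-get install php5-<name>
# and then: sudo service apache2 restart
```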

Now we should create a configuration file which tells Apache what to do with PHP files. Apache keeps such configuration snippets in the /etc/apache2/conf-available directory, so we put our file there too. I'll name it php5-fpm.conf. We can create it for example with nano:

sudo nano /etc/apache2/conf-available/php5-fpm.conf

Next we put this content into the file:

A few words of explanation:
IfModule checks whether a module is active and, if so, applies the directives in the block.
AddHandler tells Apache which action to take for the described files: in this case, for files with the php extension, the php5-fcgi action will be fired.
Action defines the program to which the request is passed when the action fires: in this case, for the php5-fcgi action the request is routed to the /php5-fcgi path.
Alias maps paths: here we define that the /php5-fcgi path from the previous line is actually /usr/lib/cgi-bin/php5-fcgi.
FastCgiExternalServer indicates how to handle the file we caught with the lines above: in this case it will be run by the server listening on the unix socket at /var/run/php5-fpm.sock. This path is defined in the php-fpm configuration file, which you can find at /etc/php5/fpm/pool.d/www.conf. The -pass-header option lets us pass HTTP headers to the script which would not be passed by default, for example the Authorization header.
Directory defines the path to which the following settings apply.
Require all granted grants everyone access to that location; we need this line because otherwise we'll see "Access denied" instead of the output of any PHP script.
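Since the file itself is not reproduced above, here is the configuration that explanation describes, as an added example written for this post rather than copied from it, wrapped in a small script that writes it to a path of your choice and reads the socket path back from the php-fpm pool file so the two can be compared before the snippet is enabled. It assumes the socket /var/run/php5-fpm.sock from www.conf.

```shell
#!/bin/sh
# Added example (not from the original post): generate php5-fpm.conf for Apache +
# mod_fastcgi + PHP-FPM and cross-check the socket path against the php-fpm pool.
set -eu

# write_php5_fpm_conf FILE: write the handler configuration to FILE.
write_php5_fpm_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_fastcgi.c>
    # .php files are handled by the php5-fcgi action ...
    AddHandler php5-fcgi .php
    Action php5-fcgi /php5-fcgi
    # ... whose URL path is an alias for this (virtual) CGI program
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    # requests for that program go to php-fpm's unix socket; Authorization is passed through
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
    <Directory /usr/lib/cgi-bin>
        Require all granted
    </Directory>
</IfModule>
EOF
}

# fpm_socket_from_pool FILE: print the "listen" value of a php-fpm pool file
# (commented ";listen" lines are ignored) so it can be compared with the -socket above.
fpm_socket_from_pool() {
    awk -F= '$1 ~ /^[ \t]*listen[ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }' "$1" | tail -n 1
}

# Live use on the instance:
#   write_php5_fpm_conf /tmp/php5-fpm.conf && sudo cp /tmp/php5-fpm.conf /etc/apache2/conf-available/
#   fpm_socket_from_pool /etc/php5/fpm/pool.d/www.conf   # expect /var/run/php5-fpm.sock
#   sudo a2enconf php5-fpm && sudo apache2ctl configtest && sudo service apache2 reload
```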

There's nothing left to do but save the configuration, enable it and test whether everything works. Save the file, exit the editor and run:

sudo a2enconf php5-fpm
sudo service apache2 reload

Now let's create a PHP file with which we can test what we've done so far. Apache's default configuration serves files from /var/www/html, so that's where we'll create it:

sudo nano /var/www/html/info.php

Save, and navigate to your server in a browser. In my case the URL is http://52.29.70.252/info.php. We should see the well-known PHP Info page. 🙂 Remove info.php once you've checked it, since that page reveals details of your configuration to anyone who can reach it.


MySQL Installation

This should be easy. Let's run the MySQL installation. We'll additionally install the PHP module used for communication with the database.

sudo apt-get install mysql-server php5-mysql

During installation we'll be asked to create a password for the root user of our database. We can create it now or leave it blank; we'll come back to this step in a moment.

When installation is complete we should run the script which prepares our database for work, which means for example creating the appropriate directory structure.

sudo mysql_install_db

The last step is to run the script which helps us secure our server a bit.

sudo mysql_secure_installation

In the first step we'll be asked for the current root password. If we set it during installation we need to provide it; if not, we just hit enter.

The second step is to set the root password. If you already set it, you can change it here.

The third step gives us the option to delete the anonymous user. In other words, it will no longer be possible to log in to the database without having an account. Of course we confirm.

In the fourth step we define whether root can log in from a computer other than the one the server runs on. Let's disable remote login.

In the fifth step we can delete the "test" database, which is created during installation and is accessible to everyone. Confirm the deletion.

The last step is to flush the privileges table. Confirm.
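As an added check that is not from the original post: after mysql_secure_installation it is worth confirming that the anonymous accounts, remote root logins and the test database are really gone rather than trusting the prompts. The audit functions read the tab-separated output of the mysql client (-N), so they can be tried on constructed input; the mysql.user table and its user/host columns are those of MySQL 5.5 on Ubuntu 14.04.

```shell
#!/bin/sh
# Added example (not from the original post): verify the effect of mysql_secure_installation
# by auditing the account list and database list printed by the mysql client.
set -eu

# audit_mysql_accounts: reads "user<TAB>host" lines on stdin, as produced by
#   mysql -N -e "SELECT user, host FROM mysql.user"
# prints one finding per line and exits 1 if any finding was made.
audit_mysql_accounts() {
    awk -F'\t' 'BEGIN { bad = 0 }
        # an empty user name is an anonymous account (step three should have removed it)
        $1 == "" { print "anonymous account allowed from host " $2; bad = 1 }
        # root must only be reachable from the local machine (step four)
        $1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print "root login allowed from host " $2; bad = 1 }
        END { exit bad }'
}

# audit_mysql_databases: reads one database name per line, as produced by
#   mysql -N -e "SHOW DATABASES"
# and reports the installer-created "test" database if it still exists (step five).
audit_mysql_databases() {
    awk 'BEGIN { bad = 0 }
        $0 == "test" { print "database \"test\" still exists and is open to everyone"; bad = 1 }
        END { exit bad }'
}

# Live use (prompts for the root password set during mysql_secure_installation):
#   mysql -u root -p -N -e "SELECT user, host FROM mysql.user" | audit_mysql_accounts
#   mysql -u root -p -N -e "SHOW DATABASES" | audit_mysql_databases
# No output and a zero exit status from both means the hardening steps took effect.
```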

So… that's all! We have almost everything we need to launch our WordPress. See you in the next part. 🙂


WordPress on AWS EC2 – part 4

How to make your instance more secure?

This post is obviously not a complete security guide and it's not meant to be. However, I want to talk about some basics which I think are the minimum when it comes to securing our Linux. I must emphasize that you have complete control of your instance, and it's your responsibility to take care of the security of your data and your site's users. I definitely encourage you to keep learning about server administration.

Updates

One of the most important things is regular updates of the system and the other installed software. Unfortunately vulnerabilities turn up everywhere (a famous example is the 2014 vulnerability in the OpenSSL library), so we should install every security update as quickly as possible. Before we continue, let's update our system.

The first step is the following command:

sudo apt-get update

This way we ensure that our system "knows" about all the available updates, but nothing is installed yet.

Next we can do this:

sudo apt-get upgrade

or this:

sudo apt-get dist-upgrade

There is a significant difference between those two. In the first case only packages that are already installed will be updated. However, it's common for one package to depend on others. If the new version of installed software depends on a package which was not required previously and is not present on the system, the update will fail. All information about the problems will be printed to the console.

In the second case dependencies are resolved automatically, and some packages may be removed or new packages installed. Right now it really doesn't matter, because we have just launched our instance and aren't using it for anything yet. However, once we start the web server and the database and our site goes public, we won't want something to stop working because of an update. That doesn't mean we shouldn't update our system; it only means that we always need to know what we are doing and why. We should probably consider launching a staging environment and checking any modifications there first. In the AWS ecosystem it's really easy to duplicate an EC2 instance.

Some of you have probably noticed that, despite installing all the updates, the OpenSSL library I mentioned remains at version 1.0.1f, which is theoretically vulnerable to the Heartbleed attack. In fact it isn't: this version was patched by the Ubuntu maintainers on the same day the vulnerability was disclosed. More information here.

Now we should reboot our instance.

sudo reboot

When you run this command your connection will be interrupted. Wait a minute or two and try to connect again.

Change the default SSH port

It's worth considering changing the default SSH port from 22 to some other number greater than 1023. Many bots used for automated attacks search for an open SSH port, but they limit themselves to the default port. Of course this won't stop all intrusion attempts, but it can help reduce their number. We can change the port in the SSH configuration file. We must edit it as root, so we run:

sudo nano /etc/ssh/sshd_config

Of course you can use your favorite text editor instead of nano. 🙂
Let's find the following line in the file

Port 22

and change the value to something else, for example:

Port 56321


Now save the changes (in nano ctrl+O and confirm with enter) and exit the editor (in nano ctrl+X). We should restart the SSH service to reload the configuration:

sudo service ssh restart

Our current connection should not be interrupted, but from now on every new connection to our instance must use the port we put in the config file. As you remember, we defined some security rules in the EC2 dashboard, so we need to go back there and open up this port.

In the "Network & Security" group find the tab called "Security Groups" and right-click the group our instance belongs to. From the menu choose "Edit inbound rules". Now in place of SSH select "Custom TCP Rule" and enter the new port number. Remember to save the changes.


Now we should be able to establish a new connection. If you're connecting from the console you need to add the "-p" parameter followed by the port number, so in my case it will be:

ssh -i ~/.ssh/test1-keys.pem ubuntu@52.29.70.252 -p 56321

If you're connecting with PuTTY, find your instance in the list of saved sessions and load its settings. Now change the port number and save the session again.
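An added example, not the author's: a small script that sets the Port in a copy of sshd_config and lets you validate that copy with sshd -t before it replaces the live file, because a typo that gets past "service ssh restart" can lock you out of an instance whose only way in is SSH. It assumes the script is saved as ssh_port.sh and uses the port 56321 chosen above.

```shell
#!/bin/sh
# Added example (not from the original post): edit the sshd Port line safely.
set -eu

# set_ssh_port FILE PORT: set "Port PORT" in FILE, replacing an existing Port line
# (including a commented "#Port 22") or appending one. PORT must be 1024..65535.
set_ssh_port() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_ssh_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "set_ssh_port: port must be between 1024 and 65535" >&2; return 1
    fi
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file" > "$file.tmp"
    else
        { cat "$file"; printf 'Port %s\n' "$port"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# get_ssh_port FILE: print the effective port (sshd's default of 22 if none is set).
get_ssh_port() {
    port=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{ print $2 }' | tail -n 1)
    echo "${port:-22}"
}

# Live use on the instance, from the still-open SSH session:
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.new
#   sudo sh -c '. ./ssh_port.sh; set_ssh_port /etc/ssh/sshd_config.new 56321'
#   sudo sshd -t -f /etc/ssh/sshd_config.new    # syntax check; no output means OK
#   sudo mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config && sudo service ssh restart
#   sudo netstat -tlnp | grep sshd               # sshd should now listen on 56321
# Keep this session open until a second login on the new port (after opening it in
# the security group) has succeeded.
```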


Summary

After this part our system is up to date and SSH runs on a non-default port. As I mentioned, this is no guarantee that you are 100% secure. I recommend reading about some tools which can help you harden your system. In the next part we'll install the software essential to run our virtual machine as a web server.
