Install WordPress

From UNPM.org Wiki
Revision as of 20:09, 13 February 2014 by Paul

WordPress is one of the most popular blogging platforms. It is a free, open-source software package developed in PHP by the WordPress Foundation. Over the years, so many plugins and add-ons have been developed for WordPress that it has become somewhat more of a content management system (CMS) than just a blogging platform. This article covers installing WordPress to a UNPM server.

WordPress can be installed to a website's root directory or to a sub-directory, referred to as /blog/ in this article. Installing to a subdirectory allows for using subdomains such as http://blog.example.com and for having a non-WordPress landing page for the website.

Nginx configuration

The nginx configuration requires a package-configs directory, package-configs files for the HTTP and HTTPS server blocks, and corresponding include entries in the sites-available file.

Create package-configs files

Create the package-configs files wordpress.conf and wordpress_https.conf:

username@servername:~$ sudo nano /etc/nginx/package-configs/wordpress.conf

Add the following:

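location /blog/ {
    try_files $uri $uri/ /blog/index.php?$args;

    # Serve these file types from uploads as plain text; never pass them to PHP.
    # Nested regex locations match the full URI, so the /blog prefix is required.
    location ~* ^/blog/wp-content/uploads/.*\.(html|htm|shtml|php)$ {
        types { }
        default_type text/plain;
    }

    # PHP files WordPress needs over HTTP.
    location ~ (index|wp-comments-post|xmlrpc|wp-tinymce).*\.php$ {
        include global-configs/php.conf;
    }

    # wp-cron.php is restricted to the server's own address.
    location ~ wp-cron\.php$ {
        allow <server IP address>;
        deny all;
        include global-configs/php.conf;
    }

    # Deny every other PHP file.
    location ~ \.php$ { deny all; }
}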

The try_files $uri $uri/ /blog/index.php?$args; directive allows 'pretty' URLs to work in WordPress.

The wp-cron.php file is necessary for WordPress to function properly, but the file does not need to be publicly accessible. Replace <server IP address> with the server's IP address. Note that WordPress will use an IPv6 address when one is assigned to the server. Check the /etc/hosts file to determine if one is assigned to the server. Also check the error logs while using and logging into WordPress to determine if wp-cron.php or any other PHP file is being blocked.
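One way to run the error-log check described above, as an added example that is not part of the original article: it tallies PHP requests that nginx rejected with "access forbidden by rule" and flags wp-cron.php denials that came from the server's own addresses. The log lines and addresses are constructed sample values.

```python
import re
from collections import Counter

# Line nginx writes to the error log when an allow/deny rule rejects a request.
DENIED = re.compile(
    r'access forbidden by rule, client: (?P<client>[0-9A-Fa-f:.]+), '
    r'.*?request: "[A-Z]+ (?P<uri>\S+)'
)

def blocked_php(log_lines, server_addrs):
    """Return (denials per PHP script, server addresses denied wp-cron.php)."""
    denied = Counter()
    cron_self_denied = set()
    for line in log_lines:
        m = DENIED.search(line)
        if not m:
            continue
        path = m.group("uri").split("?", 1)[0]
        if not path.endswith(".php"):
            continue
        denied[path] += 1
        # WordPress requests wp-cron.php from the server itself; a denial from
        # one of the server's own addresses means the allow line is missing it.
        if path.endswith("/wp-cron.php") and m.group("client") in server_addrs:
            cron_self_denied.add(m.group("client"))
    return denied, cron_self_denied

# Constructed sample lines using documentation address ranges.
SERVER_ADDRS = {"192.0.2.10", "2001:db8::10"}  # assumed IPv4 and IPv6 of the server
SAMPLE_LOG = [
    '2014/02/13 20:09:01 [error] 2101#0: *7 access forbidden by rule, '
    'client: 2001:db8::10, server: example.com, request: '
    '"POST /blog/wp-cron.php?doing_wp_cron=1392322141.5 HTTP/1.0", host: "example.com"',
    '2014/02/13 20:10:44 [error] 2101#0: *9 access forbidden by rule, '
    'client: 198.51.100.23, server: example.com, request: '
    '"POST /blog/wp-admin/admin-ajax.php HTTP/1.1", host: "example.com"',
    '2014/02/13 20:10:45 [error] 2101#0: *9 access forbidden by rule, '
    'client: 198.51.100.23, server: example.com, request: '
    '"POST /blog/wp-admin/admin-ajax.php HTTP/1.1", host: "example.com"',
    '2014/02/13 20:11:02 [error] 2101#0: *12 open() '
    '"/var/www/example.com/public/favicon.ico" failed (2: No such file or directory), '
    'client: 198.51.100.23, server: example.com, request: "GET /favicon.ico HTTP/1.1"',
]

if __name__ == "__main__":
    denied, cron_self_denied = blocked_php(SAMPLE_LOG, SERVER_ADDRS)
    for path, count in denied.most_common():
        print(f"{count:3d}  {path}")
    for addr in sorted(cron_self_denied):
        print(f"wp-cron.php denied for server address {addr}: add it to the allow list")
```

A script that is denied repeatedly during normal dashboard use is a candidate for the allowlist location; a wp-cron.php denial from the server's own IPv6 address means a second allow line is needed.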

Now create the corresponding https version:

username@servername:~$ sudo nano /etc/nginx/package-configs/wordpress_https.conf

Add the following:

location /blog/ {
    try_files $uri $uri/ /blog/index.php?$args;

    # Serve these file types from uploads as plain text; never pass them to PHP.
    # Nested regex locations match the full URI, so the /blog prefix is required.
    location ~* ^/blog/wp-content/uploads/.*\.(html|htm|shtml|php)$ {
        types { }
        default_type text/plain;
    }

    # PHP files WordPress needs over HTTPS, including login and dashboard pages.
    location ~ (index|wp-comments-post|wp-login|xmlrpc|wp-tinymce|update-core|edit|post-new|edit-tags|post|profile|media-new|user-new|upload|edit-comments|comment|themes|customize|widgets|nav-menus|theme-install|plugins|admin|users|user-edit|tools|import|export|options-general|options-writing|options-reading|options-discussion|options-media|options-permalinks|media-upload).*\.php$ {
        include global-configs/php_https.conf;
    }

    # wp-cron.php is restricted to the server's own address.
    location ~ wp-cron\.php$ {
        allow <server IP address>;
        deny all;
        include global-configs/php_https.conf;
    }

    # Deny every other PHP file.
    location ~ \.php$ { deny all; }
}

To install WordPress to the root directory of a site, simply remove /blog from the configuration.

These conf files are based on WordPress 3.7.1. The configuration passes only the specific PHP files necessary for WordPress to function to PHP-FPM. If a page fails to load correctly, please post the issue to the forums to determine if a PHP file was missed.
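An added example (not part of the original article) that models how the nested regex locations above are tried in order, so the outcome for a given request path can be checked before relying on the configuration. It is a Python approximation of nginx's matching, assumes no other regex locations in the server block, abbreviates the HTTPS list, and takes the prefix used in the uploads pattern as a parameter to show why it has to match the install path.

```python
import re

# Alternatives from the two allowlist locations on this page (HTTPS list abbreviated).
HTTP_ALLOW = ["index", "wp-comments-post", "xmlrpc", "wp-tinymce"]
HTTPS_ALLOW = HTTP_ALLOW + ["wp-login", "upload", "admin", "plugins", "themes"]

def build_rules(uploads_prefix, allowlist):
    """Regex locations in file order; nginx applies the first one that matches."""
    uploads = "^" + re.escape(uploads_prefix) + r"/wp-content/uploads/.*\.(html|htm|shtml|php)$"
    return [
        ("text/plain", re.compile(uploads, re.IGNORECASE)),  # ~* ignores case
        ("php-fpm", re.compile("(" + "|".join(allowlist) + r").*\.php$")),
        ("php-fpm for allowed client, else 403", re.compile(r"wp-cron\.php$")),
        ("403", re.compile(r"\.php$")),
    ]

def route(uri, rules):
    """Action for a request path. Nested regex locations are tested against
    the whole path, including the /blog/ prefix of the enclosing location."""
    path = uri.split("?", 1)[0]
    for action, pattern in rules:
        if pattern.search(path):
            return action
    return "try_files"  # static file, or internal redirect to index.php

def audit(uploads_prefix, allowlist, uris):
    """Map each request path to the action the modelled configuration takes."""
    rules = build_rules(uploads_prefix, allowlist)
    return {uri: route(uri, rules) for uri in uris}

# Constructed request paths for a /blog/ install.
URIS = [
    "/blog/index.php",
    "/blog/wp-login.php",
    "/blog/wp-includes/version.php",
    "/blog/wp-cron.php?doing_wp_cron=1",
    "/blog/wp-content/uploads/2014/02/note.php",
    "/blog/2014/02/13/hello-world/",
]

if __name__ == "__main__":
    for label, prefix, allow in [("http, uploads prefix /blog", "/blog", HTTP_ALLOW),
                                 ("https, uploads prefix /blog", "/blog", HTTPS_ALLOW),
                                 ("https, uploads prefix missing", "", HTTPS_ALLOW)]:
        print(label)
        for uri, action in audit(prefix, allow, URIS).items():
            print(f"  {action:38} {uri}")
```

In the third run the uploads rule never matches a /blog/ path, so the .php file under uploads falls through to the allowlist rule (which contains "upload") instead of being served as plain text. The allowlist alternatives are unanchored substrings, so any newly added name should be checked the same way.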

Edit sites-available file

Open the sites-available file for the domain:

username@servername:~$ sudo nano /etc/nginx/sites-available/example.com

In the HTTP server block, add:

include package-configs/wordpress.conf;

In the HTTPS server block, add:

include package-configs/wordpress_https.conf;

Test and Restart nginx

Test and restart nginx.

username@servername:~$ sudo nginx -t
username@servername:~$ sudo service nginx restart

Create WordPress database and database user

Create a WordPress database and database user:

username@servername:~$ sudo mysql -uroot -p
MariaDB [(none)]> create database databasename default character set utf8 default collate utf8_general_ci;
MariaDB [(none)]> grant all on databasename.* to 'databasenameusername'@'localhost' identified by 'databasenameusernamepassword';
MariaDB [(none)]> exit

Note that the databasename, databasenameusername and databasenameusernamepassword will be required for the WordPress configuration process.

Install and configure WordPress

Install WordPress

Install WordPress to root directory

Download and extract the latest version of WordPress to the root directory.

username@servername:~$ wget https://wordpress.org/latest.zip
username@servername:~$ unzip -d /var/www/example.com/public/ latest.zip
username@servername:~$ mv /var/www/example.com/public/wordpress/* /var/www/example.com/public/
username@servername:~$ rm latest.zip
username@servername:~$ find /var/www/example.com/public/ -type d -exec chmod 775 {} +
username@servername:~$ find /var/www/example.com/public/ -type f -exec chmod 664 {} +
username@servername:~$ sudo chown -R www-data /var/www/example.com/public/

Install WordPress to subdirectory

Download and extract the latest version of WordPress to the subdirectory.

username@servername:~$ wget https://wordpress.org/latest.zip
username@servername:~$ unzip -d /var/www/example.com/public/ latest.zip
username@servername:~$ mv /var/www/example.com/public/wordpress /var/www/example.com/public/blog
username@servername:~$ rm latest.zip
username@servername:~$ find /var/www/example.com/public/blog/ -type d -exec chmod 775 {} +
username@servername:~$ find /var/www/example.com/public/blog/ -type f -exec chmod 664 {} +
username@servername:~$ sudo chown -R www-data /var/www/example.com/public/blog/

Over HTTPS, navigate to https://www.example.com/wp-admin/install.php or https://www.example.com/blog/wp-admin/install.php, depending on the configuration, and follow the WordPress installation setup.

Configure WordPress

Securing WordPress

Edit wp-config.php:

username@servername:~$ nano /var/www/example.com/public/blog/wp-config.php

Note that if WordPress is installed to the root directory, /var/www/example.com/public/wp-config.php would be used.

Above the line that reads /* That's all, stop editing! Happy blogging. */, add:

define('FORCE_SSL_ADMIN', true);
define('DISALLOW_FILE_EDIT', true);

FORCE_SSL_ADMIN forces the dashboard to always load through an encrypted session.

DISALLOW_FILE_EDIT prevents PHP files from being edited from within WordPress, which is a potential security threat.

Pretty URLs

Log in to the WordPress dashboard.

Navigate to Settings->Permalinks and select the radio button 'Custom Structure'. There are many different configuration options, though probably the most popularly used is /%year%/%monthnum%/%day%/%postname%/.

WordPress caching

Caching will allow WordPress to perform considerably faster while reducing server load.

Install APC Object Cache Backend

Download the plugin, decompress it, and install it to the /wp-content/ directory:

username@servername:~$ wget https://downloads.wordpress.org/plugin/apc.2.0.6.zip
username@servername:~$ unzip apc.2.0.6.zip
username@servername:~$ mv apc/object-cache.php /var/www/example.com/public/blog/wp-content/
username@servername:~$ rm -rf {apc.2.0.6.zip,apc/}

Note that if WordPress is installed to the root directory, /var/www/example.com/public/ would be used in the third step, and the same applies when installing Batcache.

Install Batcache

Download the plugin, decompress it, install it to the /wp-content/ directory, and then edit wp-config.php:

username@servername:~$ wget https://downloads.wordpress.org/plugin/batcache.1.2.zip
username@servername:~$ unzip batcache.1.2.zip
username@servername:~$ mv batcache/advanced-cache.php /var/www/example.com/public/blog/wp-content/
username@servername:~$ sudo chown www-data /var/www/example.com/public/blog/wp-content/{object-cache.php,advanced-cache.php}
username@servername:~$ rm -rf {batcache.1.2.zip,batcache/}

Enable caching in wp-config.php

Edit wp-config.php:

username@servername:~$ nano /var/www/example.com/public/blog/wp-config.php

Above the line that reads /* That's all, stop editing! Happy blogging. */, add:

define('WP_CACHE', true);

Verify caching works

Navigate to a blog page in a browser session that is not logged into WordPress and refresh the page several times. The page source should contain a message similar to:

	generated 13 seconds ago
	generated in 0.047 seconds
	served from batcache in 0.000 seconds
	expires in 287 seconds

WYSIWYG editor blank

Occasionally, installs of WordPress will result in a WYSIWYG editor that appears to not function, though it is actually functioning with white letters on a white background, and the buttons above the editor will not be present. If this happens, add define('CONCATENATE_SCRIPTS', false ); above /* That's all, stop editing! Happy blogging. */ in the wp-config.php file.

Plugins

It is generally beyond the scope of this article to discuss plugins, though there are a few useful plugins which are generally desired by many users.

Security

The most common vectors for attack against WordPress come from old plugins. The WordPress.org plugin pages even warn users when a plugin has not been updated for over 2 years.

Another common vector is brute-forcing WordPress login pages. Installing a plugin such as Limit Login Attempts can reduce the success rate of such attacks, and is particularly useful on sites with many users.

Akismet

Akismet is an anti-spam tool that is invaluable for sites that allow comments. It does require a WordPress.com user account to use and will report some site statistics back to WordPress.com.

Minileven

Minileven is a mobile theme developed for WordPress.com and made available to individual WordPress installations through the Jetpack plugin by WordPress.com. To use this plugin, the server must integrate with WordPress.com and will report various statistics back to them. For those not desiring to connect their servers to WordPress.com, it is still possible to install the theme. Install and enable the Jetpack plugin, activate the Mobile Theme (Minileven) through the plugin, then disable the plugin. Add the Minileven theme to WordPress:

username@servername:~$ cp -r /var/www/example.com/public/blog/wp-content/plugins/jetpack/modules/minileven/theme/pub/minileven/ /var/www/example.com/public/blog/wp-content/themes/
username@servername:~$ sudo chown -R www-data /var/www/example.com/public/blog/wp-content/themes/

Even though the plugin is disabled, WordPress will still notify through the dashboard when the plugin has an update. After each update, copy the directory again to update Minileven, but note that the location of Minileven in the Jetpack plugin directory will change from time to time.

To accompany Minileven, install the Device Theme Switcher plugin to tell WordPress which theme to serve to which devices.

Analytics tools

Piwik is a powerful open source web analytics tool that can run on a server without using any outside services. Integrating Piwik into WordPress is easy with plugins such as WP Analytics Tracking, a very simple plugin to paste tracking code into a field which the plugin then adds to all WordPress pages.

Change default email sender

By default, WordPress sends emails from the address wordpress@example.com with the name WordPress. This can be changed through a number of methods, but perhaps the simplest is to add a statement to the functions.php file used by themes. For this to work, the code will have to be added to every functions.php for every theme used by the site, and added again after a theme is upgraded.

username@servername:~$ nano /var/www/example.com/public/blog/wp-content/themes/themename/functions.php

Paste at the bottom of the file:

/** Change the default WordPress email sender address and name */

add_filter('wp_mail_from', 'new_mail_from');
add_filter('wp_mail_from_name', 'new_mail_from_name');

function new_mail_from($old) {
 return 'address@example.com';
}

function new_mail_from_name($old) {
 return 'emailname';
}

External links

A blog of your own | Ars Technica