How to Configure Secure Updates and Installations in WordPress

Posted at January 28, 2017 at 11:39 am by Jithin

WordPress is the most popular Content Management System used today. It is very simple, powerful and easy to manage. WordPress provides a wide range of plugins and most of them are free to use. You must install a LAMP stack and WordPress before proceeding. You need to log in as root or as a privileged user to perform these steps. Please note that you need to replace “wp-user” with your WordPress user and www-data with your Apache web user.

 

Set Up Secure Updates with SSH

Create a user called wp-user using the adduser command. This user will be used to control the WordPress installation.

$ adduser wp-user

You will be asked to set a new password for wp-user. You can leave all other fields blank and press “ENTER” through the remaining prompts.

Change to the WordPress installation directory using the cd command.

$ cd /var/www/html/

Grant wp-user ownership for everything under this directory. The -R switch is used to change the ownership of directories and their contents recursively.

$ chown -R wp-user:wp-user /var/www/html/

 

Create SSH Keys for WordPress User

Switch to the WordPress user with the command below:

$ su - wp-user

The SSH key can be created using the ssh-keygen command. The type of key to be generated is specified with the -t option and the number of bits is specified with the -b option.

$ ssh-keygen -t rsa -b 4096

You will be asked for the location in which to store the SSH keys. Enter /home/wp-user/wp_rsa, then press ENTER at the remaining prompts to create a key without a passphrase.

Enter the file in which to save the key (/home/wp-user/.ssh/id_rsa): /home/wp-user/wp_rsa

Exit back to your normal (root) account:

$ exit

Set the owner of the key files to wp-user and the group to the Apache web user, and restrict the mode so that only those two accounts can read them.

$ chown wp-user:www-data /home/wp-user/wp_rsa*

$ chmod 0640 /home/wp-user/wp_rsa*

Create the .ssh directory under the wp-user home directory and give it appropriate permissions and ownership so that the web process can log in.

$ mkdir /home/wp-user/.ssh

$ chown wp-user:wp-user /home/wp-user/.ssh

$ chmod 0700 /home/wp-user/.ssh/

Copy the public key into the authorized_keys file so that the user can log in using these credentials.

$ cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys

Adjust the permissions and ownership of this file so that it can be accessed while remaining secure:

$ chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys

$ chmod 0644 /home/wp-user/.ssh/authorized_keys

Since these keys will only be used for logging in from within the WordPress site, which is on the same computer, we can restrict the login to this server:

$ vi /home/wp-user/.ssh/authorized_keys

At the very beginning of the file, before any of the other text, add the portion given below to restrict the key usage to the local computer:

from="127.0.0.1" ssh-rsa…

Save and close the file.
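The ownership, mode and from= settings made above can be checked in one pass before WordPress is pointed at the keys. The script below is an added example, not part of the original article; the function names are hypothetical, it assumes GNU stat, and the expected values are the ones this page sets. It also flags an entry whose from= option was pasted with typographic quotes, which does not match the option syntax sshd expects.

```shell
#!/bin/sh
# Added example: audit the files created by the steps above.
# Expected modes and owners are the ones this page sets.

# check_perm FILE MODE [OWNER:GROUP] -> 0 if FILE matches (GNU stat syntax)
check_perm() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U:%G' "$1")
    if [ "$mode" != "$2" ]; then
        echo "BAD     $1 mode $mode, expected $2"; return 1
    fi
    if [ -n "${3:-}" ] && [ "$owner" != "$3" ]; then
        echo "BAD     $1 owner $owner, expected $3"; return 1
    fi
    echo "OK      $1 ($mode $owner)"
}

# count_unrestricted FILE -> prints how many key entries do NOT begin with
# the from="127.0.0.1" option (blank lines and # comments are skipped)
count_unrestricted() {
    awk '/^[ \t]*(#|$)/ { next }
         !/^from="127\.0\.0\.1"[ ,]/ { n++ }
         END { print n + 0 }' "$1"
}

# audit_wp_keys HOME [USER WEBGROUP] -> 0 only if every check passes.
# Ownership is checked only when USER and WEBGROUP are given.
audit_wp_keys() {
    home=$1; rc=0; key_own=""; ssh_own=""
    if [ -n "${2:-}" ]; then key_own="$2:$3"; ssh_own="$2:$2"; fi
    check_perm "$home/wp_rsa" 640 "$key_own" || rc=1
    check_perm "$home/wp_rsa.pub" 640 "$key_own" || rc=1
    check_perm "$home/.ssh" 700 "$ssh_own" || rc=1
    check_perm "$home/.ssh/authorized_keys" 644 "$ssh_own" || rc=1
    if [ -r "$home/.ssh/authorized_keys" ]; then
        n=$(count_unrestricted "$home/.ssh/authorized_keys")
        [ "$n" -eq 0 ] || { echo "BAD     $n key(s) not limited to 127.0.0.1"; rc=1; }
    fi
    return $rc
}

# Run as root on the server: sh audit.sh /home/wp-user wp-user www-data
[ $# -eq 0 ] || audit_wp_keys "$@"
```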

 

Modify WordPress Configuration to Use Keys

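Install the packages necessary for WordPress to authenticate SSH logins. The package names below follow Debian/Ubuntu naming; if your package manager does not find them, install your distribution's equivalents of the PHP development headers, the libssh2 development library and the PHP ssh2 extension.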

$ yum update -y

$ yum install php5-dev libssh2-1-dev libssh2-php

Edit the WordPress configuration file and set the following values:

$ vi /var/www/html/wp-config.php

define('FTP_PUBKEY','/home/wp-user/wp_rsa.pub');

define('FTP_PRIKEY','/home/wp-user/wp_rsa');

define('FTP_USER','wp-user');

define('FTP_PASS','');

define('FTP_HOST','127.0.0.1:22');

Save and close the configuration file, then set the permissions and ownership of the wp-content directory:

$ chmod 755 -R /var/www/html/wp-content

$ chown -R wp-user:www-data /var/www/html/wp-content

 

Restart Apache

After completing the above steps successfully, you need to restart Apache.

$ /etc/init.d/httpd restart

or

$ service httpd restart

 

Test the results

Log in to your WordPress Dashboard by visiting your site in a browser at the following URL:

yourdomain.com/wp-admin

You can check that the settings are correctly configured by attempting to install a new theme. Follow the steps below to install a theme:

Navigate to Appearance >> Themes >> Install Themes

Search for a theme or click on “Featured” themes and click on install. It should successfully log in, download, and install the package using your key files. You can click on “Activate” to switch to new theme and then click “visit site” to see the results.

 

If you need any further assistance please contact our support department.

 

 
