How to Configure Secure Updates and Installations in WordPress
WordPress is the most popular Content Management System used today. It is very simple, powerful and easy to manage. WordPress provides a wide range of plugins and most of them are free to use. You must install LAMP stack and WordPress before proceeding. You need to login as root or as a privileged user to perform these steps. Please note that you need to replace “wp-user” with your WordPress user and www-data with your Apache web user.
Set Up Secure Updates with SSH
Create a user called wp-user. This allows you to control a WordPress installation using the adduser command.
$ adduser wp-user
You will be asked to set new password for wp-user. You can leave all fields blank and press “ENTER” through all prompts.
Change the directory to WordPress installation directory using cd command.
$ cd /var/www/html/
Grant wp-user ownership for everything under this directory. The -R switch is used to change the ownership of directories and their contents recursively.
$ chown -R wp-user:wp-user /var/www/html/
Create SSH Keys for WordPress User
Switch to the WordPress user by using the below command
$ su – wp-user
The SSH key can be created using the ssh-keygen command. The type of key to be generated is specified with -t option and the number of bits is specified with -b option.
$ ssh-keygen -t rsa -b 4096
You will be asked to give the location to store SSH keys. You can choose /home/wp-user/wp-rsa and press enter for all prompts to create a key without password authentication. Enter the file in which to save the key (/home/wp-user/.ssh/id_rsa): /home/wp-user/wp_rsa
Exit out into your normal user (root) account:
You can grant ownership and group to wp-user and apache web user respectively to make permissions secure.
$ chown wp-user:www-data /home/wp-user/wp_rsa*
$ chmod 0640 /home/wp-user/wp_rsa*
You need to create .ssh directory under wp-user home directory and give it appropriate permissions and ownership so that web process can log in.
$ mkdir /home/wp-user/.ssh
$ chown wp-user:wp-user /home/wp-user/.ssh
$ chmod 0700 /home/wp-user/.ssh/
Copy the public key into authorized keys file so that the user can log in using these credentials.
$ cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
You need to adjust the permissions and ownership of these files can be accessed, while remaining secure:
$ chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
$ chmod 0644 /home/wp-user/.ssh/authorized_keys
Since these keys will only be used for logging in from within the WordPress site, which is on the same computer, we can restrict the login to this server:
$ vi /home/wp-user/.ssh/authorized_keys
At the very beginning of the file, before any of the other text, add the portion given below to restrict the key usage to the local computer:
Save and close the file.
Modify WordPress Configuration to Use Keys
Install the packages necessary for WordPress to authenticate SSH logins:
$ yum update -y
$ yum install php5-dev libssh2-1-dev libssh2-php
Edit the WordPress configuration file and set the values.
$ vi /var/www/html/wp-config.php
Save and close the configuration file.
$ chmod 755 -R /var/www/html/wp-content
$ chown -R wp-user:www-data /var/www/html/wp-content
After completing the above steps successfully, you need to restart Apache.
$ /etc/init.d/httpd restart
$ service httpd restart
Test the results
Login to your WordPress Dashboard by visiting your site in a browser at the following URL
You can check the settings are correctly configured by attempting to install a new theme. Please follow the below steps to install theme:
Navigate to Appearance >> Themes >> Install Themes
Search for a theme or click on “Featured” themes and click on install. It should successfully log in, download, and install the package using your key files. You can click on “Activate” to switch to new theme and then click “visit site” to see the results.
If you need any further assistance please contact our support department.