Setting up a secure WordPress server

As you know, this website is no slouch, and here is why: by using NGINX, HTTP/2 and SSL along with a CDN like Cloudflare you can create a very quick and easy-to-manage site with very little work. My site in particular moves around (it is my sandbox really), but it is currently hosted on a cheap VPS at Amazon AWS and, as you know, it is quite quick even under load. So, if you’d like to follow suit, follow this simple guide to get a basic SSL-encrypted WordPress site up and running in no time!

You’ll need:
– A Virtual Machine hosted somewhere. For a first VPS I’d recommend either Linode or Amazon AWS.
– Some patience, especially if you’re new to Linux.
– A domain name – I recommend https://metaname.net for your domain name needs.

Getting Started:

You’ll want to provision your VM with Ubuntu 16.04 LTS 64-bit from your provider; this will also work on Ubuntu 14.04 and Debian 8. LTS stands for long-term support: this version is fully supported until April 2021, making it ideal for server-based environments. Personally, I run Debian on all my servers.

Now, by default most providers will give you full root access over SSH, and no, you don’t want this. So, using your favourite SSH program (PuTTY for Windows, or just the ssh command on OSX/Linux), let’s fix this:

# Run these as root. Replace "user" with the username you desire.
apt-get install mosh ufw sudo
adduser user        # creates the account and prompts for its password
adduser user sudo   # adds the account to the sudo group

Set a secure password when prompted. Now edit /etc/ssh/sshd_config with a text editor like Nano (nano /etc/ssh/sshd_config): change Port to something other than 22 (in this example I’m going to use 2222) and set PermitRootLogin to no. Save and exit, then run “service ssh restart”. To test that everything works, log in as your new user in another SSH window and run “sudo -s” to verify you’ve still got root access. Only if this succeeds should you close your main root session. We also installed Mosh above, which is a far quicker way of using a virtual machine; using a Mosh client you can connect to your host via your custom SSH port.
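The two sshd_config changes above can also be scripted, which is handy if you rebuild the VM often. This is an added example, not code from the original post: it assumes only POSIX sh, grep and awk, the function names (harden_sshd_config, sshd_effective_port, sshd_effective_root_login) are my own, and the function takes the config path as an argument so you can rehearse it on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): apply the guide's two sshd
# hardening changes -- move the port off 22 and set PermitRootLogin no --
# as an idempotent script with a backup and basic input checks, then read
# back the values sshd will actually use.

harden_sshd_config() {
    cfg="$1"
    port="$2"

    # Reject anything that is not a plain number in 1..65535.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    if [ ! -f "$cfg" ]; then
        echo "no such file: $cfg" >&2
        return 1
    fi

    # Keep a backup so the change can be reverted from the provider's console
    # if sshd does not come back up on the new port.
    cp "$cfg" "$cfg.bak"

    # Remove every existing Port / PermitRootLogin line (commented or not) and
    # put the hardened values at the top of the file. Prepending matters:
    # sshd honours the first occurrence of a directive, and neither directive
    # is allowed inside a Match block, which usually sits at the end of the file.
    {
        printf 'Port %s\nPermitRootLogin no\n' "$port"
        grep -v -E '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin)[[:space:]]' "$cfg" || true
    } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Read back the effective values (first occurrence wins in sshd).
sshd_effective_port() {
    awk '$1 == "Port" { print $2; exit }' "$1"
}

sshd_effective_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; exit }' "$1"
}

# On a real host (as root), validate the syntax and restart exactly as the
# guide does, keeping your current session open until the new port is confirmed:
#   harden_sshd_config /etc/ssh/sshd_config 2222 && sshd -t && service ssh restart
```

Run it on a copy of your sshd_config first and check the read-back functions print 2222 and no. On newer Ubuntu releases the stock sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, and values in those drop-in files are read before anything this script prepends, so check that directory too if the port does not change.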

Moving on…

It’s now time to set up your web server. This part is quite easy: instead of going through the absolute hell of configuring NGINX, MySQL, PHP and so on by hand, there is now a script that makes it easy, called EasyEngine.

So, let’s get this setup:

# Install EasyEngine (this downloads the installer script and runs it as root):
wget -qO ee rt.cx/ee && sudo bash ee
# Set up your new site - replace "example.com" with your domain name:
sudo ee site create example.com --wpfc --hhvm --letsencrypt
# Secure everything: allow only HTTP, HTTPS, your SSH port and Mosh's UDP range, then turn the firewall on.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 2222/tcp # Replace 2222 with your SSH port.
sudo ufw allow 60000:61000/udp # Mosh's default UDP port range.
sudo ufw enable

The script also prints your WordPress admin username and password. Make sure you note these down, then browse to https://example.com/wp-admin/ to configure your new beast.

So, if you just want a simple no-frills WordPress site, you can essentially stop here. You’ll also need to add the A and AAAA records for your host at your domain provider by following their instructions; running “ifconfig” on the VM will give you the IPv4 and IPv6 addresses to add.

Some light reading:

What are A and AAAA records? https://classicyuppie.com/dns-crash-course-a-aaaa-ptr-records/

Conclusion:

So, now you’ve actually got a secure and fast WordPress site to get you started. The site is also encrypted with Let’s Encrypt (free SSL), making it rather secure. There is more fine-tuning you can do by following the wiki articles on the EasyEngine website, but this is a good start to get a secured SSL WordPress site up and running.

You can also secure your site further via Cloudflare and more firewall rules by following my guide here: https://murfy.nz/2015/12/cloudflare-site-security/

  • philipnewmannz

    How reliable is VirtWire’s VM platform? I’ve experienced issues in the past with some of the cheaper VM providers.

  • Paul Bolger

    Nice write-up – ee rocks!

    One minor point: shouldn’t the port for Mosh be 60000:61000?

    • michaelmurfy

      Good point. You could do “ufw allow mosh” instead.