CentOS 6.x on VMware Player: Part 6

Note: these documents are subject to update; this one was last edited 05/28/2014.

Part 6: Installing WordPress

  • Note that many things in this WordPress installation are dependent on configurations in previous parts of this series.
  • Firefox your way to wordpress.org and download the .zip version of WordPress.
  • Choose Save File then OK.
  • # cp /home/you/Downloads/wordpress-3.9.zip /www/yourdomain.com
  • # cd /www/yourdomain.com
  • # unzip ./w* ; cd wordpress ; mv * .. ; cd .. ; rm -fr wordpress
  • # cp -a wp-config-sample.php wp-config.php
  • # chown -R apache ../*
  • # mysql -uroot -pyourpassword
  • mysql> create database databasename;
  • mysql> use databasename;
  • mysql> grant all on *.* to wp_service@'localhost' identified by 'password';
  • mysql> flush privileges;
  • mysql> exit
  • # vi wp-config.php
  • These lines need to be edited with the database name, service user and password created above; do not use root.

  • Save and exit the file.
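The unpack, database and wp-config.php steps above as one script, added here as an example and not taken from the original post. The paths, database name, service user and password are assumptions to replace with your own; the script also narrows two things the post does by hand: the grant is scoped to the WordPress database instead of *.*, and the chown covers only the site's document root.

```shell
#!/bin/sh
# Added example, not from the original post: the unpack, database and
# wp-config.php steps as one script. Every path, name and password below is
# an assumption; substitute your own. Run as root on the CentOS 6 guest.
set -e

# Build the MySQL statements for the database and its service account.
# The post grants ALL ON *.*; this grants only on the WordPress database, so
# a leaked wp-config.php password does not expose other databases.
# GRANT ... IDENTIFIED BY is the MySQL 5.1 syntax CentOS 6 ships with. Keep
# the password free of single quotes, since it is interpolated into SQL.
wp_db_sql() {
    db="$1"; user="$2"; pass="$3"
    printf "CREATE DATABASE IF NOT EXISTS \`%s\` CHARACTER SET utf8;\n" "$db"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db" "$user" "$pass"
    printf "FLUSH PRIVILEGES;\n"
}

# Create wp-config.php from wp-config-sample.php by filling in the three
# placeholders WordPress 3.9 ships (database_name_here and friends). '|' is
# the sed delimiter so a '/' in the password does not break the substitution.
wp_write_config() {
    dir="$1"; db="$2"; user="$3"; pass="$4"
    sed -e "s|database_name_here|$db|" \
        -e "s|username_here|$user|" \
        -e "s|password_here|$pass|" \
        "$dir/wp-config-sample.php" > "$dir/wp-config.php"
    chmod 640 "$dir/wp-config.php"    # it holds the DB password: no world read
}

# Read back one define('NAME', 'value') from a wp-config.php (used to verify).
wp_config_get() {
    sed -n "s/^define('$2', *'\(.*\)');.*/\1/p" "$1"
}

# The side-effecting procedure: unpack, flatten wordpress/, create the DB,
# write the config, hand the tree to the apache user (narrower than ../*).
# mysql -p with no value prompts for the root password instead of putting it
# on the command line where ps and the shell history can see it.
wp_install() {
    zip="$1"; docroot="$2"; db="$3"; user="$4"; pass="$5"
    mkdir -p "$docroot"
    unzip -q "$zip" -d "$docroot"
    mv "$docroot"/wordpress/* "$docroot"/
    rm -rf "$docroot/wordpress"
    wp_db_sql "$db" "$user" "$pass" | mysql -uroot -p
    wp_write_config "$docroot" "$db" "$user" "$pass"
    chown -R apache:apache "$docroot"
}

# Assumed guard: only runs with WP_DO_INSTALL=1, so the file can be sourced
# for its helper functions without touching the system.
if [ "${WP_DO_INSTALL:-0}" = "1" ]; then
    wp_install /home/you/Downloads/wordpress-3.9.zip /www/yourdomain.com \
               databasename wp_service 'change-me'
fi
```

Run it as `WP_DO_INSTALL=1 sh wp-install.sh` after adjusting the five arguments at the bottom; without the variable it only defines the functions, which is handy for checking the generated SQL with `wp_db_sql` before anything is executed.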
  • Browse to your site address and you should now see something like this:

[Screenshot: centos6.08]

  • VERY IMPORTANT: Fill out the obvious, and for Username do NOT use admin, administrator, root, your name, the name of the site or the domain name. I highly recommend you use something cryptic and impossible to guess for the Username.
  • Think of the WordPress Username as the 1st password the hacker bots have to guess. Towards the end of this post we will fix up the publicly displayed name associated with your Username.
  • Click Install, and in 1 or 2 seconds you should see Success! Go ahead and log in.

[Screenshot: centos6.09]

  • On to configuring Multisite: Dashboard > Settings > Permalinks.
  • Choose Day and name, then select Save Changes.
  • Be sure all plugins are deactivated.
  • # vi wp-config.php — above the line /* That's all, stop editing! Happy blogging. */ insert:

  • Refresh your browser to continue.
  • Dashboard > Tools > Network Setup – choose sub-domains and select Install.
  • Add the following to your wp-config.php file above the line reading /* That's all, stop editing! Happy blogging. */

  • Add the following to your .htaccess file in /www/yourdomain.com/, replacing other WordPress rules:

  • After completing these steps, log in again using the link provided. You might have to clear your browser’s cache and cookies in order to log in.
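The two wp-config.php edits and the .htaccess replacement from the Multisite steps above, as an added example that is not part of the original post. The helper inserts text directly above the "That's all, stop editing" marker, the defines are the ones WordPress 3.9's Network Setup screen prints for a sub-domain install (compare them against what your own screen shows; the domain is an assumption), and the `SUNRISE` define is the one the WordPress MU Domain Mapping plugin's install notes require after sunrise.php is copied, which the post's plugin steps below do not mention.

```shell
#!/bin/sh
# Added example, not from the original post: the wp-config.php and .htaccess
# edits for a sub-domain Multisite network. Domain and paths are assumptions.
set -e

# Insert $2 (may span several lines) immediately above the stop-editing
# marker in $1. The text travels through the environment so awk does not
# reinterpret backslashes in it.
wp_config_insert_above_marker() {
    cfg="$1"
    WP_INSERT="$2" awk -v m="/* That's all, stop editing! Happy blogging. */" '
        !done && index($0, m) == 1 { print ENVIRON["WP_INSERT"]; done = 1 }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# First edit: makes Dashboard > Tools > Network Setup appear.
wp_enable_multisite() {
    wp_config_insert_above_marker "$1" "define('WP_ALLOW_MULTISITE', true);"
}

# Second edit: the block Network Setup prints for a sub-domain install in
# WordPress 3.9. Copy the values from your own Network Setup screen; $1 is
# an assumed domain.
wp_network_config() {
    printf '%s\n' \
        "define('MULTISITE', true);" \
        "define('SUBDOMAIN_INSTALL', true);" \
        "define('DOMAIN_CURRENT_SITE', '$1');" \
        "define('PATH_CURRENT_SITE', '/');" \
        "define('SITE_ID_CURRENT_SITE', 1);" \
        "define('BLOG_ID_CURRENT_SITE', 1);"
}

# The .htaccess rules WordPress 3.5+ generates for a sub-domain network; they
# replace the single-site WordPress block in /www/yourdomain.com/.htaccess.
wp_network_htaccess() {
    cat <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
EOF
}

# WordPress MU Domain Mapping needs this once sunrise.php sits in wp-content.
# It comes from the plugin's install notes, not from the post.
wp_enable_sunrise() {
    wp_config_insert_above_marker "$1" "define('SUNRISE', 'on');"
}

# Returns 0 when a define('NAME', ...) line exists in $1: a quick sanity check.
wp_config_has() {
    grep -q "^define('$2'," "$1"
}

# Assumed guard so the helpers can be sourced without editing anything.
if [ "${WP_DO_NETWORK:-0}" = "1" ]; then
    cfg=/www/yourdomain.com/wp-config.php
    wp_enable_multisite "$cfg"       # then run Dashboard > Tools > Network Setup
    wp_config_insert_above_marker "$cfg" "$(wp_network_config yourdomain.com)"
    wp_network_htaccess > /www/yourdomain.com/.htaccess
    wp_enable_sunrise "$cfg"         # only after sunrise.php has been copied
fi
```

In practice the first edit, the Network Setup screen and the second edit are three separate moments, so run the functions one at a time rather than all at once as the guarded block does; the guard only exists so the file can be sourced safely.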
  • Here are the plugins I recommend for security and functionality:
  • Dashboard > Plugins > Add New > WordPress MU Domain Mapping > Install Now > Network Activate.
    • Priority install and essential plugin for managing multiple domains.
    • # cp -a /www/yourdomain.com/wp-content/plugins/wordpress-mu-domain-mapping/sunrise.php /www/yourdomain.com/wp-content
    • Dashboard > Settings > Domain Mapping > Put in your Server IP Address and check Permanent redirect then Save.
    • Dashboard > Settings > Domains – you can add additional domains here, do not add your base domain.
  • Dashboard > Plugins > Add New > WangGuard > Install Now > Network Activate.
    • Priority install and a great essential plugin. It will save you from tons of annoying bot logins. Not only is WangGuard my #1 favorite plugin, but its developer is my #1 favorite plugin developer: José at WangGuard gives amazingly attentive personal support.
    • Get (free) or enter an existing WangGuard API key good for all sites at Dashboard > WangGuard > Configuration.
  • Dashboard > Plugins > Add New > Login Security Solution > Install Now > Network Activate.
    • Priority install and essential plugin.
    • Requires very strong passwords, repels brute force login attacks, prevents login information disclosures, expires idle sessions, notifies admins of attacks and breaches, permits administrators to disable logins for maintenance or emergency reasons and reset all passwords.
  • Dashboard > Plugins > Akismet > Network Activate.
    • Priority install and essential plugin.
    • Every individual site will have to get (free) or enter an existing API key at Site Dashboard > Settings > Akismet.
    • This plugin will protect you from spam comments etc.
  • I’m sure you’re anxious to add content to WordPress however I highly recommend you install and configure the above priority installs first. The plugins below may or may not be applicable to your site plans.
  • Dashboard > Plugins > Add New > Multisite User Management > Install Now > Network Activate.
    • Essential for Multisite.
  • Dashboard > Plugins > Add New > Simple Access Control > Install Now > Network Activate.
    • This will allow you to set whether users must be logged in or not to view individual pages. The settings are in page edit mode.
  • Dashboard > Plugins > Add New > WordPress Importer > Install Now > Network Activate.
    • This will allow you to import site content from various platforms including WordPress.
  • Dashboard > Plugins > Add New > WP Crontrol > Install Now > Network Activate.
    • Gives you some control and visibility into the cron job scheduling process on WordPress. Ultimately WordPress cron is worthy of being ditched for a Linux cron especially on busy sites.
  • Dashboard > Plugins > Add New > bbPress > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > GD bbPress Attachments > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > GD bbPress Tools > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Contact Form 7 > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Page Links To > Install Now > Network Activate.
  • Dashboard > Plugins > Add New > Twitter Profile Field > Install Now > Network Activate.
  • Now to fix a huge security hole in WordPress: for any user that has any kind of admin privileges, edit the user's Nickname and "Display name publicly as" to something completely unrelated to the Username.
  • Then be sure to go to a MySQL prompt or MySQL Workbench and execute something like the following for every user with admin privileges:
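Added example, not the post's own SQL: the shape of the UPDATE described above, plus a check for the guessable logins the Username advice earlier in this part tells you to avoid, an audit query for admin accounts whose public names still equal their login, and a way to confirm on your own site that the author URL no longer exposes the login. The `wp_` table prefix, the domain and the names are assumptions; `shadowshift` is reused from the post as the public name.

```shell
#!/bin/sh
# Added example, not from the original post. Table prefix (wp_), domain and
# account names are assumptions.
set -e

# Exit 0 (weak) when the login is one of the names the post forbids: admin,
# administrator, root, the site name, or the domain with or without its TLD.
# $1 = candidate login, $2 = domain, $3 = site name (optional)
wp_login_is_weak() {
    login=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    site=$(printf '%s' "${3:-}" | tr 'A-Z' 'a-z')
    label=${domain%%.*}               # "yourdomain" from "yourdomain.com"
    for bad in admin administrator root "$domain" "$label" "$site"; do
        if [ -n "$bad" ] && [ "$login" = "$bad" ]; then
            return 0
        fi
    done
    return 1
}

# The UPDATE: user_nicename is the slug in /author/<slug>/ URLs and
# display_name is "Display name publicly as". Both get the public name;
# user_login (what you type at wp-login.php) is left alone.
# $1 = table prefix, $2 = real login, $3 = public name
wp_nicename_sql() {
    printf "UPDATE %susers SET user_nicename = '%s', display_name = '%s' WHERE user_login = '%s';\n" \
        "$1" "$3" "$3" "$2"
}

# Audit: administrators whose public slug or display name still equals the
# login, i.e. accounts whose real username is visible in author URLs.
# Capabilities live in usermeta under <prefix>capabilities as a serialized
# array, hence the LIKE match.
wp_nicename_audit_sql() {
    printf "SELECT u.ID, u.user_login, u.user_nicename, u.display_name FROM %susers u JOIN %susermeta m ON m.user_id = u.ID WHERE m.meta_key = '%scapabilities' AND m.meta_value LIKE '%%administrator%%' AND (u.user_nicename = u.user_login OR u.display_name = u.user_login);\n" \
        "$1" "$1" "$1"
}

# Confirm on your own site that the real login no longer resolves as an
# author archive: 200 means it is still disclosed, 404 means the fix took.
# Needs network access, so it is not exercised here.
wp_author_url_status() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/author/$2/"
}

# Assumed guard: apply the UPDATE for one account with WP_FIX_LOGIN=1.
if [ "${WP_FIX_LOGIN:-0}" = "1" ]; then
    wp_nicename_sql wp_ 'real-login' 'shadowshift' | mysql -uroot -p databasename
    wp_nicename_audit_sql wp_ | mysql -uroot -p databasename
fi
```

The audit query should return no rows once every admin has been fixed; run it again after adding administrators, since a new account starts with user_nicename equal to its login.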

  • VERY IMPORTANT: I recommend that the 'shadowshift' portion of the update above be exactly the same as your profile Nickname and "Display name publicly as". I stress that all 3 of these name versions should be nothing like your Username.
  • Otherwise anyone will be able to see the real Username used to log in and will have half the equation for hacking admin accounts, even if it is mathematically very unlikely that they brute force a good password.
  • Example: http://shadowshift.com/author/shadowshift. Trust me, bots will scrape this URL from Google for your Username.
  • The net effect of this change is that, all day and night, hackers and bots try to guess the password of an account that does not exist, in this case shadowshift: a great URL and a lousy Username.
  • OK, installing WordPress is done for now, but I do expect to update this substantially over time, so be sure to check back.

If you have any questions or suggestions don’t hesitate to reach out to me!