Re: wordpress, again
Glenn,
I notice you're still having problems, so, for what it's worth....
I've had Wordpress running on Debian, with Apache for years, and
recently did a reinstall after getting hacked. Here's the step by step
that I jotted down:
0. Caveat, this is running under Lenny, in a Xen VM - that shouldn't
affect anything, but you never know:
1. Prerequisites
- apache w/ mod_rewrite, php, mysql - all installed from Debian packages
with apt
- running as www:www
2. Set up DNS records for site
3. Download and install Wordpress (I've never had any luck with the
packaged version)
- as root
cd /var
wget http://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
mv wordpress gd
- seemed to untar as www-data:www-data, but you may need to
chown -R www-data:www-data ./<site>
4. Set up database using mysqladmin (note: php_myadmin makes things
slightly easier)
mysql -p<youradminpassword>
CREATE DATABASE <sitename>;
GRANT ALL PRIVILEGES ON <sitename>.* to <you>@localhost IDENTIFIED BY
'<password>';
FLUSH PRIVILEGES;
4. Set up Apache
----------- my /etc/apache2/sites/<site> file (note: provides both http:
and https: access) ---------------
----------- note: needs to have your site's info inserted
<VirtualHost x.x.x.x:80>
ServerAdmin webmaster@<site>.org
ServerName <site>.org
DocumentRoot /var/<site>/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/<site>/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
<VirtualHost x.x.x.x:443>
ServerAdmin webmaster@<site>.org
ServerName <site>.org
DocumentRoot /var/<site>/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/<site>/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
----------------------------------------
a2ensite <site>
/etc/init.d/apache2 reload
5. Set up Wordpress via installer URL
6. A little hardening
see
http://www.slideshare.net/williamsba/now-thats-what-i-call-wordpress-security-2010
for some good guidance
chmod 644 wp-config.php
mv wp-config.php ../
note: left wp-content directory in its normal place (I think moving it
screws up my https: setup)
installed, set up, activated:
- Akismet (spam filtering)
- Better WP Security (NOTE: Includes a database backup function)
- Exploit Scanner
- Jetpack
- VSF Simple Block (blocks IP addresses)
- Wordfence (NOT activated, I use its scanner occasionally)
- Wordpress Firewall 2 (does some automatic blocking of IP addresses
based on behavior)
- WP Security Scan (also NOT activated, I use its security scanner
periodically)
- configure things, including backups (I use Better WP Security for the
database backup, my overall system backup for the static files in /var)
7. And, of course, update everything through the Wordpress dashboard,
and then re-run security scans.
Hope this helps.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
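Added example, not part of Miles's message: a small POSIX sh check that verifies the file layout steps 3 and 6 above leave behind (files owned by the web user, wp-config.php moved one level above the DocumentRoot and not group/world writable). The function name and the argument names are my own; it assumes GNU stat as shipped with Debian.

```shell
#!/bin/sh
# check_wp_layout <docroot> <web_user>
# Re-checks what the install steps should have produced. Prints one line per
# finding and returns 0 when everything passes, 1 otherwise.
check_wp_layout() {
    docroot=$1
    owner=$2
    rc=0

    # Step 6 moves wp-config.php out of the DocumentRoot; a copy left behind
    # would be served as PHP (or as plain text if PHP ever breaks).
    if [ -f "$docroot/wp-config.php" ]; then
        echo "FAIL: $docroot/wp-config.php still inside DocumentRoot"
        rc=1
    fi

    # WordPress looks for the moved file in the parent directory.
    cfg=$(dirname "$docroot")/wp-config.php
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        rc=1
    else
        # The file holds the database credentials: no group/other write bits.
        mode=$(stat -c %a "$cfg")
        case "$mode" in
            644|640|600|444|440|400) ;;
            *) echo "FAIL: $cfg mode $mode (expected 644, 640 or 600)"; rc=1 ;;
        esac
    fi

    # Step 3 chowns the tree to the web user; anything else is a leftover
    # from untarring as root.
    bad=$(find "$docroot" ! -user "$owner" | wc -l)
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad path(s) under $docroot not owned by $owner"
        rc=1
    fi
    return $rc
}
```

Run it as `check_wp_layout /var/<site> www-data` after step 6 and again after each update, since some updates re-create files as the user running them.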