Scripted WordPress Installation (for Reverse Proxy) 2.3.5

Update the Caddy webserver to:

1. Use ISO 8601 time-stamping for logging.
2. Harden WordPress
3. Mitigate spam attacks on WordPress

Refer to the Caddyfile at https://github.com/basilhendroff/truenas-iocage-wordpress/blob/master/includes/Caddyfile for the latest changes. If you've used an earlier version of the WordPress script and would like to take advantage of these improvements, reflect any changes in /usr/local/www/Caddyfile in your WordPress jail.

The password text file located in /root contains the WordPress site administrator password for MariaDB. With this update, the installation script backs the password file up to the WordPress site root.

If you've used a previous version of this script, you may need to take action. Consider the following scenario:

You regularly back up the datasets for your WordPress sites, but you haven't backed up the password files in /root. If you lose the system, you may be able to restore the WordPress sites, but, without the password files, you will no longer have administrator access to MariaDB.

The recommended course of action is to copy each site password file to its respective WordPress site root. For example, for a single WordPress site, assuming you've used the script defaults, the password file path will be /root/wordpress_db_password.txt and assuming your pool is named tank, the path to the site root will be /mnt/tank/apps/wordpress. Copy the password file there e.g.

Code:

cp /root/wordpress_db_password.txt /mnt/tank/apps/wordpress

Your password file will then be backup up as part of the backup of your WordPress datasets (you are doing this aren't you?). If you ever have to rebuild the server, just restore your WP sites and copy the backed up password file located in each site root back to /root.

Refer to the 2.3.3 changelog for details.

To update your existing WordPress jails, run the following commands within the jail:

Code:

sed -i '' "s|/var/log/access.log|/var/log/caddy/access.log|" /usr/local/www/Caddyfile
sed -i '' "s|validate|configtest|" /usr/local/etc/rc.d/caddy
sysrc -x caddy_logdir
service caddy restart

Previously bespoke installed, Caddy is now installed using the pkg package manager. Refer to the 2.3.2 changelog for details.

To update your existing WordPress jails, run the following commands within the jail:

Code:

pkg install caddy
sed -i '' "s|configtest|validate|" /usr/local/etc/rc.d/caddy
sysrc caddy_logdir="/var/log"
service caddy restart

Improved error checking around the WP_ROOT configuration variable introduced in the last release. Refer to the 2.3.1 changelog for details. There is no change to existing jails.

1. A Caddy web server serves the PHP files in the WordPress jail. Caddy has been upgraded from 2.2.1 to 2.3.0.

To update your WordPress jail, assuming the jail is named wordpress, enter the jail iocage console wordpress and update Caddy:

Code:

cd /usr/local/bin
fetch https://github.com/caddyserver/caddy/releases/download/v2.3.0/caddy_2.3.0_freebsd_amd64.tar.gz
caddy version #2.2.1
service caddy stop
mv caddy caddy_2.2.1
tar xvf caddy_2.3.0_freebsd_amd64.tar.gz
service caddy start
caddy version #2.3.0
rm caddy_2.3.0_freebsd_amd64.tar.gz

2. Configuration variable WP_ROOT replaces FILES_PATH and DB_PATH. This should make script configuration clearer. No change is required for existing WP jails. The change only affects new installations and rebuilds using the latest script.

Notable changes in this release:

1. Install the command line tool WP-CLI within the jail.
2. Bugfix: Avoid the use of $ when generating passwords.
3. Bugfix: Authentication keys and salts in wp-config.php.

Acknowledgements: @NasKar for his valuable contributions to this release.

To update your wordpress jail if you've run the previous version 2.1.0 of the script, enter the jail iocage console wordpress and then follow the instructions below.

Install WP-CLI

Code:

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp 

Amendments to wp-config.php

Edit wp-config.php cd /usr/local/www/wordpress && ee wp-config.php.

To support WP_CLI, replace the lines (near the top of the file)...

Code:

define('FORCE_SSL_ADMIN', true);
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
  $_SERVER['HTTPS']='on';

...with...

Code:

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
  $_SERVER['HTTPS']='on';
}

Next, search for AUTH_KEY. If on the next line, AUTH_KEY is also defined, change that to SECURE_AUTH_KEY. Repeat for AUTH_SALT.

References:

1. Installing WP-CLI.
2. PHP notice: Undefined index on $_SERVER superglobal

After a somewhat bumpy ride upgrading from MariaDB 10.3 to 10.4, the upgrade from MariaDB 10.4 to 10.5 turned out to be painless. There are no outwardly visible changes arising from the upgrade. Assuming you've previously run version 2.0.0 of the installation script, you can upgrade to the newer version of MariaDB by performing the following steps within the WordPress jail:

It's recommended that you backup the MariaDB databases before proceeding. You can use phpMyAdmin to accomplish this. Once you've completed the backup, proceed with the following steps:

1. Stop MariaDB service mysql-server stop
2. Remove MariaDB 10.4 pkg delete mariadb104-server and its dependencies pkg autoremove
3. Install MariaDB 10.5 pkg update and pkg install mariadb105-server
4. Start MariaDB service mysql-server start
5. f you've upgraded from an earlier version of MariaDB (10.3 or earlier), you may still need the root db password for this step. Upgrade the database mysql_upgrade -p

Reference: Upgrading from MariaDB 10.4 to MariaDB 10.5

MariaDB 10.4 uses an improved authentication model. Versions 1.x of the script used MariaDB 10.3. Assuming you've previously run version 1.5.0 of the installation script, you can upgrade to the newer version of MariaDB by performing the following steps within the WordPress jail:

It's recommended that you backup the MariaDB databases before proceeding. You can use phpMyAdmin to accomplish this. Once you've completed the backup, proceed with the following steps:

1. Stop MariaDB service mysql-server stop
2. Remove MariaDB 10.3 pkg delete mariadb103-server and its dependencies pkg autoremove
3. Install MariaDB 10.4 pkg update and pkg install mariadb104-server
4. Make the following configuration changes within the jail:

Code:

chown mysql:mysql /var/run/mysql
sed -i '' "s|mysqli.default_socket =|mysqli.default_socket = /var/run/mysql/mysql.sock|" /usr/local/etc/php.ini

5. Start MariaDB service mysql-server start
6. Restart PHP services service php-fpm restart
7. If you're upgrading from an earlier version of MariaDB (10.3 or earlier), you may need the root db password for this step. Upgrade the database mysql_upgrade -p

Reference: Upgrading from MariaDB 10.3 to MariaDB 10.4

Create and configure a phpMyAdmin database to store configuration data.

To update your WordPress jail wordpress if you've run the previous version 1.4.8.1 of the script:

1. First note the wordpress user password of the WordPress database cat /root/wordpress_db_passwords.txt
2. Enter the jail iocage console wordpress and execute the following commands, substituting the wordpress user password for ${DB_PASSWORD}.

Code:

mysql -u root -e "CREATE DATABASE phpmyadmin;"
mysql -u root -e "GRANT ALL PRIVILEGES ON phpmyadmin.* TO wordpress@localhost IDENTIFIED BY '${DB_PASSWORD}';"

3. Using a browser, log in to phpMyAdmin and follow the signposts to store phpMyAdmin configuration data in the phpmyadmin database.