How to Secure WordPress Installation with Bedrock on Google Cloud Platform
Bedrock is a WordPress boilerplate with a different, improved directory structure and easier configuration.
It is more secure because it isolates the web root, which limits access to non-web files, and it supports more secure passwords through wp-password-bcrypt, which replaces MD5 hashing with the modern bcrypt method.
In this guide you are going to learn how to install and configure WordPress using Bedrock. This setup is tested on Google Cloud Platform.
Prerequisites
- If you are on Google Cloud, you need to set up a VM instance with Ubuntu 20.04.
- Complete LAMP setup with Let's Encrypt SSL
Once you have completed the above prerequisites, you can proceed to set up Bedrock.
Install Composer
Composer is required to install and configure Bedrock. You can install Composer using the following command.
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/bin --filename=composer
Setup Bedrock based WordPress
Navigate to your web root directory.
cd /var/www/html/yourpath/public
Download Bedrock based WordPress using Composer.
sudo composer create-project roots/bedrock .
Notice the . at the end, which means set up the WordPress contents directly inside this folder without creating a subdirectory named bedrock.
Now if you check the structure using the ls command, you will see the structure as below.
├── composer.json
├── config
│   ├── application.php
│   └── environments
│       ├── development.php
│       ├── staging.php
│       └── production.php
├── vendor
└── web
    ├── app
    │   ├── mu-plugins
    │   ├── plugins
    │   ├── themes
    │   └── uploads
    ├── wp-config.php
    ├── index.php
    └── wp
- The web directory is the web root of your WordPress.
- The app directory will have your uploads, themes and plugins.
With this directory structure you won't have wp-content; instead you will have the app directory.
Your admin files will be located inside the wp directory.
Configure Bcrypt for Secure Password
Install wp-password-bcrypt using Composer to secure your passwords using bcrypt.
sudo composer require roots/wp-password-bcrypt
This command will include a file named wp-password-bcrypt.php, which will be automatically autoloaded by Composer and won't appear in your plugins.
Configure Apache to use the Correct Web Root
Now you need to update the DocumentRoot and Directory paths to point to the web directory.
Edit your virtual host configuration with the command below.
sudo nano /etc/apache2/sites-available/domainname.conf
Make sure your file looks the same as below.
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName domainname.com
    ServerAlias www.domainname.com
    DocumentRoot /var/www/html/domainname/public/web
    <Directory /var/www/html/domainname/public/web>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Hit CTRL + X followed by Y and ENTER to save and exit the file.
Now do the same for the virtual host which has the SSL configuration to point to the correct web root.
Restart Apache for the changes to take effect.
sudo service apache2 restart
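A quick way to confirm that both virtual hosts now serve only the web directory, as an added example that is not part of the original guide or the Bedrock project. The function names docroots and check_vhosts are hypothetical, and the script assumes paths without spaces.

```sh
#!/bin/sh
# Added example (not from the Bedrock project): audit Apache vhosts for the
# web-root isolation this guide sets up. Function names are hypothetical.

# Print every DocumentRoot value in one vhost file, with quotes stripped.
docroots() {
    awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2 }' "$1"
}

# check_vhosts <bedrock_project_dir> <vhost.conf>...
# Exit status 0 only if every DocumentRoot is <project>/web and none of the
# non-web files (.env, composer.json, config/, vendor/) sit inside it.
check_vhosts() (
    project=${1%/}; shift; rc=0
    for conf in "$@"; do
        seen=0
        for root in $(docroots "$conf"); do   # assumes paths without spaces
            seen=1; root=${root%/}
            if [ "$root" != "$project/web" ]; then
                echo "FAIL $conf: DocumentRoot $root, expected $project/web"; rc=1
            fi
            for f in .env composer.json config vendor; do
                if [ -e "$root/$f" ]; then
                    echo "FAIL $conf: $root/$f sits inside the served directory"; rc=1
                fi
            done
        done
        if [ "$seen" -eq 0 ]; then
            echo "FAIL $conf: no DocumentRoot directive found"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: all vhosts serve $project/web only"
    exit "$rc"   # exits only the function's subshell
)

# Run against real files when arguments are given, e.g.
#   sh check_vhosts.sh /var/www/html/domainname/public \
#       /etc/apache2/sites-available/domainname.conf
if [ "$#" -ge 2 ]; then
    check_vhosts "$@"
fi
```

Pass the SSL virtual host file as an additional argument so that both configurations are checked in one run.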
Create Database for WordPress
If you already have a database and user, you can skip to configuring the .env file.
Log in to your MySQL console.
mysql -u root -p
Use the password you used while setting up the server.
Execute the command below to create a new database.
CREATE DATABASE database_name /*!40100 DEFAULT CHARACTER SET utf8mb4 */;
Create a new user and assign it to the database created above.
CREATE USER 'username'@'localhost' IDENTIFIED BY 'secure_password';
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'localhost';
Flush privileges.
FLUSH PRIVILEGES;
Now you have a new database, username and the password for your WordPress.
Configure WordPress with Database
Edit the .env file that is located outside the web root.
sudo nano /var/www/html/yourpath/public/.env
Update the following with the details you used before.
- DB_NAME => database_name
- DB_USER => username
- DB_PASSWORD => secure_password
- Uncomment the DB_HOST and DB_PREFIX.
- Modify the DB_PREFIX with the one you wish.
Generate salts using this URL (https://roots.io/salts.html) and replace the keys below.
Configure .htaccess
Now configure the .htaccess file, or you can also refresh the permalinks, to have pretty URLs.
sudo nano /var/www/html/yourpath/public/web/.htaccess
Add the below configuration to it.
#BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
#END WordPress
Now you can check your website in a web browser and follow the on-screen instructions to complete the installation.
Conclusion
Now you have learned how to install WordPress securely with Bedrock.
Thanks for your time. If you face any problem or have any feedback, please leave a comment below.