How to Secure WordPress Installation with Bedrock – Google Cloud

How to Secure WordPress Installation with Bedrock on Google Cloud Platform. Bedrock is a WordPress boilerplate with a different improved directory structure and easier configuration.

It is more secure by isolating the web root and limit access to non-web files and more secure passwords using wp-password-becrypt which replaces the MD5 hashing with modern bcrypt method.

In this guide you are going to learn how to install and configure WordPress using Bedrock. This setup is tested on Google Cloud Platform.

Prerequisites

• If you are on Google Cloud you need to setup a VM Instance with Ubuntu 20.04.
• Complete LAMP setup with Let’sEncrypt SSL

Once you have the above prerequisites completed you can proceed to setup Bedrock.

Install Composer

Composer is required to install and configure Bedrock. You can install composer using the following command.

curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/bin --filename=composer

Setup Bedrock based WordPress

Navigate yo your web root directory.

cd /var/www/html/yourpath/public

Download Bedrock based WordPress using Composer.

sudo composer create-project roots/bedrock .

Notice the . at the end, which means setup the WordPress contents directly inside this folder without creating a subdirectory named bedrock.

Now if you check the structure using ls command, you will see the structure as below.

├── composer.json
├── config
│   ├── application.php
│   └── environments
│       ├── development.php
│       ├── staging.php
│       └── production.php
├── vendor
└── web
    ├── app
    │   ├── mu-plugins
    │   ├── plugins
    │   ├── themes
    │   └── uploads
    ├── wp-config.php
    ├── index.php
    └── wp

• The web directory is the web root of your WordPress.
• The app directory will have your uploads, themes and plugins.

With this directory structure you wont have wp-content and instead of that your will have app directory.

Your admin files will be located inside the wp directory.

Configure Bcrypt for Secure Password

Install Bcrypt using composer to secure your passwords using bcrypt.

sudo composer require roots/wp-password-bcrypt

This command will include a file namedwp-password-bcrypt.php which will be automatically autoloaded by Composer and it won’t appear in your plugins.

Configure Apache to use the Correct Web Root

Now you need to update the Documentroot and Directory paths to point to the web directory.

Edit your virtual host configuration with the command below.

sudo nano /etc/apache2/sites-available/domainname.conf

Make sure your file looks same as below.

<VirtualHost *:80>
     ServerAdmin [email protected]
     ServerName domainname.com
     ServerAlias www.domainname.com

     DocumentRoot /var/www/html/domainname/public/web

     <Directory /var/www/html/domainname/public/web>
         Options Indexes FollowSymLinks
         AllowOverride All
         Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log 
     CustomLog ${APACHE_LOG_DIR}/access.log combined 
 </VirtualHost>

Hit CRTL + X followed by Y and ENTER to save and exit the file.

Now do the same for the virtual host which has the SSL configuration to point to the correct web root.

Restart Apache for the changes to take effect.

sudo service apache2 restart

Create Database for WordPress

If you already have database and user you can skip to configure .env file.

Login to your MySQL console.

mysql -u root -p

Use the password you used while setting up the server.

Execute the below command to create new database.

CREATE DATABASE database_name /*\!40100 DEFAULT CHARACTER SET utf8mb4 */;

Create new user and assign it to the above created database.

CREATE USER 'username'@'localhost' IDENTIFIED BY 'secure_password';
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'localhost';

Flush Privileges.

FLUSH PRIVILEGES;

Now you have a new database, username and the password for your WordPress.

Configure WordPress with Database

Edit the .env file that is located outside the web root.

sudo nano /var/www/html/yourpath/public/.env

Update the following with the details you used before.

• DB_NAME => database_name
• DB_USER => username
• DB_PASSWORD => secure_password
• Uncomment the DB_HOST and DB_PREFIX.
• Modify the DB_PREFIX with the one you wish.

Generate salts using this URL (https://roots.io/salts.html) and replace the keys below.

Configure .htaccess

Now you configure .htaccess file or you can also refresh the permalinks to have pretty URLs

sudo nano /var/www/html/yourpath/public/web/.htaccess

Add the below configuration to it.

#BEGIN WordPress

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

#END WordPress

Now you can check your website on web browser and follow the on screen instructions to complete the installation.

Conclusion

Now you have learned how to install WordPress securely with Bedrock

Thanks for your time. If you face any problem or any feedback, please leave a comment below.