How to set up a secure Media Temple DV Developer server for WordPress


WASHINGTON, DC – WordPress Developer

Important Notes

  • For all passwords you should use a secure password generator, like http://strongpasswordgenerator.com/. You may need to play around with the output so that it fits the MediaTemple password guidelines that disallow certain characters.
  • NOTE: Keep track of your passwords as soon as they are generated so that you don’t lose access to something if you accidentally overwrite your clipboard.
  • NOTE: I wrote this up after setting up an Ubuntu server. Other Linux distributions may require different commands, but the overall idea should be the same.

Steps

  1. Log in to MediaTemple and change the root password. Use http://strongpasswordgenerator.com/ to generate a new, strong password. You may need to modify it to fit within MT’s password guidelines.
  2. Log in over SSH using the IP address, root user, and password you just set.
  3. Follow all of the steps in this guide on MT: https://kb.mediatemple.net/questions/2010/How+do+I+install+a+LAMP+stack+to+my+server%3F#dv_developer/dvd_ubuntu
    • Any time it says /etc/init.d/apache2 reload you may have to use instead: service apache2 reload
    • The final step should be to create a database and user for the main website:
    • create database dbname; grant all on dbname.* to 'dbuser' identified by 'password';
    • We will use this later when installing WP or importing from another instance
  4. Create a new Linux user and add it to the www-data group
    • useradd -m -g users -G www-data unprivileged-user
    • passwd unprivileged-user
    • Sometimes, the wrong shell is assigned, so be sure to use the following command to keep things consistent: chsh -s /bin/bash unprivileged-user
  5. Now you can disable direct root SSH login (you will now use the unprivileged-user user you just created), and it would be a good idea to change the maximum authentication attempts and the SSH port number. These steps will make it much more difficult for a potential attacker to gain access to your server.
    • Follow this guide to disable direct root SSH login.
    • Follow this guide to change the SSH port. If you don’t know what port number to use, try 8722.
    • To restrict the maximum authentication attempts allowed, open the /etc/ssh/sshd_config file and look for MaxAuthTries (if it is not present, add it on a new line). The syntax is:
      • # Change 2 to the maximum number of tries you want to allow
        MaxAuthTries 2
    • You can still get root access by using the su command after logging in with unprivileged-user (you will need to enter the root user password).
  6. Install postfix mailserver
    • apt-get install postfix
    • Select “Internet Site” option
  7. Install PHP cURL extension
    • apt-get install php5-curl
  8. Install WP-CLI and add to PATH
    • curl -L https://raw.github.com/wp-cli/builds/gh-pages/phar/wp-cli.phar > wp-cli.phar
      chmod +x wp-cli.phar
      mv wp-cli.phar /usr/bin/wp
      wp --info #just to test it out
    • If you’re still logged in as root, it should display a warning. Ignore that for now. We just want to make sure it is working.
  9. Download the latest version of WordPress to the server
    • wp core download #run from web root directory where WordPress will reside
    • If you are setting up a brand new WP instance you can just continue to use WP-CLI
      1. wp core config --dbname=dbname --dbuser=dbuser --dbpass=password
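      2. wp core install --url=example.com --title="Site Title" --admin_user=admin-user --admin_password=password --admin_email=admin@example.com #replace the placeholder values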
    • If you are importing from another (staging/dev/prod) instance, you will only need to copy over the wp-content directory and the SQL dump
      1. On the old server:
        • tar cfz wp-content.tgz --exclude="cache" --exclude="*.tar" --exclude="*.tar.gz" --exclude="*.tgz" --exclude="*.bz2" --exclude="*.zip" --exclude="*.rar" wp-content (see: http://www.thegeekstuff.com/2010/04/unix-tar-command-examples/)
        • mysqldump -n -u user -p --add-drop-table database > database.sql
        • Put these files in a web-accessible directory so that you can use wget to quickly transfer them
      2. On the new server:
        • wget http://oldserver.com/database.sql
          wget http://oldserver.com/wp-content.tgz
          mysql -u dbuser -p -D dbname < database.sql
          tar xzf wp-content.tgz
        • View this guide on WordPress.org about moving your site: http://codex.wordpress.org/Moving_WordPress
    •  If you have a WPMUDEV membership, you can use the Snapshot plugin to import data
      1. NOTE: This method does not require changing the URLs like the 2nd method does, but it requires WordPress to be installed already
      2. Create new export of the current instance and download it to your computer
      3. Follow the WP-CLI installation instructions above to install WordPress
      4. Install the WPMUDEV Dashboard and Snapshot plugins on the new installation
      5. Import the snapshot and restore it via the GUI in the WP
      6. Ensure that everything imported correctly (users, styles, posts, pages, custom post types, settings, uploads, etc.) and browse the site to look for anything that looks wrong.
      7. We have found that this method may not work properly when importing a theme that uses a custom page builder, but your mileage may vary and you’re welcome to try it out.
  10. Set user and group ownership and permissions for the WP directories
    • chown -R unprivileged-user:www-data . #run these commands from the WP root directory; the owner is the user created in step 4
      find . -type d -exec chmod 0755 {} \;
      find ./wp-content -type d -exec chmod 0775 {} \;
      find . -type f -exec chmod 0644 {} \;
      chmod 0444 .htaccess
      chmod 0444 wp-config.php
      find . -type d -exec chmod g+s {} \; #setgid on directories makes new files/folders inherit the directory's group
  11. Enable direct file modification (for updating, adding plugins)
    • Edit wp-config.php, add define('FS_METHOD','direct');
  12. Enable mod_rewrite module:
    • sudo a2enmod rewrite && sudo service apache2 restart
  13. Log in to the WP backend and set permalinks. You will have to manually modify the .htaccess file if the permissions are set as indicated above. You can temporarily change it to 0666 and then set it back to 0444 afterward.
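
To check the result of steps 5 and 10, the script below (an added example, not part of the original guide) reads an sshd_config file and a WordPress root and reports anything that differs from what those steps configure. The function names and the sample files are constructed for illustration, and it assumes GNU stat, as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original guide: audit steps 5 and 10.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# FIRST occurrence of a keyword, matches keywords case-insensitively, and
# treats everything after a Match line as conditional.
sshd_value() {  # usage: sshd_value <config-file> <keyword>
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }            # blank or comment
        tolower($1) == "match"      { exit }            # end of global section
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# Step 5: root login off, non-default port, MaxAuthTries below sshd's default 6.
audit_sshd() {  # usage: audit_sshd <config-file>; one FAIL line per finding
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] ||
        echo "FAIL: PermitRootLogin is not explicitly 'no'"
    port=$(sshd_value "$1" Port)
    [ "${port:-22}" != "22" ] || echo "FAIL: sshd still listens on port 22"
    tries=$(sshd_value "$1" MaxAuthTries)
    [ "${tries:-6}" -lt 6 ] || echo "FAIL: MaxAuthTries is ${tries:-unset}"
}

# Step 10: wp-config.php and .htaccess are 0444 and nothing is world-writable.
audit_wp_perms() {  # usage: audit_wp_perms <wp-root>; assumes GNU stat
    for f in wp-config.php .htaccess; do
        mode=$(stat -c '%a' "$1/$f" 2>/dev/null) || mode=missing
        [ "$mode" = "444" ] || echo "FAIL: $f is $mode, expected 444"
    done
    find "$1" ! -type l -perm -0002 | sed 's/^/FAIL: world-writable: /'
}

# Constructed sample input so the script runs offline. On a real server, call
# audit_sshd /etc/ssh/sshd_config and audit_wp_perms <your WP root> instead.
umask 022
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'Port 8722' 'permitrootlogin no' \
    'MaxAuthTries 2' 'PermitRootLogin yes' > "$demo/sshd_config"
mkdir -p "$demo/wp/wp-content/uploads"
touch "$demo/wp/wp-config.php" "$demo/wp/.htaccess"
chmod 0444 "$demo/wp/wp-config.php"
chmod 0666 "$demo/wp/.htaccess"           # left open after the permalink step
chmod 0777 "$demo/wp/wp-content/uploads"  # world-writable upload directory
audit_sshd "$demo/sshd_config"            # prints nothing: all three checks pass
audit_wp_perms "$demo/wp"                 # prints three FAIL lines
```

On a live server, running sshd -T as root prints the configuration sshd actually applies and is the authoritative check for the SSH settings.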
