Tango Devlopment

Tag: wordpress

  • WordPress SSH2 configuration

    Instead of the packaged WordPress I run the version provided by WordPress. It is installed using a different userid from the userid the web server runs as.  To enable updates from the Admin Dashboard, I enabled sftp (ssh). This is how I did it.

    Using the sftp option requires the php ssh module. This command installs the php ssh module.

    apt install php-ssh2

    The FTP funtionality includes the sftp (ssh2) option for connectivity.  To enable this the /etc/wordpress/config.php file must be updated to include the following lines. (Use the appropriate directories for your installation.)

    // This value should be ssh2 not ssh
    define('FS_METHOD', 'ssh2');
    define('FTP_BASE', '/var/www/');
    define('FTP_CONTENT_DIR', '/var/www/wp-content/');
    define('FTP_PLUGIN_DIR ', '/var/www/wp-content/plugins/');
    define('FTP_PUBKEY', '/etc/wordpress/.ssh/id_rsa.pub');
    define('FTP_PRIKEY', '/etc/wordpress/.ssh/id_rsa');
    // user that owns wordpress install - should not be root
    define('FTP_USER', 'wordpress');
    // password for FTP_USER username - may be empty
    define('FTP_PASS', 'changeme');
    // hostname:port combo for your SSH/FTP server
    define('FTP_HOST', 'localhost');

    The following script creates and populates the directories required for ssh to work. An ssh key is generated and granted restricted access to the user owning the distribution. The last command verifies the setup.

    # Make the directories
www-data mkdir -p -m 0755 ~www-data/.ssh /etc/wordpress/.ssh
sudo chown www-data /etc/wordpress/.ssh
# Create the known hosts fi
sudo ssh-keyscan -c "localhost > ~www-data/.ssh/known_hosts"
sudo chmod 444 ~www-data/.ssh/known_hosts
# Generate the key file 
sudo -u www-data ssh-keygen -b 4096 -f /etc/wordpress/.ssh/id_rsa -N changeme
# Secure the directories
sudo chown root:www-data /etc/wordpress/.ssh ~www-data/.ssh
# Authorize the key - with restricted access
echo -n 'from="127.0.0.1,::1",restrict,pty ' >> ~/.ssh/authorized_keys
sudo cat /etc/wordpress/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Test the configuration - should be prompted for the key's password.
sudo -u www-data ssh -i /etc/wordpress/.ssh/id_rsa $(logname)@localhost

    I hope this is useful for you. As always, please change the password used above.

    My original installation used a key without a password. At the time sftp access was not stable. I have not yet done an upgrade with a password on the key.

  • WordPress Tuning

    I’ve done a little tuning to my WordPress setup. In order to keep up to date, I’ve switched from the Ubuntu installation to a downloaded installation under /opt/wordpress. This is owned by my user and served by apache running as www-data. Updates are done using the sftp add-on.

    Securing /opt/wordpress

    I added myself to the www-data group. This allow apache to read any files with group access, but prevents writing if the web-server is compromised.

    I set the group sticky bit on all the directories. If required, setting it on the wp-content/upgrade directory should be sufficient.

    SSH Key

    I generated my key outside the home directory for www-data which is /var/www. The directory I chose is not one I would publish. However, ssh requires a .ssh/known_hosts file in its home directory. This was created and the appropriate security added. The key is password protected.

    Outstanding Issues

    There are some outstanding issues. I’ll look into these as time permits.

    Native ssh

    The WordPress ssh2 modules does not work on my server. I’ve found a couple of issues.

    • Passwords on the key don’t work. This is a known issue with a work-around. The initial connection appears to fail, but a second call should resolve the issue.
    • The is_dir function does not work. Returning true for paths that end in a slash (/) is a workaround. This got me as far as trying to install. This may be a result of how the path is constructed and there is a published workaround.
    • The is_file function appear to fail as WordPress reports the download contains no files. This is likely the same issue as for the is_dir function.

    Theme upgrades

    My modifications to the theme are getting a little old. The theme works reasonably well on mobile devices, but I would like to update to a more streamlined theme. The site statistics I have indicate a surprisingly high percentage of viewers use a mobile device.

  • Installing WordPress on Ubuntu

    WordPress is available as a packaged application for Ubuntu.  However it requires a bit of post installation configuration. The installation will install the apache2 multi-user server if no server is installed. I modified the installation to run over top of an existing site.  The default installation creates directories under /var/www, which I move to /srv. (more…)