I am preparing a new WordPress website (Architect2Succeed.com) which is aimed at my profession as an IT architect.

When I setup Fossadventures.com, I didn’t make an installation instruction as I was not sure that everything would be as I liked. Which turned out to be true, as I have switched from Hack/HHVM to PHP7/PHP-FPM.

In this tutorial I want to incorporate all the learnings from my previous experience. This tutorial is likely to be very beneficial for all Linux beginners, who want to install WordPress from scratch on a VPS server running openSUSE Tumbleweed.

This Complete DIY guide is based on learnings from other great tutorials. See reference list below. I like to send out a huge thanks to the writers of these tutorials. I have combined their learnings and added some of my own.

• HowtoForge (LEMP tutorial) (WordPress tutorial)
• Rosehosting (LEMP tutorial) (WordPress tutorial)
• Linuxbabe (LEMP tutorial) (WordPress tutorial)
• Bjorn Johansen (Block PHP files)
• DigitalOcean (Increase PageSpeed Score)
• openSUSE.org (Let’s Encrypt)

Get your Virtual Private Server ready

The first thing to do is to purchase an openSUSE VPS. There are various options available. However, not all of them document the openSUSE version that they offer, which is a big miss in my opinion. Prices do vary, which means that you have to think about where these organizations have cut corners. Personally, I went with Transip.nl. But I feel that Linode would also be a good option.

• Contabo.com – offers a Leap 15.1 VPS with 300GB Disk for € 4 / month
• VPSserver.com – offers an openSUSE ??? VPS with 25GB disk for € 5 / month
• Transip.nl – offers a Tumbleweed VPS with 50GB SSD for € 10 / month
• Linode.com – offers an openSUSE Leap 15.1 VPS with 50GB SSD for € 10 / month
• Rosehosting.com – offers a managed openSUSE ??? VPS with 30GB SSD for € 25 / month
• LinuxCloudVPS – offers a managed openSUSE ??? VPS with 20GB SSD for € 26 / month

After purchasing a VPS, you need to install openSUSE. In my case, I have chosen a partitioning setup where I separate the operating system from the data partitions. Because this server is hosting a website, the data partitions are not located at /home. Rather, I like to make partitions for the WordPress application, the MariaDB database and the Nginx configuration files. My partition setup:

• Total size: 50 GiB
• BIOS Boot partition (8 MiB)
• Swap partition (2 GiB)
• Root partition (21 GiB – BtrFS) mounted at /
• WordPress partition (20 GiB – XFS) mounted at /srv/www
• MariaDB partition (6 GiB – XFS) mounted at /var/lib/mysql
• Nginx partition (1 GiB – XFS) mounted at /etc/nginx

See also the screenshot of the expert partitioner below:

After configuring the partition setup that you like, complete the openSUSE Tumbleweed installation on your VPS server.

Install Nginx and create your first static page

Nginx (pronounced Engine X) is a webserver / loadbalancer that you can use to provide or block access to certain parts of WordPress. For instance blocking direct access to PHP files or hidden files.

Zypper is the package manager that is used for command line installation. There is a very nice cheat sheet (page 1) (page 2) with all commands that are needed to install software via the command line. To install nginx, use the following command:

zypper in nginx

Now we are going to create a basic index.html file that will show us nginx is working. First you need to go to the htdocs folder, by using the following command:

cd /srv/www/htdocs/

If you are interested to see what’s in this folder, use the command ls -l. You will find there is already a file 50x.html in place. We are now going to create this index.html file.

echo "<H1> Your Title </H1>" > index.html

If you want to get fancy: edit the file you just created with the VIM editor.

vi index.html

Use Alt!+I to insert text. Use Esc to exit edit mode. Use :wq! to save.

You can do the same to create an Index.css file. Which you can then also edit using the VIM editor.

echo "h1 {color:blue;}"  > index.css

Now its time to start nginx and enable it to start on boot, by using the following commands:

systemctl start nginx
systemctl enable nginx

The last thing to do is to open port 80 (HTTP) in firewalld. Use the following commands:

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
irewall-cmd --list-all

Now open your favorite browser, go to the IP address that your VPS is hosted on, to see your Index.html file. If you are installing this on a virtualbox server, just type in the localhost IP address:

http://127.0.0.1.
http://localhost/

Install MariaDB

For the database that forms the back-end of WordPress, you can choose between using MySQL and MariaDB. MariaDB is a fork of the MySQL database, which was created in response to the Oracle purchase of SUN. One of the driving forces behind this fork is Michael “Monty” Widenius, which is one of the original MySQL founders. The databases have gone their own ways, both have a thriving community. So both MySQL and MariaDB are excellent choices.

In 2014 Red Hat Enterprise Linux has switched to MariaDB by default in RHEL 7. Personally, I think MariaDB is the more ‘open’ project, like LibreOffice is the better version of OpenOffice.org. So I have opted to install MariaDB. This is done by entering the zypper command:

zypper in mariadb mariadb-client mariadb-tools

Now enable the database to startup on boot and start the database service:

systemctl enable mysql
systemctl start mysql

If you want to see if everything is running, use these commands. The second command helps you to exit back into the command line.

systemctl status mysql
mysql-version

Now lets secure the MariaDB database from unwanted access. Type the following command:

sudo mysql_secure_installation

Now you will get the following questions:

Switch to unix_socket authentication?: Y
Change the root password?: Y --> set a new secure password!
Remove anonymous users?: Y
Disallow root login remotely?: Y
Remove test database and access to it?: Y
Reload privilege tables now?: Y

Now login to your MariaDB database with the new password:

mysql -u root -p
ENTER PASSWORD

When you are logged in as root on your VPS, you don’t have to provide a password. This is because MariaDB uses unix_socket authentication (first question), which gives the root user of your VPS access to the root user of the database. So don’t worry if you can enter the database without providing a password.

Next create a database and a database user. I strongly recommend to not use ‘ admin’ as the username. And while you avoid common names; ‘wpuser’ might also be easy to guess. This is way to easy to hack.

create database UNIQUE_DB_NAME;
create user UNIQUEDBUSER@localhost identified by 'UNIQUE_DB_USER@';
grant all privileges on UNIQUE_DB_NAME.* to UNIQUE_DB_USER@localhost identified by 'UNIQUE_DB_USER@';
flush privileges;

To see if your database and user are successfully created, use the commands:

SHOW DATABASES;
SELECT User FROM mysql.user;

Now that you created a database user, set a password for that user. I would advice that your newly created user gets a different password as your root database user. This is done by entering the following commands:

USE mysql;
ALTER USER 'UNIQUE_DB_USER'@'localhost' IDENTIFIED BY '############';
flush privileges;
exit

Install PHP7 and PHP7-FPM

PHP and the FastCGI Process Manager (PHP-FPM) are used by WordPress to communicate between WordPress, Nginx and the MariaDB database. WordPress is written in PHP, a powerful and versatile programming language. The latest version, PHP 7.4 has a greatly improved performance over PHP 5.6. This is the big advantage.

Source: Kinsta – The Definitive PHP 5.6, 7.0, 7.1, 7.2, 7.3, and 7.4 Benchmarks (2020)

Of course there are also many programmatic improvements, but this is less relevant for people who just want to run WordPress. At the beginning of Fossadventures, I used HHVM and Hack instead of PHP and PHP-FPM. But that crashed a lot. So I got rid of this and replaced this with PHP and PHP-FPM.

PHP-FPM is an alternative (better) implementation of FastCGI, which is a better implementation of CGI. Okay that tells you nothing. So lets start with CGI, which stands for Common Gateway Interface. CGI is a protocol for web servers (such as Nginx) to interface with PHP. It enables dynamic content generation and processing (1). FastCGI is what it sounds like, a faster re-implementation of CGI with enhanced capabilities. Now we get to PHP-FPM, which improves upon FastGCI. A couple of examples of improvements (2) are:

• Advanced process management with graceful stop/start;
• Emergency restart in case of accidental opcode cache destruction;
• Accelerated upload support;
• Dynamic/static child spawning;
• And much more.

Sounds impressive. From my experience, it works incredibly well. You can install both PHP7 and PHP7-FPM by entering the following command:

zypper in php7 php7-mysql php7-fpm php7-gd php7-mbstring php7-zlib php-curl php-gettext php-openssl php-zip php7-exif php7-fileinfo php7-imagick

Now let’s edit some configuration files. This is the same instruction as provide by Howtoforge (3), just updated for PHP 7. For your convenience, I will detail every command here below.

We first need to create the PHP-FPM configuration file. This is done by using the commands:

cd /etc/php7/fpm/
ls -l
cp php-fpm.conf.default php-fpm.conf
vi php-fpm.conf

Now use Alt+I to go into the edit mode. Uncomment (remove the semicolomn) of the following lines and change the log_level:

pid = run/php-fpm.pid
error_log = log/php-fpm.log
syslog.facility = deamon
syslog.indent = php-fpm
log_level = warning (change from the default)
events.mechanism = epoll
systemd_interval = 10

Exit and save by pressing the ESC key and typing the following command:

:wq!

Now we move to the website configuration file and we create another PHP-FPM configuration file.

cd php-fpm.d
ls -l
cp www.conf.default YOUR_WEBSITE_NAME.conf
ls -l
vi YOUR_WEBSITE_NAME.conf

Then we make adjustments by entering Alt+I and making the following changes:

user = nginx
group = nginx

listen = /var/run/php-fpm.sock

listen.owner = nginx (uncomment by removing the ;)
listen.group = nginx (uncomment by removing the ;)
listen.mode = 0660 (uncomment by removing the ;)

Exit and save by pressing the ESC key and typing the following command:

:wq!

Next we are going to edit the php.ini file. This is done by typing the following commands:

cd /etc/php7/cli/
ls -l
vim php.ini

We make adjustments by entering Alt+I. Go to the section ‘Data Handling’ (line 616) and find the section post_max_size. Make the following adjustment:

post_max_size = 12M

Go to the section ‘Paths and Directories’ (line 733) and then find the section CGI.fix_pathinfo. Make the following adjustment:

cgi.fix_pathinfo=0

Go to the section ‘File Uploads’ (line 832) and then find the section upload_max_filesize. Make the following adjustment:

upload_max_filesize = 6M

Go to the section ‘Module Settings’ (line 947) and then find the section [Pdo_mysql]. Make the following adjustment:

pdo_mysql.cache_size = 2000    (this line is new)
pdo_mysql.default_socket=

Save and exit by pressing the ESC key and typing the following command:

:wq!

Now copy the php.ini file to the conf.d directory:

cp /etc/php7/cli/php.ini /etc/php7/conf.d/php.ini
cd /etc/php7/conf.d/
ls -l

Now we want to setup Nginx to work with PHP-FPM. Before we make this change, it is very important that we create a backup of the nginx.conf file. In case we screw anything up, we have a backup that we can restore!

cd /etc/nginx/
ls -l
cp nginx.conf nginx.conf.backup01
ls -l

Now we can safely edit the nginx.conf file. We do this by entering the command and pressing Alt+I to go into edit mode:

vi nginx.conf

Create a new line just below “include conf.d/*.conf;” and put in the code:

client_max_body_size 20M;

Make the following adjustments just below “location / {“. Add index.php to the index line and then add the line with try_files:

index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$args;

Right below this section at a blank line, add the following code:

location ~ .php$ {
 root /srv/www/htdocs;
 try_files $uri =404;
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/php-fpm.sock;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }

After this, go to the line that says error_page 404… and change the .html into .php.

error_page  404              /404.php;
error_page  405              /405.php;

Save and exit by pressing the ESC key and typing the following command:

:wq!

Let’s make sure that the nginx.conf file still works by entering:

nginx -t

Now we like to change the ownership of the php-fpm.pid and php-fpm.sock files to nginx. We do this by entering the following commands:

cd /var/run/
ls -l
chown nginx:nginx php-fpm.pid
chown nginx:nginx php-fpm.sock
ls -l

If we have no errors, we can savely restart Nginx and start and enable PHP-FPM:

systemctl enable php-fpm
systemctl start php-fpm
systemctl restart nginx

To test the working of PHP, you can create a test file in the ‘htdocs’ folder, just as we did with the index.html and index.css files.

cd /srv/www/htdocs/
echo "<?php phpinfo(); ?>" > test.php

To test if the file is succesfully created, you can use vim to read the file and then exit.

vi test.php
:q!

It is time to try out if PHP has succesfully installed. To do so, you need to start PHP-FPM and restart Nginx.

nginx -t
systemctl start php-fpm
systemctl restart nginx

Open your favorite browser, go to the IP address that your VPS is hosted on and add “/test.php” (or your website name/test.php) to see the status of your PHP installation. If you are installing this on a virtualbox server, just type in the localhost IP address:

http://127.0.0.1./test.php
http://localhost/test.php

You will be greeted by the PHP status page.

For security reasons remove the test.php file. This is done via the following command.

cd /srv/www/htdocs/
ls -l
rm test.php
ls -l

Create a Nginx Virtualhost file for your website

The first thing to do is to create a Nginx Virtualhost file for your website. This file contains all the specific Nginx information regarding your website, like its name, methods for accessing the website, locations that you want to block etcetera. Create and edit the file using the following commands:

cd /etc/nginx/vhosts.d
ls -l
echo "server" > YOUR_WEBSITE_NAME.conf
ls -l
vi YOUR_WEBSITE_NAME.conf

Now lets start editing this file (remember Alt+I) by writing in the following text inside the Nginx configuration file:

server {
     # This line for redirect non-www to www
     server_name  YOUR_WEBSITE_NAME.com; rewrite ^(.*) http://www.YOUR_WEBSITE_NAME.com$1 permanent;

     listen 80;
}
server {
     server name www.YOUR_WEBSITE_NAME.com;
     root /srv/www/YOUR_WEBSITE_NAME/;
     index index.php index.html index.htm;

     location / {
          try_files $uri $uri/ /index.php$args;
     }

     error_page 404 /404.php
          location = /404.php {
          root /srv/www/YOUR_WEBSITE_NAME/;
          }

     error_page 500 502 503 504 /50x.html;
          location = /50x.html {
          root /srv/www/YOUR_WEBSITE_NAME/;
          }

     location ~ .php$ {
          root /srv/www/YOUR_WEBSITE_NAME/;
          fastcgi_keep_conn on;
          #fastcgi_pass 127.0.0.1:9000;
          fastcgi_pass unix:/var/run/php-fpm.sock;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME
          $document_root$fastcgi_script_name;
          include /etc/nginx/fastcgi_params;
     }
}

Save and exit by pressing the ESC key and typing the following command:

:wq!

Now we are going to create the root location for your website, that you have just specified in the nginx vhosts file. Remember this line:

root /srv/www/YOUR_WEBSITE_NAME/;

That directory doesn’t exist yet! So now we need to create this folder by entering the commands below. We will also copy the index.html, index.css and 50x.html files:

mkdir -p /srv/www/YOUR_WEBSITE_NAME/
cd /srv/www/htdocs/
cp index.html /srv/www/YOUR_WEBSITE_NAME/index.html
cp index.css /srv/www/YOUR_WEBSITE_NAME/index.css
cp 50x.html /srv/www/YOUR_WEBSITE_NAME/50x.html
cd /srv/www/YOUR_WEBSITE_NAME/
chown nginx:nginx index.html
chown nginx:nginx index.css
chown nginx:nginx 50x.html
ls -l

Because we now have the nginx vhosts file, we don’t need everything in the main nginx configuration anymore. So we will edit the main nginx configuration file again.

Before we start editing, let’s first create a backup. And then open the configuration file with Vim. Use the code below:

cd /etc/nginx/
cp nginx.conf nginx.conf.backup02
ls -l
vi nginx.conf

Remove this section:

location ~ .php$ {
 root /srv/www/htdocs;
 try_files $uri =404;
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/var/run/php-fpm.sock;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }

Save and exit by pressing the ESC key and typing the following command:

:wq!

Now test your nginx configuration file.

nginx -t

If there are errors, you should restore the nginx.conf file from the backup you just created. This is done by the command (only use this if you found errors!):

cp YOUR_WEBSITE_NAME.conf.backup02 YOUR_WEBSITE_NAME.conf

If there are no errors, restart nginx:

systemctl restart nginx

Now open your favorite browser, go to the IP address that your VPS is hosted on, to see your Index.html file. If you are installing this on a virtualbox server, just type in the localhost IP address:

http://127.0.0.1.
http://localhost/

Register your Domain name and configure your DNS settings

This might also be a good time to add your website name to your DNS. This way, you don’t have to enter the IP address all the time. If you haven’t registered your website name yet, this is the time to do it! Most of the VPS providers can also provide you with a domain name. If not, there are plenty of commercial alternatives. I registered with TransIP.nl. Create the folowing DNS records:

Name: *
TTL: 1 hour
Type: A
IP address: YOUR_VPS_IPv4_ADDRESS

Name: *
TTL: 1 hour
Type: AAAA
IP address: YOUR_VPS_IPv6_ADDRESS

Name: @
TTL: 1 hour
Type: A
IP address: YOUR_VPS_IPv4_ADDRESS

Name: @
TTL: 1 hour
Type: AAAA
IP address: YOUR_VPS_IPv6_ADDRESS

Name: www
TTL: 1 hour
Type: A
IP address: YOUR_VPS_IPv4_ADDRESS

Name: www
TTL: 1 hour
Type: AAAA
IP address: YOUR_VPS_IPv6_ADDRESS

You probably have to wait 1-5 minutes for the DNS records to be synchronized with the other name servers worldwide. But once that is complete, you can open your favorite browser and visit your site at:

http://www.YOUR_WEBSITE_NAME.com

Your index.html file should automatically load.

Install WordPress

After all this work, it is finally time to install WordPress. We first need to go to the directory where we will install WordPress. Then we will remove the index.html and index.css files we created.

cd /srv/www/YOUR_WEBSITE_NAME/
ls -l
rm index.html
rm index.css
ls-l

We will now retreive the latest WordPress zip file and unzip it. This will put all files in a subfolder called WordPress. Because we want these files in the YOUR_WEBSITE_NAME folder, we move these files to the current directory. Finally, we remove the empty WordPress folder and the WordPress Zip file.

wget wordpress.org/latest.zip
unzip latest.zip
mv wordpress/* .
# rmdir wordpress/ && rm latest.zip

Now we need to connect our WordPress instance to the MariaDB database that we have created. This is done by creating and editing the wp-config.php file. To make sure Nginx has the right access level, we will change the ownership of all files in your websites directory. Use the following commands:

cp wp-config-sample.php wp-config.php
chown nginx:nginx -R /srv/www/YOUR_WEBSITE_NAME/
vi wp-config.php

Press Alt + I to go into edit mode and make the following changes:

define('DB_NAME', 'UNIQUE_DB_NAME');
define('DB_USER', 'UNIQUEDBUSER');
define('DB_PASSWORD', 'UNIQUEDBUSER@');

Save and exit by pressing the ESC key and typing the following command:

:wq!

We referenced the 404.php file in the Nginx configuration and in the Nginx Vhosts configuration. We make this file available by using the following commands:

cp /srv/www/htdocs/wp-content/themes/twentytwenty/404.php /srv/www/htdocs/404.php
cp /srv/www/htdocs/404.php /srv/www/YOUR_WEBSITE_NAME/404.php
chown nginx:nginx /srv/www/htdocs/404.php
chown nginx:nginx /srv/www/YOUR_WEBSITE_NAME/404.php

Now enter the domain of your website in your favorite browser. You will now be redirected to the installation screens. In the first screen, pick the language that is used in the WordPress Dashboard.

In the next screen, you fill in the website name, your admin name and your admin password. Of course you will make this name unique and use a strong password!

The third and final screen tells you that you are ready to go!

By clicking on Log In, you are directed to the WordPress Log-in page. Now you can start configuring the site. Before you start doing that, you want to make some server side improvements first:

• Install phpMyAdmin to administer your database
• Enable GZIP compression
• Harden your Nginx configuration
• Enable HTTPS

Install phpMyAdmin

phpMyAdmin is a great tool to visually check (and edit) what’s in your database. This might be a life saver for some more exotic issues, that cannot be fixed from the WordPress Admin Dashboard. However, I recommend blocking the phpMyAdmin dashboard by default in your Nginx setup. Only when you really need it, unblock it in Nginx. Then make the changes and block it again. Because it is such a powertool, you should limit access to it as much as possible. That said, let’s start with the installation by using the following commands (this package contains Capital Letters):

zypper in phpMyAdmin

Type ‘y’ to accept all dependent packages to be installed. Second we will create a htpasswd file. Use the commands:

htpasswd -c /etc/nginx/htpasswd UNIQUE_PHPMYADMIN_USER
ENTER A NEW SECURE PASSWORD

Now we are going to create a new the Nginx configuration file for phpMyAdmin. Use the following commands:

cd /etc/nginx/vhosts.d
ls -l
echo "server" > phpMyAdmin.conf 
ls -l
vi phpMyAmin.conf

Now press Alt + I to go into edit mode. Now complete the file by typing the following code.

server {
    server_name 01.01.001.001;
	root /srv/www/htdocs; 
	index index.php index.html index.htm;

	location / {
        try_files $uri $uri/ /index.php?$args;
	}

	location ~ ^/phpMyAdmin/.*\.php$ {
		root /srv/www/htdocs/;
		#deny all;
		#access_log off;
		#log_not_found off;
		auth_basic 'Restricted Access';
		auth_basic_user_file  /etc/nginx/htpasswd;
		fastcgi_pass unix:/var/run/php-fpm.sock;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		include   fastcgi_params;
    }

    error_page 404 404.php;
	location = /404.php {
	root /srv/www/htdocs;
	}

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /srv/www/htdocs;
	}

	# PHP-FPM running throught Unix-Socket
	location ~ \.php$ {
	root   /srv/www/htdocs;
	fastcgi_keep_conn on;
	#fastcgi_pass   127.0.0.1:9000;
	fastcgi_pass   	unix:/var/run/php-fpm.sock;
	fastcgi_index  index.php;
	fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
	include        fastcgi_params;
	}

}

This is the configuration in which you can access phpMyAdmin (after entering your username and password). For now we will save the Nginx configuration file by pressing Esc and type:

:wq!

Test your nginx configuration file. If there are no errors, restart nginx:

nginx -t
systemctl restart nginx

Now we need to create a symbolic link from phpMyAdmin to the htdocs directory. This is done by entering the following command:

ln -s /usr/share/phpMyAdmin /srv/www/htdocs/phpMyAdmin
chown nginx:nginx -R /usr/share/phpMyAdmin

Now we need to create a symbolic link from phpMyAdmin to the nginx conf.d directory. This is done by entering the following command:

ln -s /etc/phpMyAdmin/config.inc.php /etc/nginx/conf.d/config.inc.php
chown nginx:nginx /etc/phpMyAdmin/config.inc.php

The final thing we need to do is give Nginx access to the php session. This is done by using the command:

chown nginx:nginx -R /var/lib/php7

Try out to login to the phpMyAdmin dashboard. Enter your IP followed with /phpMyAdmin:

http://01.01.001.001/phpMyAdmin

You should now see your phpMyAdmin dashboard.

When you are done checking out it is time to go back into your Nginx configuration file and block access completely. Make the following changes (press Alt +I to go into edit mode) to the phpMyAdmin.conf file:

location ~ ^/phpMyAdmin/.*\.php$ {
	root /srv/www/htdocs/;
	deny all;
	access_log off;
	log_not_found off;
	#auth_basic 'Restricted Access';
	#auth_basic_user_file  /etc/nginx/htpasswd;
	fastcgi_pass unix:/var/run/php-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
	include   fastcgi_params;
}

Save the Nginx configuration file by pressing Esc and type:

:wq!

Test your nginx configuration file. If there are no errors, restart nginx:

nginx -t
systemctl restart nginx

Now try accessing your phpMyAdmin page again by entering the same URL:

http://01.01.001.001/phpMyAdmin

If everything works, you should see a Nginx 403 error, telling you that access is denied. Which will prevent bruteforce attacks on your phpMyAdmin dashboard.

Optimize and harden your Nginx configuration

One big speed improvement is one that is easy to implement is enabling Gzip compression. This speeds up the delivery of files to the end user, because if these files are smaller, it takes less time to download them. And every time a webpage is refreshed, a lot of files need to be downloaded. This is done by editing the Nginx configuration file with the Vim text editor. But before we start editing, we will create a backup file so we can always revert to the previous verion. Use the following commands:

cd /etc/nginx/vhosts.d
ls -l
cp YOUR_WEBSITE_NAME.conf YOUR_WEBSITE_NAME.conf.backup01
ls -l
vi YOUR_WEBSITE_NAME.conf

We go into edit move by pressing Alt + I. Now we need to add some code below “server {” and above “location {“.

gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;

gzip_types
text/css
text/plain
text/javascript
test/xml
application/javascript
aplication/json
application/x-javascript
application/xml
application/rss+xml
application/xhtml+xml
application/x-font
application/x-font-ttf
application/x-font-otf
application/x-font-opentype
application/x-font-truetype
application/x-font-woff
application/x-font-woff2
application/vnd.ms-fontobject
font/opentype
font/otf
font/ttf
image/svg+xml
image/x-icon;

We also want to set the time that files can stay in the browser cache. A good caching time can differ from site to site. My blogs don’t get updated regularly. I write a blog post every 1 or 2 months. So I have chosen a caching time of 3 weeks. If you post every week, you might want to lower this to 7 days. The browser caching time is specified by adding the following code (directly below the gzip text):

location ~*  \.(jpg|jpeg|png|gif|bpm|ico|css|js|pdf)$ {
     expires 21d;
}

We are not done yet! We also want to block off certain parts of the site that hackers shouldn’t have access to. This is done by adding the following code (directly below the browser caching text):

location / {
	try_files $uri $uri/ /index.php?$args;
}

location ~* /wp-includes/.*.php$ {
	deny all;
	access_log off;
	log_not_found off;
}

location ~* /wp-content/.*.php$ {
	deny all;
	access_log off;
	log_not_found off;
}

location ~* /(?:uploads|files)/.*.php$ {
	deny all;
	access_log off;
	log_not_found off;
}

location = /xmlrpc.php {
	deny all;
	access_log off;
	log_not_found off;
}

location = /latest.zip {
	deny all;
	access_log off;
	log_not_found off;
}

Save and exit by pressing the ESC key and typing the following command:

:wq!

Now test your nginx configuration file.

nginx -t

If there are errors, you should restore the nginx.conf file from the backup you just created. This is done by the command (only use this if you found errors!):

cp YOUR_WEBSITE_NAME.conf.backup01 YOUR_WEBSITE_NAME.conf

If there are no errors, restart nginx:

systemctl restart nginx

Enable HTTPS

Now it is time to change our WordPress website from HTTP to HTTPS. For this, we need an SSL certificate. Which the Let’s Encrypt organsisation provides. Certbot is the official tool to request Let’s Encrypt certificates. So we first need to add the Certbot repository. This is done by using the following commands:

zypper addrepo https://download.opensuse.org/repositories/devel:/languages:/python:/certbot/openSUSE_Tumbleweed/devel:languages:python:certbot.repo

zypper addrepo https://download.opensuse.org/repositories/home:/ecsos:/server/openSUSE_Tumbleweed/home:ecsos:server.repo

zypper ref

Now it will ask you if you will trust the repositories. Type ‘a’ + ‘Enter’ to always trust this repository. After this is done, we can install the Certbot packages. Use the following command:

zypper in certbot-common certbot-doc certbot-systemd-timer python3-certbot python3-certbot-nginx

You will be asked to install certain other packages that are dependencies of the above packages. Type ‘y’ + ‘Enter’ to accept this proposal.

Now we will run the certbot application on the command line by using the command:

certbot --nginx

The Certbot application will ask some questons. Put in the following answers.

• Enter your e-mail address
• Agree to the Terms of Service (select Yes)
• Decide if you want the EFF newsletter (I have selected Yes)
• Leave the input blank to select all options (press Enter)
• Now redirect everything to HTTPS (select 2)

Now that part is finished. We just need to open the firewall for HTTPS traffic. Use the following commands:

firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all

Now enter the address of your website in the browser and check if you can see the lock symbol in your browser. That means you have succesfully installed and configured certbot!

We also want certbot to automatically renew. This can be done by using Crontab to renew every month. Open the crontab file of certbot by using the following commands:

cd /etc/cron.d/
ls -l
vi certbot

Press Alt + I to go into edit mode and uncomment (remove the #) of the lines and specify the time interval to renew the certbot certificates. I have specified to run this script every 9 days at 4:10 AM.

renew all certificates methode: renew 
10 4 9 * *  root    /usr/bin/certbot renew

Save and exit by pressing the ESC key and typing the following command:

:wq!

Essential WordPress plugins

The last thing to do to make your WordPress setup complete is to install lots of plugins! A general recommendation is to reduce the numer of WordPress plugins to a minimum. But from my experience, the plugins are the thing that makes WordPress great. You want a performant and secure website. And there are many free and paid plugins that help you achieve that goal.

So far, I have 3 paid plugins (Wordfence, Hide My WP Ghost and Easy Updates Manager). You can also use the free versions, which are still a great option. Below is my list of essential WordPress plugins and the reason why I use them.

Wordfence Security

Wordfence is an endpoint Web Application Firewall and a malware scanner. It greatly enhances the security of your WordPress site by blocking known malicious traffic.

Hide My WP Ghost

Hide My WP Ghost is a security plugin that hides / changes a lot of common WordPress URLs. It also changes the names of plugins and themes to random names. This makes sure that automated attacks against your WordPress site will not work. And that it is harder to gain insight in the vulnerable plugins and themes that you are using.

Easy Updates Manager

Managing all your plugin updates can be a time consuming effort. What if a plugin can do all the work for you? I have set Easy Updates Manager to update all minor WordPress versions and to update all plugins and themes. The premium plugin automatically makes a backup of my site (via UpdraftPlus) before updating. And I get notified via Slack (e-mail is also a possibility).

UpdraftPlus – Backup/Restore

UpdraftPlus is a great Backup/Restore plugin for WordPress. I use it to backup my site every 14 days to my Google Drive. I might consider going Premium in the future, as this also allows Cloning and Migration, which is useful for creating a cloned test site.

HTTP Headers

This plugin allows me to set Security options in my HTTP header.

Contact Form 7

This is a popular WordPress plugin for creating a contact form. It can also send out e-mails when someone submits a request, but don’t want my server to have that ability.

Flamingo

Instead I use Flamingo to store the messages that are submited via the contact form.

WP Mail SMTP by WPForms

This replaced the default PHP mail function and enables me to send outgoing emails via SMTP and Transip as the mailprovider.

Check & Log Email

This allows me to see which e-mails have been send from my WordPress site.

WP Statistics

This plugin enables me to see the number of visits to my website and per page. It is less comprehensive as Google Analytics. But its more than enough for my use case.

Google XML Sitemaps

The Google XML Sitemaps plugin makes sure that my site is indexed by Google. This is not needed if you use more elaborate SEO plugins.

Broken Link Checker

Once you start writing a lot of blogs, your will also link to other sites. At a certain time, these links might brake. This reduces the reading experience of your readers. This is also bad for your SEO. This plugin helps you to find these problems and repair them.

Redirection

This plugin is also related to errors on your website that will start to appear over time. This time related to 301 (redirect) and 404 (page nog found) errors. This plugin helps your to find these problems and repair them.

WP Super Cache

It is a caching plugin. It makes my website load faster.

Autoptimize

It is a plugin that minifies my HTML, CSS and Javascript. It makes my website load faster.

Asset Cleanup: Page Speed Booster

This is a plugin that can load/unload (un)needed Javascript files for certain parts of the site. It makes my website load faster.

Optimole

This plugin helps me to optimizes images (resize and compress) and enables lazy-loading of images. It makes my website load faster.

OMGF

This plugin stores all Google Fonts that are used on my website locally, so when loading my website, people are not redirected to Google. It makes my website load faster.

WP-Optimize

This plugin cleans and optimizes my database. This will result in a very small speed inprovement.

Profilepress

This plugin allows me to use my own picture from my own WordPress media library for when I log in.

Yoast Duplicate Post

This plugin enables me to quickly duplicate an older blog post to use as a template for a new blog post.

Conclusion

I hope that this extensive guide was helpful in getting your new website up-and-running. There is so much more that you should now do:

• Select a nice looking theme
• Customize your theme
• Configure all plugins
• Remove all default posts
• Add the Site and Sitemap to Google Search Console

One important addition. If your start writing blog posts and create pages with your admin user, you make it very easy for hackers to brute force hack your website. Therefore I would recommend a separation of roles. Create a second user for yourself with only editing rights. And use that user account to create pages and write blog posts.

I leave the rest for you to work out. Best of luck!

Publishing date: 25-03-2020
Updated: 29-07-2021