The idea is to take you through all the steps needed to get up and running, some basic familiarity with computers and Linux is assumed, but not a lot.

• Server Setup 1: OS installation
  This goes through a few pre-requisites, and then launches into the installation.
• Server Setup 2: Initial tweaks
  These first few steps will make your life easier when administering this server.
• Server Setup 3: Install Webserver
  We’ll install and test the webserver software – Apache.
• Server Setup 4: Going Public
  Configure the server, DNS and your router to allow public access to a placeholder website.
• Server Setup 5: HTTPS
  Enable secure connections to your new website with Lets Encrypt and certbot.
• Server Setup 6: WordPress Pre-requisites
  Get ourselves ready to install WordPress – we need PHP and a database.
• Server Setup 7: Install WordPress
  Get WordPress installed so you have a functional website!
• Server Setup 8: WordPress tweaks
  A few tweaks to optimise WordPress.
• Server Setup 9: Nextcloud Prep
  Preparatory work before the Nextcloud installation.
• Server Setup 10: Nextcloud Installation
  Get the database and files system configured, then install Nextcloud
• Server Setup 11: Config Improvements
  Some little tweaks to improve the security of our server
• Server Setup 12: Collabora
  Install and configure Collabora Online Development Edition
• Server Setup 13: Security Improvements
  Move the WordPress configuration out of the web root
• Server Setup 14: Backups
  This shows how to collect together all the data you need to completely back up your server.
• Server Setup 15: Optional Extras
  Further optional tweaks to make your installation better.

Now you’re up and running with what should be a stable and secure installation of WordPress and Nextcloud with Collabora.

There are plenty more tweaks you can work on yourself:

Server Administration

• Advanced HTTPS – you can check your config with https://www.ssllabs.com/ssltest/. You have choices about how you want to set up your system – more secure or more compatible with older clients. This tool from Mozilla provides recommendations for the the Apache configuration you need.
• Email configuration – This allows either system to send emails. Best way to do it us an existing email service, and let your server connect to that. s-nail and exim can both do this.
• You can keep you system automatically up to date with the unattened-upgrades package – this keeps your system up to date. If email is configure it’ll send you an summary of what it’s updated.

WordPress:

WordPress relies on htaccess for a few things, mainly nicely writing urls for permalinks. However, .htaccess files have a problem – they’re checked every time someone visits your site. You can reconfigure apache to load the data from the .htaccess file once, instead of on every request.

Be careful, there may be multiple .htaccess files, and some plugins install their own, so use these commands to find them all:

cd /var/www/wordpress
find | grep htaccess

Nextcloud

A few ideas:

• Work your way through the list in administration section – the links to the documentation will help a lot.
• Background jobs: Try setting up a systemd timer or traditional crontab. Have a look in Basic Settings in the Settings menu for an Administrator.
• Scan you installation for security issues https://scan.nextcloud.com/
• Include .htaccess instead of loading it every time, like for WordPress.

User friendliness

These are a few niceties you might try to help with general use:

• Set up passwordless login: https://linuxize.com/post/how-to-setup-passwordless-ssh-login/
• Use tmux to keep you shell sessions alive.

One recommendation that many security experts make is that the WordPress configuration files should be outside the web root. Lets make this change.

WordPress

Create a new folder called /var/www_config. Put a new folder in here, wordpress

cd /var
sudo mkdir www_config
cd www_config
sudo mkdir wordpress

Copy the WordPress configuration file across, and set it’s permissions so no-one apart from www-data (and root, of course) can read it:

sudo cp -a /var/www/wordpress/wp-config.php /var/www_config/wordpress/
sudo chown -R www-data:www-data /var/www_config
sudo chmod -R u=rX,go= /var/www_config

Now we need to tell Apache that the when PHP scripts on the wordpress site run, they can only access the folders we want them to:

• /var/www/wordpress : our wordpress installation
• /var/www_config/wordpress : our wordpress config
• /tmp : WordPress needs this for handling plugin upgrades etc.

Modify the wordpress Apache site configuration file and add this line inside the VirtualHost section:

php_admin_value open_basedir "/var/www/wordpress/:/var/www_config/wordpress/:/tmp/"

Now reload Apache.

Finally, WordPress still needs to be able to find this file, so replace the contents of the original wp_config.php with this:

<?php

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once('/var/www_config/wordpress/wp-config.php');

It’ll take effect the moment you save it, so now visit your site from the client, and hopefully nothing has broken!

Nextcloud

For some reason this isn’t as widely recommended by Nextcloud users. I’ll investigate and update this post with my suggestion.

For now, just make sure only www-data can read and write the config file:

sudo chown -R www-data:www-data /var/www/nextcloud/config/
sudo chmod -R u=rX,go= /var/www/nextcloud/config/

Most of these steps are optional, but highly recommended

Set up Anti-Spam

Spam comments are an unfortunate reality of life on the internet, so you’ll need something to stop them.

Akismet is a highly respected solution, and is free for personal users, but you need to sign up for a free account with them first. There’s a lot more details about getting set up on their website.

There are other Antispam plugins out there too.

Delete Inactive themes and plugins

It’s recommended (for security) that you delete any plugins or themes you aren’t using, with the execption of leaving one standard theme available to use as a fallback.

Go to the plugins section from the menu on the left. There should be a red delete link under each inactive plugin

Go to the themes section. Click on an inactive theme, then find the delete link in the bottom-right corner.

Add domain name to server hosts file

WordPress can report some weird errors when it can’t access itself, which can sometimes happen if your router is misbehaving or you’re running offline for some reason.

To do this we add an entry to the server’s hosts file. This tells the server that our wordpress domain (e.g. www.example.org) should be on this server.

sudoedit /etc/hosts

Add this line, anywhere

127.0.0.1 www.example.org

After this post you’ll have a working WordPress installation to play with!

Make website unavailable from public internet

A word of warning – the first thing that will happen once we’ve installed wordpress is you’ll create an admin user. You don’t want a hacker to swoop in a beat you to it.

Reverse the steps you took to open the ports in your router.

Download and unpack

Go to the directory above your wordpress folder – mine was /var/www/wordpress, so we’ll go to /var/www

cd /var/www

Delete your wordpress directory – we’re about to recreate it:

sudo rm -R wordpress

Download wordpress

sudo wget https://wordpress.org/latest.tar.gz

Unpack – the tar.gz file is like a zip file, so we’re just unpacking it.

sudo tar xvfz latest.tar.gz

Optional step – if the folder you set up for the website wasn’t called “wordpress”, move the new folder to what it used to be called:

sudo mv wordpress other_wp_folder	

Now wordpress needs to be able to modify the files inside it’s directory, so to do that we change the owner of the directory and everything in it to www-data. www-data is the user that apache runs as.

sudo chown -R www-data /var/www/wordpress/

And we’re done with the install!

Configure

Now go to your site on the client machine e.g www.example.org

If all has gone according to plan, you’ll this page (asking for a language) or the next one.

This is the intro to the configuration:

Now fill in the database details from the last post in here.

This page sets the site title (it’s doesn’t need to be the URL – it can be anything you like) and your admin account.

And that’s done!

This is the admin console

And the view of the site when you’re logged in.

And what it looks like for ordinary visitors.

Re-enable public access

Now you can re-enable public access by configuring port forwarding on your router.

WordPress is a very flexible platform, but there are a few key pieces that are essential for it to run:

• A websever
  • We installed Apache in an earlier post so that’s covered, though we will need some extra modules.
• PHP
  • This is the programming language WordPress is built in and runs on, so our server needs to have it installed.
• A Database
  • We’ll install MariaDB, which is powerful & popular solution.

The full details are on the WordPress website, and we’ll refer back to this for the specifics in a bit: https://make.wordpress.org/hosting/handbook/handbook/server-environment/

First, lets install PHP

sudo apt install php

It’s worth paying some attention to what apt is actually doing at his point:

sandy@waldorf:/var/www/test$ sudo apt install php
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-php7.3 libsodium23 php-common php7.3 php7.3-cli php7.3-common php7.3-json
  php7.3-opcache php7.3-readline psmisc
Suggested packages:
  php-pear
The following NEW packages will be installed:
  libapache2-mod-php7.3 libsodium23 php php-common php7.3 php7.3-cli php7.3-common php7.3-json
  php7.3-opcache php7.3-readline psmisc
0 upgraded, 11 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,377 kB of archives.
After this operation, 17.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]

In the list of packages that will be installed, php7.3 has been selected. This is the current stable version of PHP, and is the default in Debian 10. Also, libapache2-mod-php7.3 will be installed – this is the Apache module that lets it run php code when to create the web pages you see.

We can test this with the phpinfo(); function, which does a similar thing to the http://test.example.org/server-info page we created in the previous post.

Create a file called phpinfo.php in the folder for the test website:

sudoedit /var/www/test/phpinfo.php

Type in this line:

<?php phpinfo(); ?>

Now visit http://test.example.org/phpinfo.php. You should get a long page full of information that looks like this:

All of the headings on this page after HTTP Headers Information and before Additional Modules are the modules that PHP has loaded and can be used by php webpages on your server.

If we compare that list of modules, to the list of extensions required by WordPress, we might find some gaps. This is the list from my server:

So the missing ones are:

• curl
• dom
• imagick
• mbstring
• mysqli
• xml
• zip

So we’ll install them. The package names take the form of php- or php7.3- and then the module name. The dom module is provided within the php-xml package. mysqli is in php-mysql.

sudo apt install php-curl php-imagick php7.3-mbstring php-mysql php-xml php-zip

For some reason, some of these need to be enabled manually, the others just work.

sudo phpenmod -s apache2 curl mbstring mysqli

Restart the webserver:

sudo systemctl restart apache2

Database

The Database holds all of the live content in your wordpress blog, like the posts and comments. It also has all of the user information.

We’ll install mariadb

sudo apt install mariadb-server

Now we’ll use a ready-made script to set basic security options. You’ll need to create a strong password for root user for the database server (not the same as the root user of the system).

sudo mysql_secure_installation

Say yes to all of the options, entering the database server root password when prompted.

Now create the actual worpress database in the database server. Start by logging into the database with the mysql command line client, and enter the password when prompted.

sudo mysql -u root -p

sandy@waldorf:/etc/php/7.3/apache2$ sudo mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 57
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

You’re now logged into a special command line that’s just for working on the database server. This command creates the database – the name could be anything – just remember it for later. I’ve called mine wp_db.

CREATE DATABASE wp_db;

Then next command creates the user that WordPress will use to access this database. It also sets their password and gives them access to the database. Fill in your own values for wp_db, wp_usr and password.

GRANT ALL PRIVILEGES ON wp_db.* TO "wp_usr"@"localhost" IDENTIFIED BY "password";

Now force the database to reload that user information and exit:

FLUSH PRIVILEGES;
EXIT

This is what the whole interraction looks like on my system:

sandy@waldorf:/etc/php/7.3/apache2$ sudo mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 57
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE wp_db;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON wp_db.* TO "wp_usr"@"localhost" IDENTIFIED BY "password";
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> EXIT
Bye

Updating wordpress:

mkdir ~/temp
cd ~/temp/
wget http://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz

cd /var/www/html/

sudo rm -Rf wp-admin/
sudo rm -Rf wp-includes/

sudo cp -R ~/temp/wordpress/wp-admin/ .
sudo cp -R ~/temp/wordpress/wp-includes/ .


rsync -vcrultO ~/temp/wordpress/wp-content/ wp-content/

sudo chgrp -R apache .
sudo chown -R apache .

rsync -nvcrultO --exclude 'wp-content' --exclude 'wp-includes' --exclude 'wp-admin' ~/temp/wordpress/* .