
Hardening your installation


WordPress is an open-source CMS originally built as a web publishing platform, quickly becoming a de-facto standard for blogs. Thanks to its huge third-party plugin ecosystem, WordPress has been adopted for use in many different situations never imagined by its creators, including dynamic websites, e-commerce platforms, and online newspapers. It's a terrific software package with a huge user base, but getting the most out of it can be tricky.

This course demonstrates installing and running WordPress on Amazon Web Services. Expert Linux System Administrator David Clinton will guide you through installation, from the easy way (using a CloudFormation template), up to deploying a highly customizable instance on EC2 and RDS. You will learn to use optimization tools like Varnish and Route53 and to monitor availability and costs with CloudWatch.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.

Intended Audience

This is an intermediate course that will assume some basic knowledge of the AWS system. Some familiarity with the Linux Command Line Interface and MySQL might also be helpful.

To move to the next step, check out our EC2 and RDS courses, and our introductory AWS video. You might also enjoy our courses on CloudFormation, LAMP stacks on AWS and Security on Linux based AWS instances, which make great follow-ups. If you want to challenge yourself, check out our questions.



Hi and welcome to CloudAcademy.com's video series on running your WordPress site in the cloud on AWS.

In this video, we're going to review some of the basics of website security. We may have briefly touched on some of these subjects in other videos in this course, but it's probably a good idea to also see them all together in one place.

First of all, security groups. Every EC2 instance should be associated, in fact, I believe must be associated with an Amazon security group. You can create security groups in advance, or in the process of creating an EC2 instance. Let's take a look at creating one independently. Click on security groups, then create security group. Give our group a name. Obviously, you'll use something a little more descriptive than just the word name. And there is great advantage to having a descriptive security group, because you'll be able to identify it in a long list and know what its purpose is. You might write a description, a little better than that one, obviously. You'll decide whether this is part of a VPC or not, and you'll select the VPC if you choose to make it part of that.

And most importantly, you'll add rules. This will determine who and what has access to your site and how. So let's add a rule. Let's say we'd like to allow HTTP traffic. For a WordPress site, generally you want to allow a lot of HTTP traffic. In other words, you want every user on the internet to be able to find your site. For that purpose, we should have a source of anywhere, that is, anyone, anywhere on the internet should be able to open your pages. You've got to protect the security of your pages, that is, to prevent users from editing or deleting your pages. That's done from within your WordPress server. However, this rule allows users to at least access your pages.

You could select a custom IP in which case, you could restrict access to only specific IP addresses, like 192.168.02.

That really wouldn't normally be a public address. Or you could choose my specific IP, that is Amazon is aware of my external IP, and you could populate this value with your own IP. That means the only computer on earth which will have access to this site, using HTTP, will be my computer.

Obviously, that's not appropriate for a WordPress site, so we'll go back to anywhere. Let's add another rule, because you might want to access your server using SSH. That would use Port 22, using the TCP protocol. And there, you don't want to leave it open to anyone. You don't want anyone to have access using SSH. There, you might, in fact, want to restrict it to your IP address. Let's add another rule.

Again, let's take a category of rule. You may want to allow ICMP. That is, you may want to allow people to ping your site to see if it's really up and running. You might want anyone, anywhere to be able to do that. You might not. At any rate, if this is the appropriate selection of rules for your site, then click on create. And you now have a new security group. Later when you launch your EC2 instance that will host your WordPress site, you can select this security group, the one known as name, for your site.
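The rule set described above (HTTP from anywhere, SSH from your own address only, ICMP as a judgment call) can be checked after the fact. The following is an added example, not part of the course material: it audits a group's inbound rules in the shape returned by `aws ec2 describe-security-groups`. The sample rules and addresses are constructed, and the severity labels are this example's own.

```python
import ipaddress

# Constructed sample: one group's "IpPermissions" as returned by
# `aws ec2 describe-security-groups`; addresses are documentation ranges.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.7/32"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]

def covers_tcp_port(perm, port):
    """True if the rule admits traffic to the given TCP port."""
    proto = perm["IpProtocol"]
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def sources(perm):
    """All IPv4 and IPv6 source ranges of a rule as network objects."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def audit(permissions):
    """Return (severity, message) findings; public HTTP is expected and not flagged."""
    findings = []
    for perm in permissions:
        for net in sources(perm):
            world = net.prefixlen == 0  # 0.0.0.0/0 or ::/0
            if covers_tcp_port(perm, 22):
                if world:
                    findings.append(("HIGH", f"SSH reachable from anywhere ({net})"))
                elif net.num_addresses > 1:
                    findings.append(("MEDIUM", f"SSH allowed from a whole range ({net})"))
            elif perm["IpProtocol"] == "icmp" and world:
                findings.append(("INFO", f"ICMP (ping) allowed from anywhere ({net})"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PERMISSIONS):
        print(f"{severity:6} {message}")
```

The all-protocols rule is reported as an SSH finding because it admits port 22 even though no rule names that port.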

In addition to security groups, WordPress itself provides keys and salts. Keys, you could pretty much figure out they are devices used to unlock access to a software service. But what is a salt? In cryptography, Wikipedia teaches us, a salt is random data that is used as an additional input to a one-way function that hashes a password or pass phrase. In other words, it's a way of creating a lot of really difficult to guess data, and associating the knowledge of that data with access to the service. Now, these keys and salts are stored in the wp-config.php file, part of which you're looking at now. You can generate keys and salts from the WordPress website, and that address actually, you'll see just a little bit above all those lines that say, define, those are the keys and salts, just a couple lines of documentation above that, you can see the address you should go to to generate these keys and salts is given. You will then be shown eight or nine lines of these defines. You can copy those and paste them into the wp-config.php file the way we have here.
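A common mistake with the step just described is leaving the sample file's placeholder in place, or pasting the same value into several defines. The following added example (not from the course) checks a wp-config.php fragment for the eight standard constants and can also produce fresh values locally. The sample fragment is constructed, and the 64-character minimum is a threshold chosen for this example.

```python
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 64                              # assumption made for this example

_LONG = "x9" * 32  # constructed 64-character stand-in, not a real secret
# Constructed fragment: a placeholder, a short value, a reused value, no salts.
SAMPLE_CONFIG = f"""
define( 'AUTH_KEY',         '{PLACEHOLDER}' );
define( 'SECURE_AUTH_KEY',  'tooshort' );
define( 'LOGGED_IN_KEY',    '{_LONG}' );
define( 'NONCE_KEY',        '{_LONG}' );
"""

# Matches define( 'NAME', 'value' ); with a single-quoted PHP string value.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)""")

# Printable characters minus the two that need escaping inside PHP single quotes.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

def audit_config(text):
    """Map each problematic constant to 'missing', 'placeholder', 'short' or 'reused'."""
    values = dict(DEFINE_RE.findall(text))
    problems = {}
    for name in KEY_NAMES:
        value = values.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LENGTH:
            problems[name] = "short"
        elif sum(1 for n in KEY_NAMES if values.get(n) == value) > 1:
            problems[name] = "reused"
    return problems

def generate_defines():
    """Build eight define lines with independent values from the OS CSPRNG."""
    return "\n".join(
        f"define( '{name}', '{''.join(secrets.choice(ALPHABET) for _ in range(MIN_LENGTH))}' );"
        for name in KEY_NAMES)

if __name__ == "__main__":
    for name, problem in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:17} {problem}")
```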

Don't worry. These specific keys and salts are not being used in an active instance of WordPress. Now if you plan to use SSH to access the server hosting your WordPress site, you may want to create a key pair. Let's go to EC2. Click on key pairs, create a key pair. Let's give it a name. Call it name again. You should choose a name which is much more descriptive. It'll be very useful later.

Create. And you have the option now of saving this file. Save the file to somewhere in your computer. If you're using a Linux system, you should save it to your home directory, so that every time you open the terminal session, you can make easy reference to this key pair in your log in, in your SSH command.

Finally, we should just devote a word or two to your choice of user names and passwords. WordPress will ask for an administrator account name. Many people choose admin. That's a little bit obvious and makes it just a little bit easier for malicious hackers to get into your system.

It's a good idea to choose some unique name besides admin. And as far as passwords go, if you aren't already aware, your password should contain a good number of characters, at least eight. It should contain letters, both lower case and upper case, numbers and non-alphanumeric characters just to make it a great deal harder for humans and software to anticipate and guess what your password may be.

About the Author
David Clinton
Linux SysAdmin

David taught high school for twenty years, worked as a Linux system administrator for five years, and has been writing since he could hold a crayon between his fingers. His childhood bedroom wall has since been repainted.

Having worked directly with all kinds of technology, David derives great pleasure from completing projects that draw on as many tools from his toolkit as possible.

Besides being a Linux system administrator with a strong focus on virtualization and security tools, David writes technical documentation and user guides, and creates technology training videos.

His favorite technology tool is the one that should be just about ready for release tomorrow. Or Thursday.