Installing WordPress on CentOS 8

After recently upgrading my web server to CentOS 8 I decided that I wanted to replace my old static web page with a more intersting WordPress site.

Getting WordPress up and running on CentOS 8 was a fairly straight forward process however there were a couple of small things that tripped me up along the way (I’m mainly looking at you, SELinux!)

In this post I have provided step by step instructions on installing WordPress on CentOS 8. This includes steps on keeping SELinux happy and using LetsEncrypt / Certbot to serve the site over HTTPS.

Note that many of the commands in the guide will require root privileges. You’ll either need to run them while logged in as the root user or by prepending the commands with sudo.

Installing the Required Packages

There are a few packages required to get WordPress up and running on CentOS 8. You’ll need to install the following:

dnf install php-mysqlnd php-fpm php-gd mariadb-server httpd mod_ssl tar curl php-json -y

Adding Firewall Rules

In order for people to access your WordPress site, you’ll need to add some firewall rules. These rules are allowing access to port 80 and 443 from the outside world.

You will want to use the “–permanent” flag to ensure that these rules survive any server reboots. Once the rules have been added you will then need to reload the firewall.

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

Note: I don’t want to spend too much time discussing firewall rules in this post, however if you don’t want people trying to access your site before it’s properly configured, I have another blog post that you might find useful. In it, I go over how you can configure the firewall to only allow access to the site from your local machine until you’re ready to make it publicly available.

Enabling HTTPD and MariaDB

Next, you’re going to start the Apache (httpd) and MariaDB services. You will also enable them to start automatically after a system reboot.

systemctl enable --now httpd
systemctl enable --now mariadb

With the services enabled (and previously mentioned firewall rules applied), you should now be able to navigate to the URL or IP address of your web server in the browser and see the default Apache/CentOS welcome page.

Getting the Database Ready

Now that the MariaDB service is up and running you can run a handy tool which helps to make the default config more secure. This tool is interactive and will prompt you to set a password for the root SQL user as well as make some changes to default security settings. In most cases, you’ll want to go with the suggestions it makes. Make sure to keep a note of the password!

mysql_secure_installation

Once the MariaDB server has been secured, it’s time to create the database and SQL user login that will be used by WordPress. You’ll also give that user full control over the wordpress database you create.

You’ll need to connect to mysql using the root password that you set in the previous step. When creating the SQL login for WordPress, remember to replace ‘your_password‘ with a secure password of your own.

mysql -u root -p
Enter password:

CREATE DATABASE wordpress;
CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';
EXIT

Downloading WordPress

That’s most of the ground work done. Now it’s time to start installing WordPress on CentOS 8. Download a copy of WordPress and move it into the Apache document root:

wget https://wordpress.org/latest.tar.gz
tar -xf latest.tar.gz

cp wordpress/* /var/www/html/

chown -R apache:apache /var/www/html/
chmod -R g+w /var/www/html/
usermod -aG apache your_server_username

There are a few things going on in the commands above. The first two lines have you download the latest copy of WordPress and extract the contents to your current directory. You then copy the extracted contents to the /var/www/html/ directory, which is Apache’s default document root.

Once copied, you then have some permissions to tidy up. First, you change the owner of the /var/www/html/ directory and all of it’s contents to the apache user and the apache user group. You then give the apache group the ability to edit the files. Finally, you add your own account to the apache group. This allows you to more easily work with the contents of the /var/www/html/ directory. You will likely need to log out and back into your server before the group membership changes take effect.

Keeping SELinux Happy

The following command applies an SELinux label to the /var/www/html/ directory and all of it’s contents. This label tells SELinux that Apache is allowed to read and alter the contents.

chcon -R -t httpd_sys_rw_content_t /var/www/html/

While on the topic of SELinux, there is one other change that you will likely want to make. The following command tells SELinux that the Apache process should be allowed to connect to the network. This is to allow the WordPress dashboard to check for updates, as well as allow you to view WordPress themes and plugins from the dashboard.

setsebool -P httpd_can_network_connect 1

Enabling HTTPS and Redirection

The remaining steps focus on setting your site up to serve over HTTPS. You will also make a change to Apache’s httpd.conf file which allows WordPress to use pretty URLs.

This allows you to change the default URLs from something like https://yoursite.com/?p=1 to something nicer, like https://yoursite.com/blog/blog-post-title which you can later manage from the WordPress dashboard (Settings -> Permalink Settings).

The .htaccess File

First up, create the .htaccess file in the /var/www/html/ directory and add some rules which redirect all http requests to https:

touch /var/www/html/.htaccess

# Add the following to the .htaccess file using your preferred text editor:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Updating httpd.conf

Next you make the change to Apache’s httpd.conf file which allows pretty URLs to be used. Use your preferred text editor to open /etc/httpd/conf/httpd.conf and scroll down until you find a section like the example below. It wont look exactly like this, as I’ve stripped out the comments for brevity. You then need to make sure that the AllowOverride option is set to “All“.

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

Save your changes and restart Apache

systemctl restart httpd

Installing a SSL Certificate

In this final step, you’ll use LetsEncrypt and Certbot to enable HTTPS.

First, you’ll use Certbot to request a certificate from LetsEncrypt. You will need to remember to change the email address and domain in the following command to match your own:

certbot certonly --webroot -w /var/www/html/ --renew-by-default --email your@email.com --text --agree-tos  -d www.yourdomain.com

At this point Certbot will have placed several files on your server. You now need to tell Apache where to find them

# Use your preferred text editor to edit /etc/httpd/conf.d/ssl.conf
# Locate the following variables and update their values as follows
# Remember to replace www.yourdomain.com with your actual domain

SSLCertificateFile /etc/letsencrypt/live/www.yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.yourdomain.com/fullchain.pem

Finally, you should set up a cron job (scheduled task) to automatically renew the certificate. There are various ways to do this, but this example uses the /etc/crontab file. This causes Certbot to check your certificate each day and renew if the certificate is due to expire within the next 30 days.

# Use your preferred text editor to edit /etc/crontab
# Add the following to the bottom of the file

0 0 * * 0 root /usr/bin/certbot renew >> /var/log/certbot-renew.log

Finishing Up

And that’s it! You should now have finished installing WordPress on CentOS 8. All that’s left to do is navigate to your server’s URL or IP address in the browser and follow the WordPress set up steps.

Additional Note – Upgrading to PHP 7.4

As mentioned by Dan in the comments, I should have upgraded to PHP 7.4 as CentOS 8 uses 7.2 by default. The WordPress admin dashboard will warn you if your server is running a PHP version lower than 7.4

Upgrading PHP on CentOS 8 Stream is as easy as this:

dnf module switch-to php:7.4

After the above command has finished running, you can check the version using:

php-fpm --version