Installing WordPress with LAMP Stack on RHEL

ByAhramLinux Team Updated

Installing WordPress on a Linux server can be daunting, but with the right tools and a clear guide, it can be a breeze. In this article, we’ll walk you through the process of installing WordPress with the LAMP (Linux, Apache, MySQL, PHP) stack on RHEL (Red Hat Enterprise Linux).

Table of Contents

Essential Requirements

1- This tutorial assumes that you have a server with Red Hat Enterprise Linux (RHEL) installed, and attached with a valid RHEL Subscription If you don’t have a valid subscription, we have written a detailed tutorial about this, click on the below link to get your valid rhel subscription for free now!

How To Obtain a RHEL Subscription For Free: Complete Guide

2- If you’re willing to make your website publicly accessible, then you should have a valid domain name, we recommend you buy the domain from NameCheap because their price is low and they give whois privacy protection free for life.

3- You should also have a LAMP Stack exit on your rhel server. If not, please check the below tutorial

How To Install LAMP Stack On RHEL

After finishing the LAMP Stack installation, You can come back here and read that tutorial.

Steps to Install WordPress with LAMP Stack

Step 1: Create the Required Users and Directories

At first, we need to create a NO-Login User under the /home directory. The name of this user will be as yourwebsite name, For example, If yourwebsite name is ahramlinux.com, then the user will be ahramlinux, and so on. Also, the importance of this step is that we will run PHP-FPM (Which is responsible for Processing Website Scripts) with the privileges of that user

A) Run the following command to create the user

useradd -s /usr/sbin/nologin ahramlinux
Bash

B) Create The public_html directory If don’t exist (This Directory will hold the WordPress website files)

mkdir /home/ahramlinux/public_html
Bash

C) Adjust the permissions as follows

chmod 755 -R /home/ahramlinux/
Bash
chown -R ahramlinux:ahramlinux /home/ahramlinux/
Bash

E) Check the permissions using ls or namei

ls -lhd /home/ahramlinux/
Bash
namei -l /home/ahramlinux/public_html/
Bash

Step 2: Configuring Apache Virtual Host For WordPress

A) First we need to make sure that these lines do exist in the main httpd configuration file, If not you can simply add them at the end of the file

vim /etc/httpd/conf/httpd.conf
Bash

Then Paste the following configurations

 #This Directive is important to only show "Apache" in server response headers for security reasons ServerTokens Prod  #################### ## Resource Limits # #################### # For event MPM (best performance) <IfModule mpm_event_module>   ServerLimit 40    StartServers 4    ThreadsPerChild 25    MaxConnectionsPerChild 500    MinSpareThreads 30    MaxSpareThreads 60    MaxRequestWorkers 1000 </IfModule>
Apache

Then save & close the file.

B) Next Create the following Apache virtual host file for your WordPress website in the /etc/httpd/conf.d/ directory

Note that the file name will be as (yourwebsite.com.conf) don’t forget the .conf at the end of the file

vim /etc/httpd/conf.d/yourwebsite.com.conf
Bash

Then Paste the following code into that file, and of course replace the word (yourwebsite) as your actual website name and for the directory we have just created under the /home directory in the previous step.

 <VirtualHost *:80>     ServerName yourwebsite.com     ServerAlias www.yourwebsite.com     ServerAdmin admin@yourwebsite.com     DocumentRoot "/home/yourwebsite.com/public_html/"     DirectoryIndex index.php index.html #This enables .htaccess file, which is needed for WordPress Permalink to work.      <Directory "/home/yourwebsite.com/public_html/"> #To Make Apache able to write or modify Your WP Files       Options -Indexes +FollowSymLinks       Require all granted       AllowOverride All            <Files ".ht*">      Require all denied      </Files>           </Directory>     ErrorLog "/var/log/httpd/yourwebsite.com.error-log"     LogLevel warn     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %O" mycustomlogformat     CustomLog "/var/log/httpd/yourwebsite.com.access-log" mycustomlogformat   # Redirect to local php-fpm if mod_php (5, 7 or 8) is not available <FilesMatch \.(php|phar)$>           SetHandler "proxy:unix:/var/opt/remi/php84/run/php-fpm/yourwebsite.com.sock|fcgi://localhost"       </FilesMatch>  <LocationMatch "^/phpfpmstatus$">     SetHandler "proxy:unix:/var/opt/remi/php84/run/php-fpm/yourwebsite.com.sock|fcgi://localhost/"     Order deny,allow     Deny from all     Allow from 192.168.122.1 </LocationMatch>    # Enable HTTP/2 (requires HTTPS) and fallback to HTTP/1.1 Protocols h2 http/1.1  # Enable persistent connections to allow multiple requests over a single TCP connection (HTTP/1.1). KeepAlive On # Time to wait for subsequent requests (adjust as needed) KeepAliveTimeout 5 # Set the maximum number of requests allowed per keep-alive connection. MaxKeepAliveRequests 100    ######################## ### Security Headers ### ########################  #Prevents browsers from MIME-sniffing a response away from the declared content-type. Header set X-Content-Type-Options "nosniff"  #Protects against clickjacking by only allowing the page to be framed by pages from the same origin. Header set X-Frame-Options "SAMEORIGIN"  #Tells the browser to enable its XSS protection and, if an XSS attack is detected, to block the page from loading entirely. Header set X-XSS-Protection "1; mode=block"  # This header controls referrer information sent with requests, ensuring privacy during HTTPS to HTTP downgrades by not sending referrer data. It allows referrer information for secure same-origin navigations and HTTPS to HTTPS, but restricts it to protect against information leakage when downgrading from HTTPS to HTTP. Header always set Referrer-Policy "no-referrer-when-downgrade"  # Implements Cross-Origin-Resource-Policy to restrict resource access to same-site origins, enhancing security by preventing unauthorized cross-origin resource sharing and potential data leakage. Header set Cross-Origin-Resource-Policy "same-site"   ############################## ### Caching Configurations ### ##############################  #Enable disk caching for all paths (adjust as needed) CacheEnable	disk	/  #RHEL/CentOS standard cache directory CacheRoot /var/cache/httpd  #Recommended for performance CacheDirLevels 2  #Recommended for performance CacheDirLength 1  # 1 hour default expiration CacheDefaultExpire 3600  # 1 day maximum expiration CacheMaxExpire 86400  #Cache resources without Last-Modified headers (use with caution) CacheIgnoreNoLastMod On  # Set Expires Headers (mod_expires) for static assets <FilesMatch "\.(html|css|js|jpg|jpeg|png|gif|ico|webp|svg|woff|woff2|ttf|eot)$">     ExpiresActive On     # Aggressive caching for static files     ExpiresDefault "access plus 1 year" </FilesMatch>  # Set Cache-Control Headers (mod_headers) <FilesMatch "\.(html|css|js|jpg|jpeg|png|gif|ico|webp|svg|woff|woff2|ttf|eot)$">     # 1 year, public, immutable (for static files)     Header set Cache-Control "max-age=31536000, public, immutable" </FilesMatch>  # Example: Caching dynamic content with revalidation <FilesMatch "\.php$">  # Example for PHP files   # 1 hour, revalidate, browser-only   Header set Cache-Control "max-age=3600, must-revalidate, private" </FilesMatch>   # Example:  No caching for specific paths (e.g., admin area) <Location /wp-admin>   Header set Cache-Control "no-cache, no-store, must-revalidate" </Location>  # Example:  Vary caching based on User-Agent (Important for responsive design) <FilesMatch "\.(css|js)$">   Header append Vary "User-Agent" </FilesMatch>    ################################## ### Compression Configurations ### ##################################  <IfModule mod_deflate.c>      # Compress all these file types     AddOutputFilterByType DEFLATE text/plain text/html text/css application/javascript application/json application/xml image/svg+xml application/x-font-ttf application/vnd.ms-fontobject application/font-woff2 application/font-woff      # Set compression levels (1-9, 9 is best but uses more CPU)     # A good balance     DeflateCompressionLevel 6      # Compress even if the client is using a proxy (important!)     SetOutputFilter DEFLATE       # Set vary headers (important for proxies and caching)     #for text based files     <FilesMatch "\.(html|css|js|jpg|jpeg|png|gif|ico|webp|svg|woff|woff2|ttf|eot)$">         Header append Vary "Accept-Encoding"     </FilesMatch>      # Set a minimum file size to compress (helps with small files)     #Compress files larger than 1KB     SetEnv DEFLATE_MIN_RATIO 1024      # Don't compress these user agents (if needed)     # BrowserMatch "MSIE [1-6]" no-gzip     # BrowserMatch "Mozilla/2\.0" no-gzip      # Add a header to indicate compression (for debugging)     Header set Content-Encoding gzip   </IfModule>  </VirtualHost>
Apache

Then save & close the file.

C) After that, test your Apache configurations

apachectl configtest
Bash

If you see “Syntax OK” then It means that the Apache virtual host configuration file is correct

D) Now restart the Apache Web Server

systemctl restart httpd.service
Bash

E) Check the Apache status, it must be active(running)

systemctl status httpd.service
Bash

Note: If You’re doing some development on your website, and want to test the changes, then you can simply remove the cache from here

cd /var/cache/httpd/
Bash
rm -rf *
Bash
systemctl restart httpd.service
Bash

Step 2: Configuring PHP-FPM For WordPress

We will be using PHP Version 8.4 but the same can be applied to PHP Version 8.3 and So On

Important Note: Don’t forget to install the following PHP Software or choose as per your needs

sudo dnf install php84-php php84-php-pecl-imagick-im7 php84-php-bcmath php84-php-cli php84-php-fpm php84-php-mbstring php84-php-opcache php84-php-pdo php84-php-sodium php84-php-xml php84-php-mysqlnd php84-php-pecl-mysql php84-php-gd php84-php-pecl-zip php84-php-common php84-php-ioncube-loader php84-php-pear php84-php-intl php84-php-soap php84-php-pecl-xmlrpc php84-php-opcache

A) First, you’ve to remove the following php-fpm configuration file

rm -f /etc/opt/remi/php84/php-fpm.d/www.conf
Bash

B) Create the following php-fpm definition pool file for your website

vim /etc/opt/remi/php84/php-fpm.d/yourwebsite.com.conf
Bash

Paste the following lines, and replace the word yourwebsit text with your actual website name

 ; PHP-FPM Pool Configurations For Website yourwebsite.com   ;;[Pool Definition] This is the name of the pool. It must be unique. This is not a directive but rather defines the start of a pool definition  [yourwebsitenamewithoutdotcom]  ; Pool Name  ;;[Process User and Group] user = yourwebsiteuser  ; User that the pool runs as group = yourwebsiteuser ; Group that the pool runs as    ;;[Socket Permissions and Access Control] ;;These directives control how the pool listens for connections.  listen = /var/opt/remi/php84/run/php-fpm/yourwebsite.com.sock ; Path to the socket file ;listen = 127.0.0.1:9001 ; Alternatively, listen on a specific port ;listen.owner = ahramlinux  ; Owner of the socket file (usually webserver user) ;listen.group = ahramlinux  ; Group of the socket file (usually webserver group) listen.mode = 0660   ; Permissions of the socket file listen.acl_users = yourwebsiteuser,apache  ; users have permission to connect to the pool's listening socket listen.acl_groups =  yourwebsiteuser,apache   ;;[Process Management] ;;These directives control how PHP-FPM manages worker processes.  pm = dynamic       ; Process manager (dynamic, static, ondemand) pm.max_children = 8  ; Maximum number of child processes pm.start_servers = 2 ; Number of processes started at startup pm.min_spare_servers = 1 ; Minimum number of idle processes pm.max_spare_servers = 3 ; Maximum number of idle processes pm.process_idle_timeout = 10s  ;The number of seconds after which an idle process will be killed pm.max_requests = 500 ; The number of requests each child process should execute before respawning ; Status page settings (optional, but recommended for monitoring) pm.status_path = /phpfpmstatus ; Path to the status page (accessible via webserver)   ;[Health check path] ping.path = /ping ping.response = pong    ;;[Request Handling] request_terminate_timeout = 30s ; Maximum execution time for a request   ;;[Logging and Error Handling]   access.log = /var/opt/remi/php84/log/php-fpm/yourwebsite.com.accesslog  ;The access log file access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" ; Consult the main configuration file  ; Slow log settings (for debugging slow scripts) slowlog = /var/opt/remi/php84/log/php-fpm/yourwebsite.com.slowlog request_slowlog_timeout = 10s    ;;[Environment Variables] ;; clear_env = yes ;;This is highly recommended. It clears any environment variables that might be set by the web server before passing them to the PHP scripts. This can prevent certain types of attacks that rely on manipulating environment variables. env[TMP] = /tmp   ;;[Enabling OPcache] ;;to improve PHP performance by caching compiled scripts. php_admin_flag[opcache.enable] = 1 php_admin_value[opcache.memory_consumption] = 256 ;Memory allocated to OPcache in MB php_admin_value[opcache.interned_strings_buffer] = 8 ;Memory for interned strings php_admin_value[opcache.max_accelerated_files] = 2000 ;Max files to cache php_admin_value[opcache.revalidate_freq] = 60 ;How often to check for script updates   ;;[[ Custom PHP ini settings (if needed) ]] ;; Add Any PHP INI Settings-Related Per Need By using the php_admin_value or php_admin_flag   ;;;;;;;;;;;;;;;; ; File Uploads ; ;;;;;;;;;;;;;;;; ; Security related settings for uploads php_admin_flag[file_uploads] = On ;Changed from Off to allow file uploads if needed php_admin_value[upload_max_filesize] = 100M ;Increased for better functionality php_admin_value[post_max_size] = 100M ;Increased to match upload size php_admin_value[max_execution_time] = 30  php_admin_value[memory_limit] = 256M php_admin_value[default_mimetype] = "text/html" php_admin_value[default_charset] = "UTF-8"   ; Disable dangerous functions php_admin_value[disable_functions] = exec,shell_exec,system,passthru,popen,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,mail,ini_restore,dl,symlink,link,highlight_file,show_source,phpinfo   ; Error log settings php_flag[display_errors] = off  ;Never display errors in production php_admin_value[error_log] = /var/opt/remi/php84/log/php-fpm/yourwebsite.com.errorlog php_admin_flag[log_errors] = on	; Log errors   ; Security settings (important!) security.limit_extensions = .php .php7 .phtml php_admin_flag[allow_url_fopen] = off php_admin_flag[allow_url_include] = off php_admin_value[open_basedir] = /home/yourwebsite/public_html/:/tmp/:/var/lib/php/ ; Restrict file access to the website's directory and /tmp   ;;cgi.force_redirect is primarily relevant when PHP is used as a CGI (Common Gateway Interface) handler. With other SAPI (Server Application Programming Interface) modules like mod_php (for Apache) or PHP-FPM, this directive is generally not needed.  ; Prevent execution of files uploaded by users php_admin_value[cgi.force_redirect] = 1 php_admin_value[cgi.redirect_status] = 200 php_admin_flag[cgi.fix_pathinfo] = 1
INI

C) Now Restart PHP-FPM & Check Its Status as It must be active(running)

systemctl restart php84-php-fpm.service
Bash
systemctl status php84-php-fpm.service
Bash

Step 3: Create a Database and User for WordPress

A) Access The MariaDB Shell using the root user as Following

mariadb -u root -p
Bash

B) Once You’re in, create the database for your WordPress website, I named it here wordpressdb but you can name it whatever name you like for example you can name it as your website name.

create database yourwebsitedb;
Bash

C) Now create a Database user with a password and give it access to your WordPress website ( This is the user that WordPress will use to connect to the database that we have just created)
Note: Of course, You can name the database user whatever name you like and the same goes for the database user’s password

grant all privileges on yourwebsitedb.* to mydbuser@'localhost' identified by 'mypassword123';
Bash

D) Now You’ve to flush the privileges table for the changes to take effect and then exit out of MariaDB Shell.

flush privileges;
Bash
exit;
Bash

Step 4: Download & Configure WordPress

A) Now download the WordPress, You can get the download link just by right-clicking on the download button and then copying the link address as follows

The Official WordPress Download Page is : https://wordpress.org/download/

Then at the command line, type the following command wget followed by the download link you’ve just copied as the following

sudo dnf install wget unzip -y
Bash
wget https://wordpress.org/latest.zip
Bash

D) Extract the archive as following

unzip latest.zip
Bash

E) Now move all the WordPress files to the public_html directory as follows

cd wordpress/
Bash
mv * /home/yourwebsite/public_html/
Bash

F) Adjust the permissions as follows, We need to make sure that WordPress website files are owned by the user that we have just created in Step 1 earlier.

chown -R yourwebsite:yourwebsite /home/yourwebsite/public_html/
Bash

G) Rename the WordPress sample configuration file as follows

mv /home/yourwebsite/public_html/wp-config-sample.php /home/yourwebsite/public_html/wp-config.php
Bash

H) Edit the WordPress configuration file with your preferred command-line text editor

vim /home/mywordpressuser/public_html/wp-config.php
Bash

I) Find these lines and replace the green text with the actual MariaDB name, MariaDB username,and password that we created earlier in the previous step [Step 3]

/** The name of the database for WordPress */
define( ‘DB_NAME’, ‘database_name_here‘ );

/** Database username */
define( ‘DB_USER’, ‘username_here‘ );

/** Database password */
define( ‘DB_PASSWORD’, ‘password_here‘ );

J) Also in the same file, find the following line, and change the wp_ table prefix to whatever prefix you like. This step is optional but It’s highly recommended to improve security

$table_prefix = ‘wp_’;

I’ll change it [For Example] to

$table_prefix = 'mw57_';

Then save & close the file.

Step 5: Enabling HTTPS

It’s highly recommended that HTTP traffic between the users’ browser and the server be encrypted. We can enable HTTPS by using a free TLS Certificate issued by Let’s Encrypt.

A) First Install the required software as follows

dnf install certbot python3-certbot.noarch python3-certbot-apache.noarch
Bash

B) Now execute the following command to obtain and install TLS Certificate

certbot --apache --agree-tos --redirect --hsts --uir --staple-ocsp --email admin@yourwebsite.com -d yourwebsite.com
Bash

Congratulations! The Certificate should now be obtained and installed successfully, and You should notice that a new VirtualHost Configuration File has been created to serve yourwebsite with https, the file name should be like this

ls -lht /etc/httpd/conf.d/yourwebsite.com-le-ssl.conf
Bash

C) TLS Certificate Auto-Renewal
To enable automatic renewal of your Let’s Encrypt certificate, simply edit the root user’s crontab file.

sudo crontab -e
Bash

Insert the following line at the bottom of the file.

0 2 * * * /usr/bin/certbot renew --quiet; /usr/bin/systemctl reload httpd.service
Bash

Then save the file and quit.

Step 6: Adjusting SELINUX Policies

A) First You may want to check all the enabled SELinux Booleans by typing the following command

getsebool -a | grep " --> on" | column -t -s " --> "
Bash

B) Allow httpd to read home directories

semanage boolean --m --on httpd_enable_homedirs
Bash

C) Allow the following SELinux Boolean to enable HTTPD to initiate network connections

semanage boolean -m --on httpd_can_network_connect
Bash

D) Allow HTTPD to connect to databases

semanage boolean -m --on httpd_can_network_connect_db
Bash

E) Allow HTTPD to send mail (if needed)

semanage boolean -m --on httpd_can_sendmail
Bash

F) Now Restore the files to their default SELinux security contexts, by typing the following command

restorecon -RvF /home/yourwebsite/public_html/
Bash

G) Then You’ve to Ensure your WordPress files are labeled with httpd_user_content_t for content and httpd_sys_rw_content_t for writable directories

Note 1: By Default every file and directory that is located under /home/yourwebsite/public_html is labeled with the httpd_user_content_t Label, So We Only need to change the Label(Type) for the public_html directory & the wp-content directory

Note 2: The /wp-content/: is the most important directory in terms of write permissions. It’s where user-generated content, themes, plugins, and other important data reside

To associate the httpd_sys_rw_content_t context to both directories, type the following two commands

semanage fcontext -a -t httpd_sys_rw_content_t "/home/ahramlinux/public_html"
Bash
semanage fcontext -a -t httpd_sys_rw_content_t "/home/yourwebsite/public_html/wp-content(/.*)?"
Bash

Then Apply these changes by typing the following command

restorecon -RvF /home/yourwebsite/public_html/
Bash

Now The public_html directory and the wp-content ONLY should have the httpd_sys_rw_content_t Label and any other file should have the httpd_user_content_t Label

ls -lhdZ /home/yourwebsite/public_html/
Bash

Take a directory other than wp-content and check its SELinux Label It should be httpd_user_content_t as follows

ls -lhdZ /home/yourwebsite/public_html/wp-admin/
Bash

The result should contain the httpd_user_content_t Label as following

drwxr-xr-x. 9 yourwebsite yourwebsite unconfined_u:object_r:httpd_user_content_t:s0 4.0K Nov 21 16:07 /home/yourwebsite/public_html/wp-admin/

Now Check the Label of the wp-content directory, It should be httpd_sys_rw_content_t

ll -dZ /home/yourwebsite/public_html/wp-content/
Bash

Congratulations! You’ve successfully managed to configure SELinux for Your WordPress Website. Enjoy the Security!

Step 7: Finish The WordPress Installation with Its Setup Wizard

A) Head over to your browser and type your domain name as following

https://yourwebsite.com
WordPress with LAMP Stack

One Additional Step after a successful WordPress installation, run the following command again

restorecon -RvF /home/yourwebsite/public_html/
Bash

Conclusion

You’ve successfully built a secure and performant WordPress site on RHEL 9. By configuring the LAMP stack, implementing SELinux and TLS, and optimizing with security headers, caching, and compression, you’ve established a solid foundation. This comprehensive approach ensures your site is not only robust and reliable but also primed for peak performance. Congratulations on building a powerful platform ready to make its mark online!

Share
AhramLinux Team
Previous
Setting Up MariaDB Master-Master Master-Slave Replication on RHEL
Next
Installing WordPress with LEMP Stack (NGINX,PHP & MariaDB) on RHEL