Installing WordPress with LEMP Stack (NGINX,PHP & MariaDB) on RHEL

Setting up a WordPress site on a Red Hat Enterprise Linux (RHEL) server using the LEMP stack (Linux, Nginx, MySQL/MariaDB, PHP) offers a powerful and efficient solution. This guide provides a comprehensive walk-through, crucially incorporating SELinux considerations for a secure and stable environment. Ignoring SELinux can lead to unexpected issues and vulnerabilities, so we’ll address it every step of the way.

Prerequisites

Here are some key requirements to get started:

1. This tutorial assumes you have a Red Hat Enterprise Linux (RHEL) server with a valid subscription. If you don’t, we’ve got you covered! Check out our comprehensive guide to get a free RHEL subscription here.
2. To make your website public, you’ll need a domain name. We recommend Namecheap for their affordable prices and free lifetime WHOIS privacy protection.
3. You’ll also need a LEMP stack installed on your RHEL server. If you haven’t set this up yet, follow our LEMP stack installation guide here. Once you’re done, come back to continue this tutorial.

Steps to Install WordPress with LEMP Stack

Step 1: Create the Required Users and Directories

First, we’ll create a no-login user in the /home directory. This user’s name should match your website’s domain (e.g., ahramlinux for ahramlinux.com). This is important because PHP-FPM, which processes your website’s scripts, will run with this user’s privileges.

A) Create the user:

useradd -s /usr/sbin/nologin ahramlinux

B) Create the ‘public_html’ directory (if it doesn’t exist):

This directory will hold your WordPress website files.

mkdir /home/ahramlinux/public_html

C) Set the correct permissions:

chmod 755 -R /home/ahramlinux/ chown -R ahramlinux:ahramlinux /home/ahramlinux/

D) Verify the permissions:

You can check the permissions using the following commands:

ls -lhd /home/ahramlinux/ namei -l /home/ahramlinux/public_html/

Step 2: Configuring NGINX to Serve Your WordPress Site

A) First, delete the default NGINX configuration file:

rm -f /etc/nginx/nginx.conf*

B) Create the main NGINX configuration file:

Run vim /etc/nginx/nginx.conf and insert the following lines:

 # Define the user that NGINX worker processes will run as user nginx;  # Set the number of worker processes (auto lets NGINX determine the optimal number) worker_processes auto;  # Define the path to the NGINX PID file pid /run/nginx.pid;  # Include configuration files for dynamically loaded modules include /usr/share/nginx/modules/*.conf;  # Define event block for network settings events {     # Set the maximum number of connections each worker process can handle     worker_connections 1024; }  # Define the HTTP block for web server settings http {     #==========================     # Global Security Settings     #==========================     server_tokens off;      #====================================================================     # Enabling Server-Side Caching Settings (Applied to all server blocks)     #====================================================================     proxy_cache_path /var/cache/nginx/ahramlinux-cache levels=1:2 keys_zone=ahramlinux_keyszone:10m max_size=5g inactive=60m use_temp_path=off;     proxy_cache_key "$scheme$request_method$host$request_uri$args";      #==============================     # Global Cache Exclusion List     #==============================     map $request_method $skip_post {         default 0;         POST    1;     }     map $query_string $skip_query {         default 0;         ""      0;         "~.+"   1;     }     map $request_uri $skip_uri {         default 0;         "~* /wp-admin/"           1;         "~* /xmlrpc\\.php"        1;         "~* wp-.*\\.php"          1;         "~* ^/feed/.*"            1;         "~* /tag/.*/feed/.*"      1;         "~* /index\\.php"         1;         "~* /.*sitemap.*\\.(xml|xsl)" 1;     }     map $http_cookie $skip_cookie {         default 0;         "~* comment_author"             1;         "~* wordpress_[a-f0-9]+"        1;         "~* wp-postpass"                1;         "~* wordpress_no_cache"         1;         "~* wordpress_logged_in"        1;     }     map $remote_addr $skip_ip {         default         0;         "~* 192\\.168\\.1\\.12" 1;         "~* 192\\.168\\.1\\.13" 1;     }     map "$skip_post$skip_query$skip_uri$skip_cookie" $skip_cache {         default 1;         "0000"  0;     }      #=====================================     # Define the log format named 'main'     #=====================================     log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time $upstream_response_time';      #===========================================     # Network and File Transfer Optimizations     #===========================================     sendfile on;     tcp_nopush on;     tcp_nodelay on;     types_hash_max_size 4096;      include /etc/nginx/mime.types;     default_type application/octet-stream;     include /etc/nginx/conf.d/*.conf; } 

C) Check the NGINX configurations:

nginx -t

D) Create the caching directory:

Before adding configurations for your website, create the caching directory:

mkdir -p /var/cache/nginx/01-yourwebsite-cache chown nginx:nginx /var/cache/nginx chown nginx:nginx /var/cache/nginx/01-yourwebsite-cache/ chmod 700 /var/cache/nginx chmod 700 /var/cache/nginx/01-yourwebsite-cache/

E) Create the NGINX server block configuration:

Note that the file name must end with .conf. Run vim /etc/nginx/conf.d/01-yourwebsite.com.conf and paste the following configuration. Replace every occurrence of yourwebsite with your actual domain name (e.g., ahramlinux.com):

 server {     listen 80;     server_name ahramlinux.xyz www.ahramlinux.xyz;     root /home/ahramlinux/public_html/;     index index.php index.html;      client_max_body_size 200M;      location / {         try_files $uri $uri/ /index.php$is_args$args;     }      location ~ /\.ht {         access_log off;         log_not_found off;         deny all;     }      add_header X-Powered-By "";     add_header X-Content-Type-Options nosniff;     add_header X-Frame-Options SAMEORIGIN;     add_header X-XSS-Protection "1; mode=block";     add_header Referrer-Policy "no-referrer-when-downgrade";     add_header Cross-Origin-Resource-Policy "same-site";     add_header Strict-Transport-Security "max-age=31536000" always;      location ~ \.php$ {         try_files $uri =404;         proxy_pass http://127.0.0.1:9000;         fastcgi_index index.php;         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;         include fastcgi_params;          proxy_cache ahramlinux_keyszone;         proxy_cache_use_stale error timeout updating invalid_header http_500 http_503;         proxy_cache_valid 200 302 1h;         proxy_cache_valid 404 10m;         proxy_cache_valid any 1m;         proxy_cache_min_uses 1;         proxy_cache_lock on;         add_header X-Cache $upstream_cache_status;         proxy_hide_header Cache-Control;         proxy_hide_header Expires;         proxy_hide_header Set-Cookie;         proxy_no_cache $skip_post $skip_query $skip_uri $skip_cookie $skip_ip;          expires 1h;         add_header Cache-Control "max-age=3600, must-revalidate, private";     }      location /phpfpmstatus {         proxy_pass http://127.0.0.1:9000;         include fastcgi_params;         allow 192.168.122.1;         deny all;     }      location ~* \.(html|css|js|jpg|jpeg|png|gif|ico|webp|svg|woff|woff2|ttf|eot|otf|mp3|ogg|wav|mp4|webm|avi|txt|pdf)$ {         expires 30d;         add_header Cache-Control "max-age=2592000, public, immutable";     }      location /wp-admin {         add_header Cache-Control "no-cache, no-store, must-revalidate";     }      gzip on;     gzip_vary on;     gzip_types text/plain text/css application/json application/javascript application/xml+rss application/atom+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype application/vnd.geo+json image/svg+xml application/x-shockwave-flash image/webp image/x-icon;     gzip_comp_level 6;     gzip_min_length 1000;     gzip_buffers 16 8k;     gzip_disable "MSIE [1-6]\.";     gzip_proxied any;     gzip_static on;      error_log /var/log/nginx/ahramlinux.xyz.error.log warn;     access_log /var/log/nginx/ahramlinux.xyz.access.log main;      error_page 404 /404.html;     location = /404.html {         root /home/ahramlinux/public_html/;     }      error_page 500 502 503 504 /50x.html;     location = /50x.html {         root /usr/share/nginx/html;     } } 

F) Validate and restart NGINX:

nginx -t sudo systemctl restart nginx.service

Step 3: Configuring PHP-FPM to Process WordPress Files

Note: This guide uses PHP 8.4, but the process is similar for PHP 8.3 and later versions.

Important: Install the following PHP packages, selecting those appropriate for your needs:

sudo dnf install php84-php php84-php-pecl-imagick-im7 php84-php-bcmath php84-php-cli php84-php-fpm php84-php-mbstring php84-php-opcache php84-php-pdo php84-php-sodium php84-php-xml php84-php-mysqlnd php84-php-pecl-mysql php84-php-gd php84-php-pecl-zip php84-php-common php84-php-ioncube-loader php84-php-pear php84-php-intl php84-php-soap php84-php-pecl-xmlrpc php84-php-opcache

A) Remove the default PHP-FPM configuration:

rm -f /etc/opt/remi/php84/php-fpm.d/www.conf

B) Create a new PHP-FPM pool configuration file:

Run vim /etc/opt/remi/php84/php-fpm.d/01-yourwebsite.com.conf and paste the following configuration, replacing yourwebsite with your actual website name (without the .com):

 ; [Pool Definition] [ahramlinux] ; Define the pool name (must be unique)  ; [User and Group] user = ahramlinux ; Set the user that the pool runs as group = ahramlinux ; Set the group that the pool runs as  ; [Socket Configuration] listen = 127.0.0.1:9000 ; Listen on TCP port 9000 listen.mode = 0660 ; Permissions of the socket file (read/write for user and group) listen.acl_users = ahramlinux,apache ; Allow these users to connect to the socket listen.acl_groups = ahramlinux,apache ; Allow these groups to connect to the socket  ; [Process Management] pm = dynamic ; Use dynamic process management (adjusts processes as needed) pm.max_children = 8 ; Maximum number of child processes pm.start_servers = 2 ; Number of processes started initially pm.min_spare_servers = 1 ; Minimum number of idle processes pm.max_spare_servers = 3 ; Maximum number of idle processes pm.process_idle_timeout = 10s ; Time an idle process waits before being killed pm.max_requests = 500 ; Number of requests a child process handles before respawning  ; [Status and Ping] pm.status_path = /phpfpmstatus ; Path to the PHP-FPM status page ping.path = /ping ; Path for ping checks ping.response = pong ; Response to ping checks  ; [Request Handling] request_terminate_timeout = 30s ; Maximum time a request can execute  ; [Logging] access.log = /var/opt/remi/php84/log/php-fpm/ahramlinux.com.accesslog ; Path to the access log file access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" ; Format of the access log slowlog = /var/opt/remi/php84/log/php-fpm/ahramlinux.com.slowlog ; Path to the slow log file request_slowlog_timeout = 10s ; Time a request can take before being logged as slow  ; [Environment Variables] clear_env = yes ; Clear environment variables for security env[TMP] = /tmp ; Set the temporary directory  ; [OPcache Settings] php_admin_flag[opcache.enable] = 1 ; Enable OPcache for performance php_admin_value[opcache.memory_consumption] = 256 ; Memory allocated to OPcache (in MB) php_admin_value[opcache.interned_strings_buffer] = 8 ; Memory for interned strings php_admin_value[opcache.max_accelerated_files] = 2000 ; Maximum number of files cached by OPcache php_admin_value[opcache.revalidate_freq] = 60 ; How often OPcache checks for file updates (in seconds)  ; [File Uploads] php_admin_flag[file_uploads] = On ; Allow file uploads php_admin_value[upload_max_filesize] = 100M ; Maximum size of uploaded files php_admin_value[post_max_size] = 100M ; Maximum size of POST data  ; [Execution Limits] php_admin_value[max_execution_time] = 30 ; Maximum script execution time php_admin_value[memory_limit] = 256M ; Maximum memory a script can use  ; [MIME and Character Set] php_admin_value[default_mimetype] = "text/html" ; Default MIME type php_admin_value[default_charset] = "UTF-8" ; Default character set  ; [Security - Disabled Functions] php_admin_value[disable_functions] = exec,shell_exec,system,passthru,popen,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,mail,ini_restore,dl,symlink,link,highlight_file,show_source,phpinfo ; Disable potentially dangerous functions  ; [Security - Error Handling] php_flag[display_errors] = off ; Do not display errors in production php_admin_value[error_log] = /var/opt/remi/php84/log/php-fpm/ahramlinux.com.errorlog ; Path to the error log file php_admin_flag[log_errors] = on ; Log errors  ; [Security - File Access] security.limit_extensions = .php .php7 .phtml ; Limit execution to these file extensions php_admin_flag[allow_url_fopen] = off ; Disable URL file access for security php_admin_flag[allow_url_include] = off ; Disable URL includes for security php_admin_value[open_basedir] = /home/ahramlinux/public_html/:/tmp/:/var/lib/php/ ; Restrict file access to these directories  ; [CGI Settings (Generally Not Needed with PHP-FPM)] php_admin_value[cgi.force_redirect] = 1 ; Force CGI redirects (usually not needed with PHP-FPM, but included for consistency) php_admin_value[cgi.redirect_status] = 200 ; Redirect status code php_admin_flag[cgi.fix_pathinfo] = 1 ; Fix path info for CGI scripts 

C) Restart and check PHP-FPM:

systemctl restart php84-php-fpm.service systemctl status php84-php-fpm.service

Step 4: Create a Database and User for WordPress

A) Access the MariaDB shell:

mariadb -u root -p

B) Create the WordPress database:

We’ll create the database that WordPress will use. For this example, we’ll use wordpressdb, but feel free to substitute your preferred name.

create database wordpressdb;

C) Create the database user:

We’ll create a user for WordPress to connect to the database. In this example, we’ll use wordpressuser and 'StrongPassword'. Replace 'StrongPassword' with a strong, unique password.

grant all privileges on wordpressdb.* to wordpressuser@'localhost' identified by 'StrongPassword';

D) Apply changes and exit:

flush privileges; exit;

Step 5: Download and Configure WordPress

A) Download WordPress:

You can download WordPress from the official website:

href=”https://wordpress.org/download/”>https://wordpress.org/download/. To download via the command line, first install wget and unzip if you don’t have them:

Copy

sudo dnf install wget unzip -y

Bash

Then, use wget to download the latest version:

Copy

wget https://wordpress.org/latest.zip

Bash

B) Extract the archive:

Copy

unzip latest.zip

Bash

C) Move WordPress files:

Move all the extracted WordPress files to your website’s public_html directory:

Copy

cd wordpress/mv * /home/ahramlinux/public_html/

Bash

D) Set file ownership:

Ensure the website files are owned by the correct user (the one you created earlier):

Copy

chown -R ahramlinux:ahramlinux /home/ahramlinux/public_html/

Bash

E) Rename the configuration file:

Copy

mv /home/ahramlinux/public_html/wp-config-sample.php /home/ahramlinux/public_html/wp-config.php

Bash

F) Edit the configuration file:

Open the wp-config.php file with your preferred text editor (e.g., vim, nano):

Copy

vim /home/ahramlinux/public_html/wp-config.php

Bash

G) Configure database settings:

Locate the following lines and replace the placeholders with your actual database name, username, and password (created in Step 4):

 /** The name of the database for WordPress */ define( 'DB_NAME', 'wordpressdb' ); // Your database name  /** Database username */ define( 'DB_USER', 'wordpressuser' ); // Your database username  /** Database password */ define( 'DB_PASSWORD', 'StrongPassword' ); // Your strong database password 

H) Change the table prefix (recommended):

Find the following line:

 $table_prefix = 'wp_'; 

Change wp_ to a unique prefix for security (e.g., mw57_):

 $table_prefix = 'mw57_'; // Or your chosen prefix 

Save and close the file.

Step 6: Enabling HTTPS

Encrypting HTTP traffic is crucial for security. We’ll use Let’s Encrypt to obtain a free TLS certificate.

A) Install required software:

Copy

dnf install certbot python3-certbot.noarch python3-certbot-nginx.noarch

Bash

B) Obtain and install the TLS certificate:

Copy

certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email admin@ahramlinux.com -d ahramlinux.com

Bash

--nginx: Use the NGINX plugin for certificate installation.
--agree-tos: Automatically agree to the Let’s Encrypt terms of service.
--redirect: Automatically redirect HTTP to HTTPS.
--hsts: Enable HTTP Strict Transport Security (HSTS).
--staple-ocsp: Enable OCSP stapling.
--email: Provide an email for renewal notifications.
-d: Specify the domain name.

C) TLS certificate auto-renewal:

To automate certificate renewal, edit the root user’s crontab:

Copy

sudo crontab -e

Bash

Add the following line:

Copy

0 2 * * * /usr/bin/certbot renew --quiet; /usr/bin/systemctl reload nginx.service

Bash

0 2 * * *: Run daily at 2:00 AM.
/usr/bin/certbot renew --quiet: Renew certificates silently.
/usr/bin/systemctl reload nginx.service: Reload NGINX to apply changes.

Step 7: Implementing SELinux Rules for WordPress

A) Check enabled SELinux booleans:

on\” | column -t -s \” –> \””,”language”:”bash”,”theme”:”dracula-soft”,”bgColor”:”#282A36″,”textColor”:”#f6f6f4″,”fontSize”:”1rem”,”fontFamily”:”Code-Pro-JetBrains-Mono”,”lineHeight”:”1.25rem”,”headerType”:”headlights”,”copyButton”:true,”copyButtonType”:”textSimple”} –>

on\” | column -t -s \” –> \”” style=”color:#282A36;display:none;background-color:#f6f6f4″ aria-label=”Copy” data-copied-text=”Copied!” data-has-text-button=”textSimple” data-inside-header-type=”headlights” aria-live=”polite” class=”code-block-pro-copy-button”>Copy

getsebool -a | grep " --> on" | column -t -s " --> "

Bash

B) Enable necessary booleans:

Enable the following booleans to allow HTTPD to function correctly:

Copy

semanage boolean -m --on httpd_enable_homedirssemanage boolean -m --on httpd_can_network_connectsemanage boolean -m --on httpd_can_network_connect_dbsemanage boolean -m --on httpd_can_sendmail

Bash

C) Restore default security contexts:

Copy

restorecon -RvF /home/ahramlinux/public_html/

Bash

D) Set appropriate file contexts:

Ensure your WordPress files have the correct labels. Set the httpd_sys_rw_content_t context for public_html and wp-content:

Copy

semanage fcontext -a -t httpd_sys_rw_content_t "/home/ahramlinux/public_html"semanage fcontext -a -t httpd_sys_rw_content_t "/home/ahramlinux/public_html/wp-content(/.*)?"restorecon -RvF /home/ahramlinux/public_html/

Bash

E) Verify file contexts:

Check the labels:

Copy

ls -lhdZ /home/ahramlinux/public_html/ls -lhdZ /home/ahramlinux/public_html/wp-admin/ll -dZ /home/ahramlinux/public_html/wp-content/

Bash

Congratulations! You have successfully configured SELinux for your WordPress website.

Step 8: Complete the WordPress Installation

A) Access the WordPress setup wizard:

Open your web browser and visit your domain name (e.g., https://ahramlinux.com). This will launch the WordPress setup wizard.

B) Complete the setup:

Follow the on-screen instructions in the setup wizard to configure your WordPress site.

C) Final SELinux context restoration (Important):

After installing WordPress, run this command to ensure all file contexts are correctly set:

Copy

restorecon -RvF /home/ahramlinux/public_html/

Bash

Conclusion

You’ve taken your WordPress installation to the next level, mastering the intricacies of LEMP, security hardening, and performance optimization. From initial setup to HTTPS enablement, SELinux configuration, and NGINX tuning, you’ve successfully navigated the path to a robust and high-performing website. Your WordPress site is now secure, fast, and ready to make its mark. If you found this post useful, don’t forget to share it with your friends!