Deploy WordPress on AWS using Free Tier Services
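## SWAP
# Create a 1 GiB swap file. The mode is tightened to 600 before the file is
# formatted and activated, so swapped-out memory is never readable by
# unprivileged users.
sudo fallocate -l 1G /swapfile
sudo chmod 600 /swapfile
ls -lh /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
# Persist the swap file across reboots. The entry is appended only when it is
# not already present, so re-running this step does not duplicate it.
grep -q '^/swapfile ' /etc/fstab || echo '/swapfile swap swap defaults 0 0' | sudo tee -a /etc/fstab
swapon --show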
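# Bring the base system up to date before adding third-party repositories.
# -y on the final install keeps the whole chain non-interactive.
sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get autoremove -y && sudo apt-get install -y software-properties-common
# Both PPAs are added as root; without sudo the second add-apt-repository fails
# and nginx would be installed from the distribution archive instead.
# Packages from a PPA run with full system privileges, so these two
# maintainers become part of the host's trust base.
sudo add-apt-repository ppa:ondrej/php -y && sudo add-apt-repository ppa:nginx/stable -y
# NOTE: PHP 7.4 reached upstream end of life in November 2022 and no longer
# receives upstream security fixes; every 7.4 path on this page has to change
# together when a supported branch is used instead.
# NOTE: php7.4-dev pulls in build tooling that is not needed to serve
# WordPress; consider leaving it off production hosts.
sudo apt-get install nginx mariadb-client zip unzip certbot python3-certbot-nginx php7.4-{apcu,bcmath,bz2,cli,common,curl,dev,fpm,gd,imap,intl,json,imagick,mbstring,mysql,opcache,redis,soap,xml,xmlrpc,zip} -y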
# Tune the PHP-FPM php.ini in a single sed pass. Every expression rewrites a
# line only while it still holds the stock value, so a setting that was
# already customised is left alone (and silently stays unchanged - check the
# result with: grep -E 'cgi.fix_pathinfo|memory_limit|upload_max' "$php_ini").
#
# cgi.fix_pathinfo=0 stops PHP from walking up the path to find a script when
# the requested file does not exist. The upload/post limits set here are
# larger than the 100M client_max_body_size in the nginx server block further
# down, so nginx remains the effective request-size cap.
php_ini=/etc/php/7.4/fpm/php.ini
sudo sed -i \
  -e 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' \
  -e 's/max_execution_time = 30/max_execution_time = 120/g' \
  -e 's/memory_limit = 128M/memory_limit = 512M/g' \
  -e 's/post_max_size = 8M/post_max_size = 1024M/g' \
  -e 's/upload_max_filesize = 2M/upload_max_filesize = 512M/g' \
  -e 's/max_input_time = 60/max_input_time = 120/g' \
  -e 's/max_input_vars = 1000/max_input_vars = 5000/g' \
  -e 's/short_open_tag = Off/short_open_tag = On/g' \
  -e 's/zlib.output_compression = Off/zlib.output_compression = On/g' \
  -e 's/;opcache.enable=1/opcache.enable=1/g' \
  -e 's/;opcache.save_comments=1/opcache.save_comments=1/g' \
  -e 's/;date.timezone.*/date.timezone = UTC/' \
  "$php_ini"
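# Make sure PHP-FPM is told which script file to run. The directive is
# appended to the bottom of fastcgi_params only when it is missing; the single
# quotes keep $document_root and $fastcgi_script_name literal for nginx.
grep -qF 'fastcgi_param SCRIPT_FILENAME' /etc/nginx/fastcgi_params || echo 'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' | sudo tee -a /etc/nginx/fastcgi_params
# Validate the configuration first: restarting with a broken config leaves
# nginx stopped.
sudo nginx -t && sudo service nginx restart
sudo update-alternatives --set php /usr/bin/php7.4
# Restart PHP-FPM so the php.ini edits take effect.
sudo systemctl restart php7.4-fpm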
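mysql -h your-rds-host-name -P 3306 -u rds-master-user -p
-- Everything below is entered at the prompt opened by the command above.
CREATE DATABASE site_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- 'Password' is a placeholder: replace it with a long random value.
-- The '%' host lets this account log in from any address that can reach the
-- database endpoint; narrow it to the web server's address or subnet where
-- the network layout allows.
CREATE USER 'siteuser'@'%' IDENTIFIED BY 'Password';
-- The grants target site_db, the database created above. Run ONE of the two
-- GRANT statements. The account already exists, so the grant needs no
-- IDENTIFIED BY clause, and WordPress has no use for WITH GRANT OPTION
-- (it would let the site account hand its privileges to other accounts).
-- For MySQL 5.7 or Less
GRANT ALL ON site_db.* TO 'siteuser'@'%';
-- MariaDB 10 Up
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON `site_db`.* TO 'siteuser'@'%';
FLUSH PRIVILEGES;
EXIT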
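cd /var/www/
# /var/www is root-owned, so the unpack, cleanup and rename steps need sudo
# just like the download does.
sudo wget https://wordpress.org/latest.zip
# Compare the archive with the SHA-1 published next to it before unpacking.
# This catches a truncated or corrupted download; it comes from the same
# server, so it is not an independent authenticity check.
echo "$(wget -qO- https://wordpress.org/latest.zip.sha1)  latest.zip" | sha1sum -c - && sudo unzip latest.zip && sudo rm latest.zip
sudo mv wordpress/ yourdomain.tld
# Directories 775, regular files 664: the www-data group keeps the write
# access that FS_METHOD 'direct' relies on, but files no longer carry the
# execute bit that a recursive chmod 775 would put on every one of them.
# Tighter still: keep group write on wp-content only, at the cost of
# in-dashboard core updates.
sudo find /var/www/yourdomain.tld/ -type d -exec chmod 775 {} +
sudo find /var/www/yourdomain.tld/ -type f -exec chmod 664 {} +
sudo chown -R root:www-data /var/www/yourdomain.tld/
# This is for AWS (the login user on the Ubuntu image owns the tree instead of root)
sudo chown -R ubuntu:www-data /var/www/yourdomain.tld/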
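# Request the certificate. --register-unsafely-without-email creates the ACME
# account with no contact address, so nothing reaches the operator about
# account or certificate problems; renewal has to be monitored another way
# (the `certbot renew --dry-run` step later on this page checks that it works).
sudo certbot --nginx -d yourdomain.tld -d www.yourdomain.tld --register-unsafely-without-email
# -dsaparam produces DSA-style parameters: generation is much faster, but the
# prime is not a safe prime, so the server must use a fresh DH key for every
# handshake. Omit -dsaparam to generate safe-prime parameters instead (slow on
# a small instance).
sudo openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 2048
# Fetch the two gist revisions into a scratch directory rather than writing
# them straight over the live configuration. The URLs are pinned to specific
# revisions; read the files before they become root-owned nginx configuration.
conf_tmp=$(mktemp -d)
wget -q https://gist.githubusercontent.com/amanjuman/8ee772b38bc1a14cecf30546d0e53b73/raw/696eb10ae462d0603290a4f23120592b0de4f669/nginx.conf -O "$conf_tmp/nginx.conf"
wget -q https://gist.githubusercontent.com/amanjuman/8ad9e374cb970a352d08b950e3d3dbef/raw/ddf53d463c80dfe76f7594b3bb3a58df63cd2aad/default -O "$conf_tmp/default"
less "$conf_tmp/nginx.conf" "$conf_tmp/default"
# Keep the previous files so a bad config can be rolled back.
sudo cp -a /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
sudo cp -a /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
sudo install -m 644 "$conf_tmp/nginx.conf" /etc/nginx/nginx.conf
sudo install -m 644 "$conf_tmp/default" /etc/nginx/sites-available/default
rm -rf -- "$conf_tmp"
# Only restart when the new configuration parses.
sudo nginx -t && sudo service nginx restart
sudo nano /etc/nginx/sites-available/yourdomain.tld.conf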
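# Virtual host for yourdomain.tld: TLS termination, HTTP->HTTPS redirect,
# WordPress permalinks, PHP-FPM hand-off and a set of deny rules.
#
# Ordering matters below: among regex locations nginx uses the FIRST one that
# matches, in file order. Every deny rule that targets a *.php URI therefore
# has to appear before the generic "\.php$" handler, otherwise the request is
# passed to PHP-FPM and the deny rule is never consulted.
server
{
    # Listen
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Directory & Server Naming
    root /var/www/yourdomain.tld;
    index index.php index.html;
    server_name yourdomain.tld www.yourdomain.tld;
    http2_push_preload on;
    large_client_header_buffers 4 16k;

    # HTTP to HTTPS redirection
    if ($scheme != "https")
    {
        return 301 https://$host$request_uri;
    }

    # SSL
    ssl_certificate /etc/letsencrypt/live/yourdomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.tld/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.tld/fullchain.pem;

    # Nginx Logging
    access_log /var/log/nginx/yourdomain.tld-access.log;
    error_log /var/log/nginx/yourdomain.tld-error.log warn;

    # Max Upload Size
    client_max_body_size 100M;

    # Disable hidden file access except Let's Encrypt verification.
    # The .well-known rule comes first so it wins over the dot-file deny.
    location ~ /\.well-known
    {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }

    # WordPress: deny wp-content, wp-includes php files.
    # Now that this rule is actually applied, anything that calls a PHP file
    # under these directories directly by URL is refused; test the admin area
    # and plugins after enabling it.
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$
    {
        deny all;
    }

    # WordPress: deny uploads that are not images, videos, music, etc.
    # The dot before the extension group is escaped so only real extensions match.
    location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf)$
    {
        deny all;
    }

    # WordPress: deny scripts and styles concat.
    # wp-admin needs define('CONCATENATE_SCRIPTS', false); in wp-config.php
    # while this rule is active.
    location ~* \/wp-admin\/load-(?:scripts|styles)\.php
    {
        deny all;
    }

    # WordPress: deny general stuff.
    # Includes wp-comments-post.php, so comment submission is refused too.
    location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$
    {
        deny all;
    }

    # Permalink Support
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP Upstream (must stay below the deny rules above)
    location ~ \.php$
    {
        include snippets/fastcgi-php.conf;
        ## For PHP 7.4
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Robot Text Logging Off
    location = /robots.txt
    {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Fav ICON Disable
    location = /favicon.ico
    {
        log_not_found off;
        access_log off;
    }

    # Assets Pull: Configure CORS to Resolve Web Font Issues
    location ~* \.(eot|otf|ttf|woff|woff2)$
    {
        add_header Access-Control-Allow-Origin *;
    }

    # WordPress: Cache
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|svg)$
    {
        expires 7d;
        add_header Cache-Control "public, no-transform";
        log_not_found off;
        access_log off;
    }
}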
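# Enable the site.
sudo ln -s /etc/nginx/sites-available/yourdomain.tld.conf /etc/nginx/sites-enabled/
# Parse the new server block before restarting; a typo in it would otherwise
# leave nginx stopped.
sudo nginx -t && sudo service nginx restart
# Confirm that unattended renewal works end to end.
sudo certbot renew --dry-run
## Add SES, S3, ECache in Config
sudo nano /var/www/yourdomain.tld/wp-config.php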
// Have WordPress write files directly from PHP. This is why the web-server
// group needs write access to the document root.
define( 'FS_METHOD', 'direct' );
define( 'WP_CACHE', true );
define( 'WP_CACHE_KEY_SALT', 'yourdomain.tld' );
define( 'WP_REDIS_HOST', 'redis-endpoint' );
// Empty password: the cache endpoint is then protected only by network
// reachability (security groups), so keep it off any public subnet.
define( 'WP_REDIS_PASSWORD', '' );
// 'aws-id' / 'aws-key' are placeholders. Long-lived access keys written here
// are readable by any code that runs inside the site; keep wp-config.php out
// of backups and repositories, scope the keys with a minimal IAM policy, and
// prefer an EC2 instance role if the plugins support one (confirm in their docs).
define( 'AS3CF_SETTINGS', serialize( [
	'provider'          => 'aws',
	'access-key-id'     => 'aws-id',
	'secret-access-key' => 'aws-key',
] ) );
define( 'WPOSES_AWS_ACCESS_KEY_ID', 'aws-id' );
define( 'WPOSES_AWS_SECRET_ACCESS_KEY', 'aws-key' );
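## IAM policy for the bucket (advanced users). Note: s3:PutBucketPublicAccessBlock lets these credentials change the bucket's public-access-block settings, and s3:PutObjectAcl lets them change object ACLs; drop either action if the site does not need it.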
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ObjectLevel",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::bucket-name/*"
},
{
"Sid": "BucketLevel",
"Effect": "Allow",
"Action": [
"s3:GetBucketPublicAccessBlock",
"s3:PutBucketPublicAccessBlock",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::bucket-name"
}
]
}
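## Bucket policy if you don't use CloudFront. It makes every object in the bucket readable by anyone, so use it only for a bucket that holds public media. The usual Resource for s3:GetObject is "arn:aws:s3:::bucket-name/*" (objects only); the pattern below, without the slash, also matches the bucket ARN itself.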
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name*"
}
]
}
## CloudFront New S3 Region Support
Update Origin: bucketname.s3.regioncode.amazonaws.com