Before you Install WordPress
A Virtual Private Server (VPS) hosting package gives you a lot of control over the resources that you can deploy to make your WordPress powered site as fast as it can be. So, before you order and pay for your VPS package, what features should you look for:
- Centos 6 or Centos 7 Unix Operating System. Centos 7 is new and 64 bit, and so if you are looking towards PHP 7, you might want to have this if it is an option..
- cPanel WHM licence. This element of the package you buy is often sold separately and can be relatively expensive, so try to find a deal that is inclusive of this software.
- The server should be a ‘Cloud’ server. This means that there is no physical server as such, but your server has resources from a pool of physical servers that it can call upon. This is organized in a software program called a hypervisor. The usual choice is between OpenVZ and KVM, with OpenVZ being the more common, as it is less expensive, whereas KVM is usually better.
- VPS Management Software, probably SolusVM. You will need a UI based software package to manage the cloud server. Some hosts will not offer this.
- The server should have at least 2GB RAM, 40GB (hopefully) SSD storage, 1TB (1000GB) monthly bandwidth, 2 CPU’s and 1 dedicated IP address. The uplink connection should be at least 1GBPS.
- The server should hopefully be protected by a minimum of 20GBPS DDoS firewall protection and daily R1Soft backups.
- Most importantly, the server should be a fully ‘Managed‘ service. This means you should get 24/7 technical support for the problems that will arise. This element of the package you buy is often sold separately and can be relatively expensive, if it is offered at all.
- You should be offered a free migration service, to bring your settings, data and databases(s) from an existing server (they will usually only do one domain). This will include setting up your own personal nameservers. You will have to contact your domain registrar to sort out pointing the domain to these new nameservers.
- Accounts and logins should be made for you for; SolusVM, root and WHM and a cPanel account for your main domain. If you are putting more than one domain on the server, which you are permitted to do, you may have to set these up yourself, but it is not difficult to do this.
- Optional CDN. Many hosts now offer free setup and use of a basic Cloudflare account, some even offer the Pro account, sometimes for free and sometimes for US$5 per month. Cloudflare has an Apache module that links it all together for you.
On a monthly payment plan, this should cost about US$30. Exact costs will depend on the ‘pool’ of resources you buy. The more the resources you want, the more it will cost, but relatively adding resources is quite cheap, and often worth doing. For example, tripling the resources (200% extra) would probably cost only 33% extra.
So, you now have a hosting plan, I hope. Before you do anything substantial, make sure it is working by checking the home page and all the logins. Don’t forget, it may take many hours for this to go live.
We will now look at configuring your Cloud VPS for WordPress.
In the previous chapter you last checked that the server was working in the front end and back end. So, log in to Web Host Manager (WHM) and you should be greeted by the main WHM Home page. My current version says that it is cPanel 54.0, and this document is based on that and was updated accordingly in January 2016. Depending on how your server is set up, you might see certificate warnings during your logins. You must add the certificates to your browser exceptions list to successfully log in. The first task is to make sure that your server is on the ‘Current’ tier (your host will not normally do this for you). Navigate to Server Configuration (the first button on the main screen) => Update Preferences. cPanel, by default, is usually on the ‘Release’ tier, but this is, IMHO, too conservative. The ‘Current’ tier actually has more recent versions of software and has more recent security fixes. Whilst on this page, at the bottom, makes sure ‘Operating System Package Updates’ and ‘Apache SpamAssassin™ Rules Updates’ are both set to Automatic. Save these settings.
Having done that, make sure everything is up-to-date. From the Home page, select cPanel => Upgrade to Latest Version. This may take a while to complete and sometimes the update fails, when a forced update may be needed (tick the checkbox). A forced update may take up to three hours to run, so do not do this unless a normal update fails.
Finally, from the Home page, select Software => EasyApache 3 (I am not going to use EasyApache 4 in cPanel 54, as I do not think it is stable enough for the inexperienced user; I may look at it again in cPanel 56 when it releases in a few months into 2016). EasyApache 3 keeps PHP, Apache, and the modules you have installed up to date. When EasyApache 3 has either checked for updates and found none, or installed to the latest version(s) of your software (for example, mine updated to EasyApache 3.32.9), you will then see a page showing the current installation configuration (the previously saved config). You need this configuration to show Apache 2.4 and PHP 5.6. Even if it does, the chances are that the detailed profile configuration needs tweaking. So, follow these steps:
- On the ‘Previously Saved Config’ row, click the settings cog at the right side.
- On the Apache Version screen ensure that the latest version of Apache 2.4 is enabled (on my installation this is 2.4.18) and then click Next Step.
- On the PHP 5 page, select the latest version of PHP 5.6 (on my installation this is 5.6.17) and then click Next Step.
- On the Short Options List page, scroll to the bottom and enabled the Exhaustive Options List.
- In the Apache Built-in Modules, first scroll towards the bottom of the page and find the PHP 5.6.17 options section, and at the bottom of that list and select (check to on) the ‘Save my profile with appropriate PHP 5 options set so that it is compatible with cpphp ‘ option. A pop-up with a warning will appear; accept this by clicking OK.
- Scroll up a little bit to the Other Modules section and enable (check to on) the Mod RUID2 0.9.8 option. Again a pop-up with a warning will appear; accept this by clicking OK.
- Now go back to the top (Apache Built-in Modules) and make sure you have only the following Apache modules enabled – all others need to be disabled:
- MPM Prefork
- Mod SuPHP 0.7.2
- In the Other Modules, also enable Mod Security 2.9.0.
- In the PHP 5.6.x section (mine currently shows 5.6.17), you are reminded to ‘harden’ your PHP settings. Your host may have done some hardening already for you. You must have only the following modules enabled – all others need to be disabled:
- MySQL “Improved” extension
- PDO MySQL
- Now Save and Build this. Hopefully, all will go well. It always has for me. when it has built, click OK to the notice.
- We now need to convert/upgrade from MySQL to MariaDB, which is a faster leaner database. From the WHM Home page, select Software => MySQL/MariaDB Upgrade. The first step is to select MariaDB, next you need to select all three checkboxes to show you understand the risks. Next select the ‘unattended upgrade.’ Then set the upgrade going. After it has finished, you will need to select the option to ‘Rebuild Apache and PHP using saved settings.’ Eventually the process will have rebuilt and restarted the server.
- Because we have installed Mod RUId2 we need to change the PHP Handler. Navigate to WHM Home » Service Configuration » Configure PHP and suEXEC, and in there change from suPHP to DSO Handler.
- We now need to make sure that the PHP settings are suitable for WordPress, as some of the defaults in PHP are not optimal. From the WHM Home page, select Service Configuration => PHP Configuration Editor and when this opens select Advanced Mode. Most settings do not need changing. Some of these listed below only need checking (the text boxes for some will be too small to read all the contents). When you have changed them, save the changes:
- date.timezone == set this to one that is suitable for your site. This list gives you all the options.
- default_socket_timeout == 400
- display_errors == off
- max_execution_time == 300
- max_input_time == 300
- max_input_vars is set by default to 1000. Each menu item in WordPress needs 9 (or more), so increasing this is something you may need to do if you have long menus. Mine is set to 5000.
- memory_limit == 256M (at least, I have mine set to 1024M as I have a server with 24GB RAM)
- post_max_size == 64M
- upload_max_filesize == 64M
- Save these settings (WHM will automatically restart Apache to make them active for you). You will see the message ‘The php.ini has been written’ and the actual php.ini file is displayed.
- We now need to install ImageMagick. From the WHM Home page, select Software -> Module Installers -> PHP Pecl (usually the second option) and click manage. In the ‘Install a PHP PECL’ field imagick and click Install Now button – that’s all. Restart Apache (from the WHM Home page, select Restart Services -> HTTP Server (Apache).
That is it, you now need to configure WordPress to use your awesome new VPS.
In this document I am going explain how to build a Self-Hosted WordPress site. Yes, that’s right. No debate over which Content Management Software (CMS) to use. It’s WordPress. Sorry if that offends you, but I have been doing web design far too long to be bothered with anything else. For 99% of users, WordPress is fine and dandy. For the purposes of these blog posts, I am going to skim over some of the really basic stuff (I might come back and add a bit of detail). I know that you can develop a site on your local PC or Mac, but the first time you get stuck, anybody who tries to help you will want to see what you have, and that means you need a web server. Unless you want to do a simple blog, forget the WordPress.com hosting packages, and become a self-hosted site.
That means you should get a domain. I used to use GoDaddy, but the control software is not so good and support is at best average. I now use Gandi.net, and have found them good for support, but very parochially French in attitude. The way their website sign up works is very much based on French legal definitions of businesses, so do be wary. The first thing you must do with Gandi is to create a ‘handle’, and at the top of this page they say ‘Be sure to choose the correct handle type for your situation, and note that you must use a real, legally verifiable name for yourself or your company or organization.’ If you are an individual or sole trader, or a partnership, you must choose ‘a company’, as that is the French definition of any business that trades in any way. This page shows who pays sales tax and at what level (outside the EU fiscal zone there is no sales tax payable).
You now need a web server. Sadly, it is at this point that most people get seriously burnt. There are some truths that need to be told:
- For a given dollar spend, you will never get more than a certain service level. It will be promised, but will not materialize.
- Big hosting providers tend to be over-priced and generally provide poor or bad service. There are some real horror stories on the internet; many are true.
- Once you have a host you might wish to use, search for them on the webhostingtalk forums. But beware, members rarely post of good experiences, but will shout loudly the first time something goes wrong; so expect some bad mouthing.
- On the Internet, some hosting businesses regularly seem to get bad press. The EIG group is one that seems to regularly swallow up smaller hosts and impose their own brand of customer care. They own Bluehost, Hostgator and many other brands. Read about them at the researchasahobby website. GoDaddy and Siteground are ‘others to avoid’ that come to mind. Searching for the term ‘avoid’ in the Web Hosting forum gives 29 pages of threads. Don’t get me wrong. All hosts have bad days. Sometimes they have a sales rush due to a special offer that leaves them short resourced for a while.
- Unless you are a web server expert, buying an unmanaged service is a recipe for disaster. Look for fully managed hosting packages. Do NOT abuse that support. The hosting company offers it at a cheap price in the hope that you will not call on them too much.
- Make sure you know before you buy in whose data center your server will be located. There are only a fixed number of these data centers in the world. Each is generally run by one company, and some have poor reputations.
- Many hosts claim that you will have the security of R1Soft Daily backups, but the data center may not even have this service. Do NOT rely on the host to do backups. Print out a copy of the phpinfo() report (you can use a WordPress plugin phpinfo-print to do this) for your site and make daily backups yourself using one of the many WordPress backup tools. I personally use Backup Buddy.
- Ask if you get a dedicated IP address, or a shared one. If it is a shared one, ask for the IP address before you sign up and check how many hosts are on that address. Chances are it could be over 1,000!! You can use this tool to check. Ask how many other domains share the server.
- A lot of small, startup hosts are run by college students, some younger than 18, with no real staff and little experience or business morals. They often use fake personal details (name, qualifications and experience). One such individual is a serial problem, by the name of Jonny Nguyen. Google his name with greenvaluehost.
- Smaller hosts provide the best value deals in the early months of their trading, but get more expensive as they expand and as the years go by.
- ‘Standard’ web servers, typically with Centos 6.5, Apache 2.4, PHP 5.5, MySQL 5.5 and cPanel software, are stable but sometimes poorly configured for the fast operation of a WordPress site. Throwing faster hardware at this configuration will NOT help.
There are a lot of ‘WordPress Specialist’ web hosts. Without exception they will be relatively expensive for the actual server configuration they provide, but they offer a service as well, often including specially configured for WordPress (faster) servers. If you have the budget and lack the skills, these type of host are the best choice; you might wish to check out the Dreamhost DreamPress 2 server deals.
Forget all the special ‘free’ hosting deals. The same goes for ‘shared hosting’ deals. I am assuming that you can’t afford a complete physical server (and they often don’t have a managed service option anyway). A less expensive type of server is a ‘Cloud Server’; this means that your site does not reside on one machine, but shares its resources across a lot of physical machines. This is a much faster, cheaper and more reliable solution. Different hosts may use a different name for this type of package, but this is what you need.
Unless you have a big web site in mind, you will want to start with a Virtual Private Server (VPS) with a Unix operating System (such as Centos), Apache, MySQL and PHP. To make managing it easy, you will want WHM, cPanel and EasyApache installed. Most importantly, you will want a Managed Service. That means, when it goes wrong, you get help. But, beware, my experience over the last year makes me wary of Cloud Servers that use OnApp for management of the server; my sites used to have this and the server often crashed, leaving me offline for a day or more each time. On a budget look for OpenVZ and for performance at a price use KVM; here is a comparison. Right now, I have my own dedicated server, which I have to manage myself, which costs me $65 a month including a cPanel server license (which itself costs $30 a month in that $65), and I couldn’t be happier with the package that QuickPacket put together for me.
The bottom line is, less than US$30 per month is cheap for a VPS deal, once you factor in the cPanel licence and managed support. I have been through all manner of web hosts and deals over the years, so you might be wise to avoid all that heartache.
But we all like a deal, right? I tend to search through the Web Hosting Talk’s Hosting Offers forum, but the problem for most people is the overwhelming number of offers and who can you trust? My personal recommendation is Stablehost, who often do VPS deal coupons on the that forum, for example this offer gives 15% off the first invoice.
THIS SECTION IS UNDERGOING A COMPLETE RE-WRITE – DO NOT USE
Let’s now assume you have all that done. Download and install WordPress from wordpress.org. Follow the 5 minute guide in the codex, or watch any number of excellent videos on You Tube. That was easy. If you want some data to play with, search the WordPress Codex for Sample data, download the file and install it. You may get some errors when installing, but ignore them.
With you logged in to the WordPress back end, your basic WordPress installation already has three plugins; Akismet, Hello Dolly and (if you imported the sample data file) WordPress Importer. All three can be deactivated for now, and then delete Hello Dolly – you don’t need it.
Go to Appearances … Themes, you will see 3 themes called 2013, 2014 and 2015. 2015 will be activated as the current theme. Delete the other two, by clicking on the thumbnail of each, which will bring the theme option up in full, and the delete link is at the bottom left. Why? Themes can be hacked, so if you are not using them, delete them. You can always re-install them later if you need to.
To save you a lot of time doing the research, I have a core set of plugins I find useful and install to every site I make. To save time, install the WP Install Profiles plugin. Go to Plugins … Add New and type the name into the search box and hit enter. From the search results, click install for the plugin and at the next window click the Activate Plugin link. Now go to Plugins … Bulk Install Profiles. This is the settings page for WP Install Profiles In the plugins list, paste the list of plugins (the list in the screenshot is different, so don’t worry, use the list as it now is below) and click download. Go back to the plugins page and you can see the new list of plugins installed. So much easier than doing them one by one. Or, if you want, you can install these one plugin at a time, but that will take ages.
nginx-helper (only add this one if you have nginx reverse proxy installed)
To complete the installation;
Step 1. Check the option box at the left side of the header of the table of all the plugins, so that they are ALL checked
Step 2. Uncheck the Aksimet plugin.
Step 3. Uncheck Global Hide Toolbar Bruteforce
Step 4. Choose Activate in the dropdown Bulk actions select box.
Step 5. Click the Apply button.
Step 6. Deactivate the Install profiles plugin.
The Post Types Order plugin will require you to go to its settings and simply save the default settings. Then open the General Settings => Permalinks page. I prefer the postname, without category, to be the URL, so you can see that I have added /%postname%/ in the custom field. Save these settings, and return to the Plugins page. There may be other error messages, but we will ignore these for now. In my next post, I will go through any changes that I would suggest you make to these plugins.
You are already on your way to build a self-hosted WordPress site.
There are two types on installation of WordPress.