WHM/cPanel optimised WordPress hosting

This is what you do if you don’t use AWS yet.

getting started

ssh setup

OK, so first we get set up to log in.

Tip: block SSH at the firewall and use only the WHM or AWS console features.

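#create key file, then restrict it to your user (ssh refuses keys that others can read)
chmod 600 keyfile
#-K stores the key passphrase in the macOS keychain
ssh-add -K keyfile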

OK, so log in and then install CSF (ConfigServer Security and Firewall).

csf install

wget https://download.configserver.com/csf.tgz
tar xfz csf.tgz
cd csf
sh install.sh
#disable TESTING mode by setting the value to "0" (nano /etc/csf/csf.conf), or do it from the command line:
sed -i 's/TESTING = "1"/TESTING = "0"/g' /etc/csf/csf.conf
csf -r

WHM configuration

  • system update
  • cPanel/Upgrade to Latest version
  • SQLServices/MariaDB upgrade

easy apache

  • enable modules eg http2, mod_security2
  • remove old php and install php7.3 with opcache
  • change default to php7.3, turn on php-fpm
  • apply performance and security config from https://github.com/h5bp/server-configs-apache to base configuration

Security

install OWASP ModSecurity Core Rule Set V3.0 

  • enable WHM >> Home >> Security Center >> ModSecurity™ Vendors
  • turn on rules engine in WHM >> Home >> Security Center >> ModSecurity™ Configuration
  • review Plugins, ConfigServer Security and Firewall >> Check Server Security
  • review WHM >> Home >> Security Center >> Security Advisor

WHM tweaks and additional settings

  • Restrict document roots to public_html – off
  • Compiler Access – disable
  • WHM turn on AutoSSL

EMAIL

see also https://jonmoblog.wordpress.com/2019/11/17/how-to-deliver-email/ 

php ini settings and FPM – adjust as appropriate eg:

  • memory_limit
  • post_max_size
  • upload_max_filesize

Additional installs

#redis install + php redis extension

# https://tecadmin.net/install-redis-centos/

yum install epel-release
yum install redis
systemctl enable redis
systemctl start redis
#remember to use the path to the pecl binary for your php version
#(igbinary-devel dropped from the list: it is not a PECL package)
/opt/cpanel/ea-php74/root/usr/bin/pecl install igbinary redis
#or use the WHM PECL manager to install the php redis extension
#add to csf pignore:
echo 'exe:/usr/bin/redis-server' >>/etc/csf/csf.pignore

#optionally, disable redis disk cache
redis-cli config set save ""
redis-cli config set appendonly no
redis-cli config rewrite
redis-cli shutdown 
systemctl start redis
redis-cli config get save
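
The two CSF edits above (the sed that turns off TESTING mode and the echo that appends to csf.pignore), written so they check their own result. This is an added example, not part of the original post; the function names csf_disable_testing, pignore_add and demo are hypothetical, and the demo runs on constructed sample files.

```bash
#!/bin/bash
# Added example, not from the original post. Paths are arguments so the
# functions can be tried on copies before touching /etc/csf.

# Set TESTING = "0" and confirm it. `sed -i` exits 0 even when nothing
# matched, which would silently leave CSF in testing mode.
csf_disable_testing() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    cp -p "$conf" "$conf.bak"            # keep the previous version
    # Tolerate any spacing around "="; TESTING_INTERVAL is not matched.
    sed -E 's/^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"[^"]*"/TESTING = "0"/' \
        "$conf.bak" > "$conf"
    if grep -q '^TESTING = "0"' "$conf"; then
        return 0
    fi
    echo "TESTING is not \"0\" in $conf" >&2
    return 1
}

# Append an entry to csf.pignore only if that exact line is not present,
# so re-running the setup does not pile up duplicates.
pignore_add() {
    file=$1
    entry=$2
    grep -qxF -- "$entry" "$file" 2>/dev/null || printf '%s\n' "$entry" >> "$file"
}

# Demo on constructed sample files (not a real csf.conf).
demo() {
    d=$(mktemp -d)
    printf 'TESTING  =  "1"\nTESTING_INTERVAL = "5"\n' > "$d/csf.conf"
    csf_disable_testing "$d/csf.conf" && echo "testing mode off"
    pignore_add "$d/csf.pignore" 'exe:/usr/bin/redis-server'
    pignore_add "$d/csf.pignore" 'exe:/usr/bin/redis-server'
    echo "pignore lines: $(wc -l < "$d/csf.pignore")"
    rm -rf "$d"
}
demo
```

On the server this would be called as csf_disable_testing /etc/csf/csf.conf && csf -r, so the firewall is only reloaded once the change is confirmed.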

#nginx Engintron install

see: https://github.com/engintron/engintron

#certificate checking is left on (no --no-check-certificate) because this script is run as root
cd / && rm -f engintron.sh && wget https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh && bash engintron.sh install

#wp-cli install

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
php wp-cli.phar --info
chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp
wp --info

#ImageMagick install

yum install pcre-devel ImageMagick ImageMagick-devel 
/usr/bin/convert --version
#install the imagick php extension via WHM >> Software >> Module Installers >> PECL, or:
/opt/cpanel/ea-php74/root/usr/bin/pecl install imagick

#opcache tweaks

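#to avoid excessive disk access set opcache.validate_timestamps=0
#(changed php files are then only picked up after a cache reset or php-fpm restart):
nano /opt/cpanel/ea-php74/root/etc/php.d/10-opcache.ini
; lines for 10-opcache.ini (ini comments start with ";", "#" is not a comment in php 7 ini files)
opcache.memory_consumption=128 ; MB, adjust to your needs
opcache.max_accelerated_files=10000 ; adjust to your needs
opcache.max_wasted_percentage=10 ; adjust to your needs
opcache.validate_timestamps=0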

#additional, solution specific

  • consider adding commonly changing files to blacklists eg: opcache.blacklist_filename=/opt/cpanel/ea-php74/root/etc/php.d/opcache*.blacklist
  • add a web page link for cache reset and include it in maintenance jobs

 

part of a series on cPanel migration to AWS
