Securely installing WordPress

WordPress unfortunately can be a target or entry point for server compromise (given the large number of untested plugins available).

There are a number of different ways of using WordPress in conjunction with your Magento store,

  • Subdomain (eg. blog.example.com)
  • Subdirectory (eg. example.com/blog)

However, ensuring that your WordPress installation is secure and isolated from your Magento installation requires a little extra configuration. That isolation is what ensures that even if WordPress is compromised, your Magento store will remain secure and unaffected.

Securing WordPress (standard)

By Subdomain

If you wish to use a subdomain for WordPress (eg. blog.example.com) then the most secure method is to use an isolated domain-group with a dedicated vhost for the subdomain.

Contact the support team to request an additional domain-group and vhost.

By Subdirectory

If you wish to use a subdirectory for WordPress (eg. www.example.com/blog) then the most secure method is still to use an isolated domain-group with a dedicated vhost, but it requires a small amount of extra configuration on the main domain itself.

In ___general/example.com.conf you should add (adjust /blog to suit),

# Hand /blog (and everything below it) to the isolated WordPress vhost.
# Note: the prefix ^/blog also matches paths such as /blogs; use ^/blog(/|$) if that matters.
location ~* ^/blog {
  proxy_pass https://blog.example.com;
}

You'll notice that an alternative domain is used for the blog. This is required so that the domain-group has a vhost it can be configured with, similar to the subdomain method above. However, the subdomain itself isn't actually used; the blog will be accessed via the subdirectory URL (www.example.com/blog).

Contact the support team to request an additional domain-group and vhost.

For the WordPress installation, create a directory called blog inside the document root of the new domain-group/vhost and install WordPress into that directory. Then, following the WordPress installation, change the URL in WordPress from blog.example.com to www.example.com/blog.

Securing WordPress (Fishpig)

The Fishpig module requires access to your WordPress directory in order to serve content. However, this isn't possible in this configuration, as WordPress is isolated from your store, so some webserver configuration is required to allow the content to be served.

Eg. to use Fishpig on https://www.example.com/blog, with WordPress installed in the default directory /wp and the secure vhost as https://blog.example.com:

  • Install the Fishpig module and configure it with your WordPress database credentials
  • In your WordPress admin configure your URLs,
      • Set the site address to the blog route which is served by the Fishpig module,

        Site Address (URL): https://www.example.com/blog
      • Set the WordPress address to match the directory name of the installation,

        WordPress Address (URL): https://www.example.com/wp
  • In your main installation vhost configuration file ___general/example.com.conf, define a pass-through so content can be served from the /wp URL,

    location ~* ^/wp/ {
      proxy_pass https://blog.example.com;
    }

    ! A valid DNS record for blog.example.com is required prior to making this change (Nginx resolves the proxy_pass hostname when the configuration is loaded and will refuse to reload if it cannot be resolved)

  • In your secure WordPress vhost configuration file ___general/blog.example.com.conf, add,

    location /wp {
      try_files $uri $uri/ @wp;
    }
    location @wp {
      rewrite . /wp/index.php last;
    }
  • Reload Nginx to apply the changes
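The fragments above, assembled into the two complete server blocks for the Fishpig layout, as an added example that is not part of the original documentation or the hosting platform's own vhost templates. Certificate paths, document roots, the PHP-FPM socket and the store's IP address (203.0.113.10) are placeholders, and the client-address forwarding (X-Real-IP / realip) is an addition beyond the page's fragments.

```nginx
# ___general/example.com.conf : the Magento store vhost (www.example.com)
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /path/to/www.example.com.crt;   # placeholder
    ssl_certificate_key /path/to/www.example.com.key;   # placeholder
    root /path/to/magento/pub;                          # placeholder Magento root

    # /blog is NOT proxied: it is the Fishpig route, rendered by Magento.
    # Only the WordPress Address (/wp/) is handed to the isolated vhost.
    # nginx resolves blog.example.com when the config is loaded, so the
    # DNS record must exist before this is reloaded.
    location ~* ^/wp/ {
        proxy_pass https://blog.example.com;
        # Added: forward the real visitor address so the WordPress access
        # log and any login rate-limiting see the client, not the store.
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # ... the usual Magento locations follow (unchanged) ...
}

# ___general/blog.example.com.conf : the isolated WordPress vhost
server {
    listen 443 ssl;
    server_name blog.example.com;
    ssl_certificate     /path/to/blog.example.com.crt;  # placeholder
    ssl_certificate_key /path/to/blog.example.com.key;  # placeholder
    root /path/to/blog-domain-group/htdocs;             # placeholder; WordPress is in /wp
    # Trust X-Real-IP only when the request comes from the store (placeholder IP).
    set_real_ip_from 203.0.113.10;
    real_ip_header   X-Real-IP;

    location /wp {
        try_files $uri $uri/ @wp;
    }
    location @wp {
        rewrite . /wp/index.php last;
    }
    location ~ \.php$ {
        # Placeholder PHP-FPM pool: run it as a user that cannot read the
        # Magento document root; that separation is what keeps a compromised
        # WordPress away from the store.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/blog.sock;
    }
}
```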

Further Security

Hardening WordPress is an incredibly good idea, and it is recommended to follow the guidelines set out by WordPress here.

You can secure the WordPress admin using the instructions found here.