Skipping the hosts file and Apache sections, I roughly followed the Arch Linux Wiki WordPress page by firstly installing WordPress:
pacman -S wordpress
With Nginx already configured to work with PHP, I added the following server section to the Nginx config after which I let Certbot add the SSL certificate lines:
server { listen 443 ssl; listen [::]:443 ssl; server_name maf.moe; root /usr/share/webapps/wordpress; location / { try_files $uri $uri/ /index.php$is_args$args; index index.php; } location ~ ^/wp-json/ { rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last; } include php.conf; }
As I was getting an error message of “The editor has encountered an unexpected error.” preventing me from creating new posts, I added the try_files and rewrite lines as mentioned on this GitHub issue.
Next I created a MariaDB database and user for WordPress:
create database wordpress; grant all privileges on wordpress.* to "wp-user"@"localhost" identified by "<SECRET SECRET PASSWORD>"; flush privileges;
To let WordPress create its config file, I ran:
chown http:http -R /usr/share/webapps/wordpress/
As of version 7.4 php-fpm
is hardened, making /usr read-only. For this I created an override.conf file for php-fpm
:
systemctl edit php-fpm.service
And added the following lines to it:
[Service] ReadWritePaths = /usr/share/webapps/wordpress
After restarting php-fpm.service, I just let WordPress do the rest from the setup page which in my case was shown at https://maf.moe.
To prevent other users on the system from seeing the config file it creates containing the database password, I ran:
chmod 640 /usr/share/webapps/wordpress/wp-config.php
As I don’t want WordPress updating itself I then lock everything down further by keeping the ownership of the files as follows:
chown root:root -R /usr/share/webapps/wordpress/ chown root:http /usr/share/webapps/wordpress/wp-config.php chown http:http -R /usr/share/webapps/wordpress/wp-content/
This allows WordPress to only write to the config file and into the wp-content directory to add media and give plugins write access to their own directories, e.g. Enlighter wants to write to a cache directory in its plugin directory. Although WordPress is able to write into the plugins and themes directories, this doesn’t seem to be enough to install plugins and themes from the web interface though because a window pops up asking for FTP credentials. To get around this I just change the ownership of everything in the /usr/share/webapps/wordpress/ directory temporarily back to http:http because I’m too lazy to do the installations manually.
Looks nice, good luck with your new blog!’; DROP DATABASE WORDPRESS