Setting up WordPress on Arch Linux with Nginx

Skipping the hosts file and Apache sections, I roughly followed the Arch Linux Wiki WordPress page by first installing WordPress:

pacman -S wordpress

With Nginx already configured to work with PHP, I added the following server section to the Nginx config, after which I let Certbot add the SSL certificate lines:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name maf.moe;
    
    root /usr/share/webapps/wordpress;
    
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
        index index.php;
    }

    location ~ ^/wp-json/ {
        rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
    }
    
    include php.conf;
}

As I was getting the error message “The editor has encountered an unexpected error.”, which prevented me from creating new posts, I added the try_files and rewrite lines as mentioned on this GitHub issue. The block editor talks to the REST API under /wp-json/; the try_files line hands unknown paths to index.php, and the rewrite maps /wp-json/... to index.php?rest_route=/... so the API also works without pretty permalinks.

Next I created a MariaDB database and user for WordPress:

CREATE DATABASE wordpress;
CREATE USER 'wp-user'@'localhost' IDENTIFIED BY '<SECRET SECRET PASSWORD>';
GRANT ALL PRIVILEGES ON wordpress.* TO 'wp-user'@'localhost';
FLUSH PRIVILEGES;

To let WordPress create its config file, I ran:

chown http:http -R /usr/share/webapps/wordpress/

As of version 7.4, Arch's php-fpm.service unit is hardened and its ProtectSystem= setting makes /usr read-only for the service, so php-fpm cannot write the config file there even though the directory belongs to http. For this I created an override.conf file for php-fpm:

systemctl edit php-fpm.service

And added the following lines to it:

[Service]
ReadWritePaths = /usr/share/webapps/wordpress

After restarting php-fpm.service, I just let WordPress do the rest from the setup page, which in my case was shown at https://maf.moe.

To prevent other users on the system from reading the config file it creates, which contains the database password, I ran:

chmod 640 /usr/share/webapps/wordpress/wp-config.php

As I don’t want WordPress updating itself, I then lock everything down further by setting the ownership of the files as follows:

chown root:root -R /usr/share/webapps/wordpress/
chown root:http /usr/share/webapps/wordpress/wp-config.php
chown http:http -R /usr/share/webapps/wordpress/wp-content/

This leaves WordPress able to read its config file (root:http, mode 640) but write only into the wp-content directory, where it adds uploaded media and where plugins get write access to their own directories, e.g. Enlighter wants to write to a cache directory in its plugin directory. Although WordPress is able to write into the plugins and themes directories, this doesn’t seem to be enough to install plugins and themes from the web interface, because a window pops up asking for FTP credentials: WordPress only writes files directly when a temporary file it creates in the target directory ends up owned by the same user as its own PHP files, and with those files owned by root that check fails, so it falls back to asking for FTP. To get around this I just change the ownership of everything in the /usr/share/webapps/wordpress/ directory temporarily back to http:http because I’m too lazy to do the installations manually. The usual way to skip that ownership check instead is define('FS_METHOD', 'direct'); in wp-config.php; with the ownership above it lets plugin and theme installs through, while core updates still fail on the root-owned files.
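The lockdown above, its temporary reversal for installing plugins, and a check that the web server user really cannot write anywhere outside wp-content, as an added example that is not part of the original post. The paths and the http user are the post's values; WP_ROOT and WP_USER can be overridden for other setups, and the audit relies on GNU/POSIX find only (no WordPress tooling):

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the post's layout:
# WordPress under /usr/share/webapps/wordpress, php-fpm running as "http".
set -eu

WP_ROOT=${WP_ROOT:-/usr/share/webapps/wordpress}
WP_USER=${WP_USER:-http}

# lock_down ROOT USER: code owned by root, wp-config.php readable by USER's
# group only, wp-content owned by USER. Modes are normalised so nothing is
# group- or world-writable; inside wp-content the owner (USER) can still write.
lock_down() {
    root=$1 user=$2
    chown -R root:root "$root"
    chown root:"$user" "$root/wp-config.php"
    chmod 640 "$root/wp-config.php"
    chown -R "$user:$user" "$root/wp-content"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" -exec chmod 644 {} +
}

# unlock ROOT USER: the temporary "hand everything to http" state the post
# uses for installing plugins and themes from the web interface.
# Run lock_down again afterwards.
unlock() {
    chown -R "$2:$2" "$1"
}

# audit_writable ROOT USER: print every path outside wp-content that USER can
# modify: owned by USER (an owner can always chmod and write), world-writable,
# or group-writable with USER's primary group. Empty output means locked down.
audit_writable() {
    root=$1 user=$2
    grp=$(id -gn "$user")
    find "$root" -path "$root/wp-content" -prune -o \
        \( -user "$user" -o -perm -0002 -o \( -group "$grp" -perm -0020 \) \) \
        -print
}

# Usage: ./wp-perms.sh lock | unlock | audit (no argument: do nothing).
case "${1:-}" in
    lock)   lock_down "$WP_ROOT" "$WP_USER" ;;
    unlock) unlock "$WP_ROOT" "$WP_USER" ;;
    audit)  audit_writable "$WP_ROOT" "$WP_USER" ;;
esac
```

Run `./wp-perms.sh audit` after every `lock` (and after restoring from `unlock`): anything it prints is a file or directory the php-fpm user could alter outside wp-content, which is exactly what the root ownership is meant to rule out. Directories are listed too, since a writable directory lets the web server drop new files into it.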