• I plan on using the latest version of WordPress, but before I work through the documentation for installing a multi-domain WordPress site, I have some questions.

    1) I am going to begin by simulating a multi-domain system by adding what look like domain names to the hosts file on both the servers and a few client virtual machines. But, if I spend time on creating a quantity of material, for the purpose of testing, what would be needed to simply make all that content available on a real domain, if and when I buy a domain name for it? Is there a best procedure to do this, so I do not have to recreate all that content?

    2) I want to support a searchable archive, to which links can easily be made using whatever editor is built into WordPress (e.g. a document archive that contains all the documents an author has relied on to support the claims he makes, and to which other authors can link, in either critiquing the first author’s material or to do a different analysis (part of the idea is that it would be silly to store the same reference material independently for each author, and part to ensure that all authors dealing with a given topic have a common base of reference material on which they can rely – and of course, extend)). I know a guy who says he can develop such a thing (or advise me on how to do it – as I program web applications using Perl while he prefers PHP – and he is something of a WordPress guru), but is there an existing plugin that comes close to supporting what I need, that I could extend; or do I have to develop something de novo?

    3) I plan on installing OFBiz on the same server, to handle e-commerce transactions associated with subscribing to material the authors have decided to make available for a fee. Is there any potential issue that might arise by having both accessible on the same Apache httpd server?

    4) What would be necessary to ensure that all content is available only over SSL or TLS?

    5) What safeguards are in place in WordPress to protect against various web attacks (such as attacks involving injection of shell scripts, or of malevolent SQL statements, using the various forms WordPress must use)? Or should I begin investigating the potential of using something like mod_rewrite or mod_security to provide some protection?

    Thanks

    Ted

Viewing 3 replies - 1 through 3 (of 3 total)
  • 1) No, you can only transfer the specific tables from phpMyAdmin and the uploads and themes folders.

    2) Use different directories. You can obviously combine a custom PHP webpage…there are a lot of WordPress functions that will run fine. Yes, you need to code a bit yourself.

    3) It’s better to avoid such a setup because obviously the risk of SQL injection increases.

    4) htaccess can redirect to SSL. WP Super Cache (if you use it) needs to be tweaked manually. You have to use a CDN that has an SSL / https URL; otherwise you will get a mixed content error. The site’s URL should be changed from http:// to https:// on the WordPress settings page. Please check my guide on the HTTPS part of the make.wordpress.org handbook – http://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress/

    (Please provide feedback if more needs to be added)

    5) It’s better to use a Fully Qualified Domain Name with SSL for MySQL instead of the popular ‘localhost’ configuration. It’s easy to move while under attack.
    There are a lot of points that have been discussed many times on wordpress.org and by good bloggers. Two are important:

    http://codex.wordpress.org/Hardening_WordPress

    Also read the articles on php.net and perishablepress.
    SQL injection is possibly the most dreaded situation, but fortunately it happens less than thought. Never use plugins or themes from a questionable source. mod_security can do less if the attack is within the files.
    Always keep everything fully updated – be it PHP or WordPress itself.
    Most attacks are JavaScript exploits, which usually come from third-party development.

    Thread Starter ted.byers (@tedbyers)

    Thank you Sir,

    I greatly appreciate this.

    I am now thinking that perhaps I may use a web server exposed to the web as a reverse proxy server, and have it direct requests to distinct web servers that hide behind my firewall. And for my common archive, I may contract my friend to help develop a suitable plugin, and use, as my usual standard protocol requires, a code walkthrough to verify quality. I do this anyway with staff, so this won’t be any different. I am assuming that PHP and Perl are sufficiently similar that I won’t have trouble understanding the PHP code.

    I have some follow-up questions, in part for material supplementary to what you say here and on the pages to which you refer.

    1) When I went to install WordPress from Ubuntu 12.10’s Software Center (I do not know if that is recommended), after having set up Apache as I usually do (including use of MPM – I am not sure, now, if mod_MPM is necessary, since later versions of Apache are multi-threaded), I got an error message saying that WordPress won’t work properly with MPM enabled (a surprise given the benefits of MPM and the fact that WordPress is so widely used). Given that MPM is highly desirable for performance, what do you think about a) why WordPress doesn’t like MPM (or maybe it is just the package configuration that Ubuntu used), and b) use of reverse proxy (both for performance/load balancing and possible security benefits)?

    2) You mention use of .htaccess, but much of what I have been reading, from rather recent sources, seems to prefer mod_rewrite. What is the difference?

    3) On the hardening wordpress page, reference is made to mod_security being tricky to configure, as well as the utility of OSSEC. However, no information is provided on how to use either, and no link is provided to a page or pages that describe how to use either well. Do you have information about, or a link to pages that describe, using either or both well? I am just beginning to study mod_security (and I have some resources already to facilitate that), but it would be very valuable to have a resource that documents how to use it well with WordPress (with comments on how use with WordPress may be different from use of mod_security generally, as in protecting web applications one develops oneself). And I have no knowledge at all of, or resources for learning about, OSSEC (that is, apart from OSSEC’s website).

    I would appreciate any additional information you can provide.

    Thanks again,

    Ted

    I am now thinking that perhaps I may use a web server exposed to the web as a reverse proxy server

    You can use any PaaS like Heroku Cloud or AppFog or OpenShift within the free quota for testing or development. Basically all give git access through the CLI. With Heroku, you will get easy access to bash commands. You can add any Apache modules, for example, to tailor it to your needs.

    Definitely you can use any normal web server, but that actually is not free…

    1) There is no ‘recommended’ distro of Linux; you can use any you are used to. Usually people use Debian (and Ubuntu now, as it actually has good official and unofficial documentation), or CentOS as a free option for RHEL.
    PHP, for the WordPress part only, is actually easy.

    mod_MPM is not necessary. But the phenomenon you observed is real. Debian or Debian derivatives like Ubuntu do throw 404s (practically a kind of random 404) with WordPress. There is an issue with the permissions of certain WordPress files. It is not Ubuntu’s issue, as the issue is also with the grandfather Debian; the issue is with WordPress-specific files including wp-config.php.

    It’s possibly not right to state my personal opinion about WordPress. But I think the backend (both for the Apache webserver part and the database server part) is not optimized for modern / currently available technologies. WordPress does not even support anything other than MySQL. You can read an interesting post:

    http://wordpress.org/support/topic/mysql-or-mysqli-is-best?replies=24

    mod_MPM works fine with RHEL. I use that $use_flock=true in some cache plugin in WordPress. It’s a manual override and yes, the performance is excellent. It is a kind of double-edged sword setup. mod_prefork_mpm and all possible tweaks are on and it consumes a huge amount of memory as the WordPress cache plugin (WP Super Cache) serves HTML webpages. I personally think that, for such a setup, it is better to go for a good managed host; as frankly you know the known previous issue with mod_security-2.6.x.

    The test results I posted in the above thread were with mod_MPM on RHEL. Practically you can see, as expected, mod_MPM with load balancing working fine. Load balancing cannot be shown in this way though, but at least it’s fine; otherwise we would get some sort of error.

    2)

    You mention use of .htaccess, but much of what I have been reading, from rather recent sources, seems to prefer mod_rewrite. What is the difference?

    mod_rewrite is preferred. It is better to keep .htaccess light.

    3) mod_security and WordPress: mod_security and WordPress have a very bad relationship. From what I understood in general, it has conflicts with AJAX. You can see Tony’s kind of experiment:

    http://tonyonsecurity.com/2012/08/07/uninstall-modsecurity-wordpress-challenges/

    It’s not you or me, it’s a lot of people who have confusion with mod_security. This person described a fix in a somewhat more elaborate way:

    http://www.thefanclub.co.za/how-to/how-disable-modsecurity-rules-drupal-and-wordpress

The topic ‘Preparation for multi-domain install’ is closed to new replies.