WordPress on Azure

This morning this site did not exist, this server did not exist, this domain was not connected and we had no certificate for it. In under 5 hours I created them all, together with installing, activating and testing 26 WordPress plugins, including creating Google Analytics and Google Search Console accounts for the domain and connecting them to WordPress. I had various technical problems on the way, but after about 5 hours it was all done and ready. Our company’s goal, and mine in particular, is to learn whatever is necessary as quickly as possible to achieve what is required at the highest possible level. I will now share with you my experience of creating this site.

I studied for an MSc in theoretical mathematics (link) and it made me like organizing information in bullets, so here you go:

  1. Creating the server in Azure
    1. Our startup is part of the BizSpark program, which gives you 5 MSDN subscriptions with $150 in monthly Azure credits. I have an email which was given one of the subscriptions and I wanted to create the Azure server in that subscription.
    2. I logged in to the Azure portal and chose the best affordable Windows server under $150. There is a 2-core, 7 GB RAM server at about $130, so I chose it, and then suddenly I got an error that I have no subscription.
    3. It turned out that assigning the MSDN subscription to the email wasn’t enough; I had to log in to the Visual Studio subscription area and activate the $150 Azure bonus.
    4. So I did that, and this time creating the server worked (during creation I chose a static IP).
  2. Connecting the domain to the server and generating and installing the certificate
    1. I connected to our domain provider. There were many DNS records for the domain, so I deleted all except the NS (name server) records, the CNAME of www to @ (mapping www to the domain without the www) and the A record (mapping the domain to an IP), changed the IP to the public static IP of the Azure machine and saved it. Now the DNS is connected to the machine.
    2. I come from a security background (my infosec blog), so I knew our site was going to work over https, of course, and not http, so I had to create a certificate.
    3. This site: https://zerossl.com/free-ssl/#crt lets you create a free certificate for your domain which will be trusted by most browsers, which is good enough for most cases. It is very simple, and to prove that the domain is yours it required me to create TXT records in the domain provider’s DNS records management, and that’s about it. It gave me a crt and a key.
    4. To install a certificate easily on Windows I prefer a pfx file, so I had to convert the crt and key files to pfx. How? With openssl, using the command: openssl.exe pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx
    5. Now I had a pfx certificate, but to install it on the server I needed to transfer the pfx file to the server.
    6. The Azure portal provides a file sharing option to transfer big files quickly, but if you want to transfer a very small file without preparing the file sharing, you can just use the drive mapping of the Windows RDP client (mstsc).
    7. In the Azure portal, pressing the connect button of the machine downloads an rdp file which lets you connect to the server using the RDP protocol. The problem is that clicking on the file connects immediately and does not let you configure the connection to add the drive mapping. There are probably many solutions, but the easiest one I thought of was this: I ran the “mstsc” command, created the mapping in the interface and then saved the connection to a file. Then I opened the created rdp file in notepad++, searched for the line related to the mapping and copied it to the rdp file downloaded from Azure (I didn’t have to keep working with the Azure rdp file, but I wanted to work with it because it is the standard way, which might prevent some extreme cases which would waste my time).
    8. Now, after updating the rdp file and connecting to the server with RDP, I had the drive mapping as desired. IMPORTANT NOTE: For security reasons I didn’t want to map my hard drive, so I created a virtual drive on my computer mapped to a shared folder, and that is the shared drive. You don’t want to share your whole main drive, to prevent malicious access to it just in case. To create the virtual drive, first share the desired folder (it can be just an empty folder where files will pass through), then in My Computer click on “map network drive” and map it to \\localhost\sharename, and then map that drive in the RDP file.
    9. OK, so now that I had a simple way to transfer a file using RDP, I transferred the pfx file and installed it on the server into the machine’s personal certificate store so that it can be used by the web server.
  3. Preparing the IIS
    1. I like my IIS sites in their own folder and not in inetpub wwwroot, and I don’t like them to be called “default site”, so I deleted the default site and default application pool and created a new site pointing to the wwwroot of another folder I created. You just need to make sure IIS_IUSRS has read & execute permissions on that folder.
    2. Now, even though the site is on https, I don’t want users to fail to find the site when arriving over http or without www, so I downloaded URL Rewrite 2 from the IIS Web Platform Installer and edited web.config to add rules for redirecting from http to https and from fokoya.com to www.fokoya.com.
    3. As the last step, for security reasons I removed the site’s HTTP trace support, which if enabled could help attackers bypass http-only protection and read cookie values using javascript.
  4. Installing WordPress
    1. Creating a Windows Server machine in Azure brings it without IIS. You need to install the web role on the server. So in Server Manager I installed the web role, while also installing some useful stuff like the telnet client, .NET 3.5 and a few more, and some optional web role features like WebSockets support, custom logging and some other logging stuff, IP restrictions, basic authentication and a few more (ping me if you want the full list). I remembered that installing PHP on IIS usually requires CGI, so I installed it too.
    2. Now I followed the official instructions here to install WordPress, but there were some problems.
    3. First of all, downloading the Web Platform Installer through IIS on the server opened the server’s hardened Internet Explorer, which blocks all domains by default and gave me a hard time, so I wanted to install Chrome on the server. For the same reason I couldn’t just download Chrome with Internet Explorer, because it’s blocked too. NOTE: I didn’t want to remove the security from Internet Explorer, so that was not a possible solution for me. So I downloaded Chrome on my own computer, transferred it through RDP again to the server and installed it, and through it installed the Web Platform Installer on the server and also notepad++, which will later help edit files.
    4. Now, according to the instructions in the link, I searched for “wordpress” in the Web Platform Installer and clicked to install it. You would think that would work, right? Well, it didn’t. It downloaded everything and installed all except MySQL, and was stuck for 30 minutes on the last step of installing MySQL.
    5. In such cases I always download Sysinternals procmon (Process Monitor) to check if there is any activity from the installer or if it’s stuck without doing anything. I ran procmon and didn’t see any activity, so I guessed there was no point waiting anymore and pressed the “cancel” button and waited a little again, but nothing happened, so I killed the Web Platform Installer from Task Manager.
    6. To my surprise, I saw in the start menu that MySQL was installed. So I guess there was just some bug in the web installer which didn’t notify it that the installation was over. I was lucky that the cancel button didn’t do anything. I tested the MySQL client and it seemed to work, so it seemed like MySQL was installed well.
    7. But the funny thing is that WordPress was not installed. I remembered that when I started installing WordPress with the Web Platform Installer it asked me if I would like to use a local database or to install a new MySQL. So I guessed that maybe now I could install WordPress again using the Web Platform Installer and choose the existing MySQL, and then it would not get stuck in the MySQL installation. So I did it and it worked, and it came to the WordPress configuration part in the Web Platform Installer.
    8. The tutorial advised generating the keys here; however, it turns out the generated keys contain dollar signs, which are not allowed in the Web Platform Installer, so I had to replace them with another character.
    9. Other than that, WordPress was now installed.
  5. Configuring wordpress and its plugins
    1. In the WordPress installation tutorial they said to choose the desired permalink format in the WordPress settings; however, after changing the format the post links returned 404 errors. It turns out that WordPress failed to update the web.config rewrite rule, so adding a rule like here fixed the problem.
    2. Now that the site was ready I wanted to enhance its powers with some plugins, so I googled a few recommendations about WordPress plugins, looked at their abilities to check what is good for us and ended up installing 26 WordPress plugins:
      1. Activity Log
      2. Antispam Bee
      3. Autoptimize
      4. Disable comments
      5. Display Widgets
      6. Download manager
      7. Duplicator
      8. Easy updates manager
      9. Elementor
      10. Elementor popups
      11. Form maker
      12. Google analytics for wordpress by monsterinsight – created google analytics account and connected it to the plugin to see analytics inside wordpress admin interface
      13. iThemes Security
      14. Login Lockdown
      15. Ninja Forms
      16. OptinMonster API
      17. Popup Maker
      18. Recent Posts widget with thumbnails
      19. Redirection
      20. Regenerate thumbnails
      21. Theme check
      22. W3 total cache – later I found out that it incredibly slowed down the site so I deleted it
      23. wordfence security – real nice to get notifications on server files changes
      24. WP-Mail-SMTP
      25. WP-Members
      26. WPForms Lite
      27. Yoast SEO – and created google search console account, proving domain ownership with TXT dns record, and connected it to Yoast to see google search console information in the wordpress admin interface
      28. Site Editor – really nice plugin allowing to turn theme and page editing experience into drag&drop
      29. WP Statistics – gives statistics without needing to connect google analytics, need to enable geoip and more in settings -> external to see more information
      30. Caldera Forms
    3. Out of this list, the plugins which stood out are:
      1. Activity log
      2. Elementor
      3. Elementor popups
      4. Wordfence security
      5. Yoast SEO
      6. WP Statistics
      7. Google analytics for wordpress by monsterinsight – has countries information which does not appear
      8. Caldera Forms
      9. Duplicator
    4. After working a little with the plugins I found out that:
      1. Some plugins really slow down the site such as the W3 total cache plugin
      2. Having plugins installed, even if disabled, still makes the code go through them (I saw it running procmon on the server)
      3. Better not to install/activate plugins which are not used or which don’t serve their purpose well
    5. It turns out that one of the main things which give a wordpress site its customization abilities is the theme. Here are the free themes with the most stars in github:
      1. https://github.com/Obox/layerswp – 601 stars
      2. https://github.com/presscustomizr/hueman – 429 stars – we chose it, it’s great
      3. https://github.com/raamdev/independent-publisher – 349 stars
      4. https://github.com/puikinsh/Sparkling – 325 stars
      5. https://github.com/dimsemenov/Touchfolio – 306 stars
      6. https://github.com/tareq1988/wedocs – 275 stars
      7. https://github.com/ryelle/Foxhound – 192 stars
      8. https://github.com/Vtrois/Kratos – 188 stars
    6. It’s best to create your own child theme and template to get full control of the site, see: https://www.smashingmagazine.com/2016/01/create-customize-wordpress-child-theme/
    7. Some comments about the plugins:
      1. Important to check plugin settings to remove the “help us by sending information” which some plugins turn on by default.
      2. Some plugins can’t manage to change files or tables, so you need to change the files manually; to change MySQL tables in a nice visual UI I installed MySQL Workbench.
      3. Many of the plugins require some tweaking after installation and they show messages which need to be dealt with, so if you install WordPress and give it to another person who is less technical, you should first work with WordPress for an hour or two to handle all those messages before considering the installation finished.
      4. If a plugin has no write permissions on some directory then the permissions should be given to IUSR user.
    8. If the server has enough RAM then consider changing php.ini memory_limit to 256M instead of default 128M.
    9. Configure mysql for better performance as explained here: https://haydenjames.io/mysql-query-cache-size-performance/
    10. You can look at C:\Windows\Temp\PHP56_errors.log for errors.
    11. Stop database name resolution and add security by changing the wp-config.php DB host from localhost to 127.0.0.1 and setting the MySQL my.ini config to listen on 127.0.0.1 by adding bind-address=127.0.0.1, skip-host-cache and skip-name-resolve. Before adding skip-name-resolve, for the database to keep working you need to update the users from localhost to 127.0.0.1 in the database by executing: UPDATE mysql.user SET host='127.0.0.1' WHERE user='root' AND host='localhost'; and UPDATE mysql.db SET host='127.0.0.1' WHERE user='root' AND host='localhost'; and executing the same for the other users besides root.
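
A preflight check for the loopback-only MySQL setup in the last item, as an added Python example that is not part of the original post. The sample my.ini, wp-config.php and account rows are constructed and the function names are hypothetical; it reports accounts that would stop matching once skip-name-resolve is on.

```python
import configparser
import re

# Constructed samples; the real files sit wherever MySQL and WordPress were installed.
MY_INI = "[mysqld]\nport=3306\nbind-address=127.0.0.1\nskip-host-cache\nskip-name-resolve\n"
WP_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_HOST', 'localhost');\n"
# Rows as returned by SELECT user, host FROM mysql.user (constructed).
ACCOUNTS = [("root", "127.0.0.1"), ("wpuser", "localhost")]

def mysqld_options(ini_text):
    """Parse [mysqld], accepting bare flags and either '_' or '-' in option names."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return {}
    return {key.replace("_", "-"): value for key, value in cp.items("mysqld")}

def check_loopback_setup(ini_text, wp_config_text, accounts):
    """Return findings for the loopback-only setup; an empty list means consistent."""
    opts, findings = mysqld_options(ini_text), []
    if opts.get("bind-address") != "127.0.0.1":
        findings.append("mysqld is not bound to 127.0.0.1")
    m = re.search(r"define\(\s*['\"]DB_HOST['\"]\s*,\s*['\"]([^'\"]*)['\"]", wp_config_text)
    db_host = m.group(1) if m else None
    # DB_HOST may carry a port, e.g. 127.0.0.1:3306.
    if db_host is None or db_host.split(":")[0] != "127.0.0.1":
        findings.append(f"wp-config.php DB_HOST is {db_host!r}, not 127.0.0.1")
    if "skip-name-resolve" in opts:
        # With name resolution off, a host column holding a name (such as
        # 'localhost') no longer matches clients arriving over TCP.
        for user, host in accounts:
            if any(ch.isalpha() for ch in host) and ":" not in host:
                findings.append(f"account {user}@{host} still uses a hostname")
    return findings

if __name__ == "__main__":
    for finding in check_loopback_setup(MY_INI, WP_CONFIG, ACCOUNTS):
        print("FINDING:", finding)
```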
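
For the redirect rules and the TRACE removal in step 3 (Preparing the IIS), an added Python example that is not the site's actual web.config: a constructed web.config with URL Rewrite rules and a requestFiltering verb denial, plus a small audit of it. The rule names and the use of requestFiltering to deny TRACE are assumptions, since the post does not say how trace support was removed.

```python
import xml.etree.ElementTree as ET

# Constructed sample; rule names and the requestFiltering approach are assumptions.
HARDENED = r"""<configuration><system.webServer>
  <rewrite><rules>
    <rule name="HTTP to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions><add input="{HTTPS}" pattern="off" ignoreCase="true" /></conditions>
      <action type="Redirect" url="https://www.fokoya.com/{R:1}" redirectType="Permanent" />
    </rule>
    <rule name="Bare domain to www" stopProcessing="true">
      <match url="(.*)" />
      <conditions><add input="{HTTP_HOST}" pattern="^fokoya\.com$" /></conditions>
      <action type="Redirect" url="https://www.fokoya.com/{R:1}" redirectType="Permanent" />
    </rule>
  </rules></rewrite>
  <security><requestFiltering><verbs>
    <add verb="TRACE" allowed="false" />
  </verbs></requestFiltering></security>
</system.webServer></configuration>"""
# Same file with TRACE left allowed, to show what the audit reports.
WEAK = HARDENED.replace('allowed="false"', 'allowed="true"')

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    ws = next((el for el in root if el.tag == "system.webServer"), None)
    if ws is None:
        return ["no <system.webServer> section"]
    def redirects_on(server_var):
        # True if a rule conditioned on server_var redirects to an https:// URL.
        for rule in ws.findall("rewrite/rules/rule"):
            inputs = {c.get("input") for c in rule.findall("conditions/add")}
            for act in rule.findall("action[@type='Redirect']"):
                if server_var in inputs and act.get("url", "").startswith("https://"):
                    return True
        return False
    checks = {"{HTTPS}": "no HTTP to HTTPS redirect rule",
              "{HTTP_HOST}": "no bare-domain to www redirect rule"}
    findings = [msg for var, msg in checks.items() if not redirects_on(var)]
    verbs = ws.findall("security/requestFiltering/verbs/add")
    if not any(v.get("verb", "").upper() == "TRACE"
               and v.get("allowed", "").lower() == "false" for v in verbs):
        findings.append("TRACE verb is not explicitly denied")
    return findings

if __name__ == "__main__":
    print(audit_web_config(HARDENED), audit_web_config(WEAK))
```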

That’s it! I hope you found this information useful and would be happy to get your questions and thoughts in the comments section.
