Wordpress MU

DeanDean Member

I've got some charitable non-profit friends looking to host websites and I thought one of the better ways for me to do this is to set up a Wordpress MU install.

I need to do this as cheap as possible but also as securely as possible.

I know there are alternatives out there offering it but I want to set up my own. I've done a quick search of LET and found people offering it in the past (like gatsby); but no real guides on how to do it.

I've worked out I'll need 2 VPSes in the same DC/Provider; one for serving content and one for database using internal IPs. I'm probably going to use Rage4 for DNS as I've got an unlimited account there.

Does anyone have any hints/tips/guides to getting it off the ground?

Comments

  • DeanDean Member

    Also what about CDN?

  • AbdussamadAbdussamad Member
    edited March 2015
    • Use key based authentication for SSH. Turn off passwords.

    • Run as little as possible. No FTP for instance. Use SFTP for uploading stuff.

    • Use fail2ban to prevent bruteforcing of WP passwords. You can install it as an mu-plugin

    • Create a subdomain based WP network. It is more flexible.

    Remember that a user account created on one site is a user account on every site in the network. Do you really want that? The database is also shared so that's a problem too.

  • Do you need help setting up the backbone? Or WordPress itself? You sound like you are going to run a really heavy traffic site with offload sql and cdn...

  • edited March 2015

    @DeanKamitsis said:
    I've got some charitable non-profit friends looking to host websites and I thought one of the better ways for me to do this is to set up a Wordpress MU install.

    I need to do this as cheap as possible but also as securely as possible.

    I know there are alternatives out there offering it but I want to set up my own. I've done a quick search of LET and found people offering it in the past (like gatsby); but no real guides on how to do it.

    I've worked out I'll need 2 VPSes in the same DC/Provider; one for serving content and one for database using internal IPs. I'm probably going to use Rage4 for DNS as I've got an unlimited account there.

    Does anyone have any hints/tips/guides to getting it off the ground?

    1. Don't allow SSH access. In fact, don't allow any direct access to the server by the friends. They can upload anything they need using web interface.

    2. Make sure plugins are updated. 99% of WordPress hacks are due to insecure/improperly coded/unmaintained plugins that people are still using.

    3. Do damage control if you get hacked. Disable Outgoing SMTP on port 25, send mail through external email provider (Mandrill, Mailgun/etc). Lots of hacked sites like spamming crap when they're hacked. Don't be one of them.

    4. Disable XMLRPC

    5. Depending on load, it might be advisable to set up a Varnish cache in front with w3-total-cache to allow flushing when needed.

    6. You also need a third server for storing backups.

    7. Offload as much content as possible. You are not Microsoft and have limited bandwidth/speed on your port. Use a CDN.

    8. Set up monitoring, and check for unusual conditions. It's a good indicator of whether your server has been hacked, or if it's time to add another server for load balancing.

    9. Depending on how much you are planning to spend, and if you are looking to expand, set up a cluster of cheap LEBs. Sometimes, it's cheaper and more reliable than one single VM. 1 HAProxy+Varnish and 3+ backends. Then you can pull one of the nodes off for maintenance or whatever and still be online. Your MySQL will not be lost as well if one of the nodes goes down.

    @DeanKamitsis said:
    Also what about CDN?

    KeyCDN/Amazon Cloudfront/CDNify

    For cheapness, use KeyCDN.

    Thanked by 1howardsl2
  • DeanDean Member

    Abdussamad said: Remember that a user account created on one site is a user account on every site in the network. Do you really want that?

    I hadn't actually realised that so thanks for bringing it to my attention.

    belinik said: do you need help setting up the backbone

    Yes, the backbone infrastructure.

    StartledPhoenix said: Don't allow SSH access.

    Yeah the only access that the administrators would get would be to login to their own WP-Admin.

    StartledPhoenix said: Make sure plugins are updated.

    I check daily already for most sites using MainWP

    StartledPhoenix said: Disable Outgoing SMTP on port 25

    How would this work for the ones wanting to receive notifications / form submissions?

    StartledPhoenix said: Varnish cache in front with w3-total-cache to allow flushing when needed.

    Great idea, thanks.

    StartledPhoenix said: You also need a third server for storing backups.

    Had totally slipped my mind..

    StartledPhoenix said: For cheapness, use KeyCDN

    Will check it out; was also looking at JetPack's built in one.

  • DeanDean Member

    Abdussamad said: The database is also shared so that's a problem too

    I'm sure there's a plugin to separate the databases... Yes there is (I've got a premium WPMUdev account).

  • DeanKamitsis said: I'm sure there's a plugin to separate the databases... Yes there is (I've got a premium WPMUdev account).

    You misunderstood my point. It's not load that is the concern. It's the security aspect of sharing a database between multiple sites. Even with that plugin you still have shared databases.

    If mysql load gets too high you can do things like sharding to spread the load among multiple servers. But I don't think you will have that problem when just starting out.

    Thanked by 1Dean
  • DeanDean Member
    edited March 2015

    Abdussamad said: You misunderstood my point. It's not load that is the concern. It's the security aspect of sharing a database between multiple sites. Even with that plugin you still have shared databases.

    Aaah I see. So are you saying I'm better off setting up separate WP sites using something like Vesta/ServerPilot.io and continue with MainWP?

  • deadbeefdeadbeef Member
    edited March 2015

    I'm very partial to Docker. I'd do it as such:

    • One docker container per entity that includes everything each site needs (mysql, apache, whatever)

    • Nginx reverse proxy to expose the containers to the internet (per domain)

    • A script to back up the containers

    Problems solved.

    Thanked by 2Dean howardsl2
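
The per-entity isolation suggested in the post above, sketched as an added example that is not part of the thread and not the poster's own setup. It is a variation: each entity gets a private network holding its own MySQL and WordPress containers rather than one all-in-one container. The `wp-`/`db-`/`web-` name prefixes, the DB user `wp`, the tenant names and the ports are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Prints, for review, the docker commands that give one tenant
# its own network, database and WordPress container (nothing is executed).
# Name prefixes, DB user "wp" and the sample tenants below are assumptions.

tenant_plan() {
    local name="$1" port="$2" pw
    # The name ends up in container and network names: allow a strict charset only.
    case "$name" in
        ""|*[!a-z0-9-]*) echo "invalid tenant name" >&2; return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) echo "invalid port" >&2; return 1 ;;
    esac
    # Per-tenant DB password (128 random bits as hex), so one site's
    # wp-config.php never unlocks another site's data.
    pw=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
    # No -p on the database: it is reachable only from this tenant's network.
    # The web port binds to loopback, so only the host's nginx proxy reaches it.
    cat <<EOF
docker network create wp-$name
docker run -d --name db-$name --network wp-$name --restart unless-stopped \\
  -v db-$name:/var/lib/mysql -e MYSQL_RANDOM_ROOT_PASSWORD=yes \\
  -e MYSQL_DATABASE=wordpress -e MYSQL_USER=wp -e MYSQL_PASSWORD=$pw mysql:8.0
docker run -d --name web-$name --network wp-$name --restart unless-stopped \\
  -p 127.0.0.1:$port:80 -v web-$name:/var/www/html \\
  -e WORDPRESS_DB_HOST=db-$name -e WORDPRESS_DB_NAME=wordpress \\
  -e WORDPRESS_DB_USER=wp -e WORDPRESS_DB_PASSWORD=$pw wordpress
EOF
}

# Two constructed tenants; each plan references only its own network and volumes.
tenant_plan charity-a 8081
tenant_plan charity-b 8082
```

The nginx reverse proxy then maps each domain to that tenant's loopback port, and the named volumes (`db-<name>`, `web-<name>`) are what the backup script needs to capture.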
  • DeanDean Member

    @deadbeef - thanks. Are there any get started guides that I can take a look at?

  • @DeanKamitsis said:
    How would this work for the ones wanting to receive notifications / form submissions?

    Use mandrill, which has support for a lot of ports http://help.mandrill.com/entries/21738477-What-SMTP-ports-can-I-use-

    Blocking port 25 prevents direct mailserver -> mailserver connections, but does not prevent stuff like sending to mandrill.

    Thanked by 1Dean
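
The port 25 damage control discussed above, as an added example that is not part of the thread: egress rules that reject direct mailserver-to-mailserver traffic while leaving relay submission ports alone, plus a check over the resulting log lines. It assumes an iptables firewall with a default-accept OUTPUT policy; the log prefix and the sample log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example. Assumes iptables with a default-accept OUTPUT policy, so relay
# traffic to an external provider on other ports (e.g. 587) is left untouched.
LOG_PREFIX="SMTP25-BLOCKED "   # arbitrary prefix chosen for this example

# Print the rules for review instead of applying them (run the output as root).
smtp_egress_rules() {
    local fw
    for fw in iptables ip6tables; do
        # Log with the owning UID (rate-limited), then reject. Loopback is
        # exempt so sites can still hand mail to a local relay daemon.
        echo "$fw -A OUTPUT ! -o lo -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix \"$LOG_PREFIX\" --log-uid"
        echo "$fw -A OUTPUT ! -o lo -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
    done
}

# Read kernel log lines on stdin and print "count uid", highest count first.
# Because logging is rate-limited, the counts are a lower bound.
blocked_by_uid() {
    grep -F "$LOG_PREFIX" \
      | grep -o 'UID=[0-9]*' \
      | sort | uniq -c | sort -rn \
      | awk '{ sub("UID=", "", $2); print $1, $2 }'
}

# Constructed sample: UID 33 is www-data on Debian/Ubuntu, i.e. the web server.
SAMPLE_LOG='Mar 10 02:14:01 web1 kernel: SMTP25-BLOCKED IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=25 SYN URGP=0 UID=33 GID=33
Mar 10 02:14:09 web1 kernel: SMTP25-BLOCKED IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.77 LEN=60 TTL=64 PROTO=TCP SPT=40118 DPT=25 SYN URGP=0 UID=33 GID=33
Mar 10 02:15:30 web1 kernel: SMTP25-BLOCKED IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 LEN=60 TTL=64 PROTO=TCP SPT=51200 DPT=25 SYN URGP=0 UID=1001 GID=1001
Mar 10 02:16:00 web1 sshd[812]: Accepted publickey for admin from 192.0.2.4 port 50022 ssh2'

smtp_egress_rules
printf '%s\n' "$SAMPLE_LOG" | blocked_by_uid
```

Any blocked attempt owned by the web server's UID means PHP code tried to deliver mail directly instead of through the relay, which is worth an alert in the monitoring the thread recommends.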
  • @DeanKamitsis said:
    deadbeef - thanks. Are there any get started guides that I can take a look at?

    You'll have to learn Docker, tons of documentation and tutorials (on the site and around the net), I don't think there's a tut you can follow step by step for exactly what you need.

    Thanked by 1Dean
  • edited March 2015

    @deadbeef said:
    I'm very partial to Docker. I'd do it as such:

    +1 to docker.

    With SELinux support, you can separate containers easily while protecting your host node.

    Thanked by 3deadbeef Dean howardsl2
  • DeanDean Member

    StartledPhoenix said: Depending on how much you are planning to spend, and if you are looking to expand, set up a cluster of cheap LEBs. Sometimes, it's cheaper and more reliable than one single VM. 1 HAProxy+Varnish and 3+ backends. Then you can pull one of the nodes off for maintenance or whatever and still be online. Your MySQL will not be lost as well if one of the nodes goes down.

    This was actually something I was considering.

  • edited March 2015

    @DeanKamitsis

    Send me a PM if you're interested in having such a setup, I've done this before and will be happy to work with you for free.

    (Side note before everyone starts asking - this is an exception to my signature)

  • DeanDean Member

    @StartledPhoenix - thanks for the offer.

    I think at the moment I'll have a bash at setting something up; I hadn't thought about shared users between sites and shared databases and the implications of doing so. With them being charitable organisations etc I have to be careful regarding data etc. It's something I hadn't considered before it was mentioned - I'd incorrectly assumed I could segregate it all off.

    Because of this I'm leaning more towards separate installs using ServerPilot (free) and a separate db server and also using something like KeyCDN/Jetpack Photon to offload all the images. Then using MainWP to keep an eye on all the plugin / template updates.

  • DeanKamitsis said:

    Aaah I see. So are you saying I'm better off setting up separate WP sites using something like Vesta/ServerPilot.io and continue with MainWP?

    I prefer command line tools. You can use wp-cli to manage different installations. Here is a comparison between single site and multisite wp:

    http://lowendtalk.com/discussion/comment/841089/#Comment_841089

    If you are the only user that'll be accessing all the sites then wpmu makes sense. If multiple people have to be given access then go with separate installations.
