AWS Lightsail Bitnami Let’s Encrypt Certificate Renewal

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/lightsail-bitnami-renew-ssl-certificate/

To renew your Let’s Encrypt certificate on a Bitnami Lightsail WordPress instance:

  • SSH into the instance and follow these steps.
  • Review the reference listed above as a guide, before continuing.
  • Note: The steps below are used if the bncert-tool or Lego provided by Bitnami was used to request the certificate.
  • Replace <DOMAIN> with your domain name.
  • Replace <EMAIL> with your email address.
sudo grep -irl "$(openssl s_client -verify_quiet -showcerts -connect <DOMAIN>:443 2>/dev/null | sed -n '/BEGIN/,/END/{p;/END/q}' | head -n 3 | tail -n 2)" /opt/bitnami/letsencrypt /etc/letsencrypt

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list

sudo /opt/bitnami/ctlscript.sh stop

sudo /opt/bitnami/letsencrypt/lego --tls --email="<EMAIL>" --domains="<DOMAIN>" --path="/opt/bitnami/letsencrypt" renew --days 90

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list

sudo /opt/bitnami/ctlscript.sh start

Sneaky Hackers: How I Fixed the xmlrpc.php Problem

References:

Recently I noticed a flood of xmlrpc.php POSTs in my Apache access_log for a new WordPress site just deployed, using a Bitnami image on AWS Lightsail. Basically it was flooding the site a few times every second! Eventually it gets overloaded and shuts down Apache.

xmlrpc access log

After doing a bit of research, aka… I checked Google, I learned this is a known problem. In a nutshell, hackers can use xmlrpc.php for botnets, brute force attacks, etc. Although there is some value with xmlrpc.php within WordPress (pingbacks, etc), I was not using that functionality.

I addressed the issue with the iThemes Security plugin. Easy to install and configure, it only took a few minutes to make the site much more secure, including two-factor authentication, brute-force login attempt lockout, etc.

iThemes Security

For the xmlrpc issue, be sure to go into Settings -> Advanced -> API Access – XML-RPC – select Disable XML-RPC, and also for REST-API -> select Restricted Access.

Disable XML-RPC

Within only a couple days, the plugin has already locked out a few bad IPs attempting brute force attacks. No problems with the XMLRPC floods since, fingers crossed.
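
The flood described above can be confirmed, and re-checked after the fix, from the access log itself. This is an added example, not part of the original post: it counts POSTs to xmlrpc.php per client per minute, and the function names, the threshold of 10 and the sample log lines are constructed for illustration, assuming Apache's common/combined log format.

```shell
#!/bin/sh
# Added example: list clients flooding xmlrpc.php, from an Apache access log.
# Assumes common/combined log format; names and threshold are illustrative.

# xmlrpc_flooders LOG [THRESHOLD]
#   LOG        path to access_log, or "-" for stdin
#   THRESHOLD  POSTs to xmlrpc.php from one client within one minute (default 10)
xmlrpc_flooders() {
    awk -v threshold="${2:-10}" '
        # $1 client, $4 "[dd/Mon/yyyy:HH:MM:SS", $6 "\"METHOD", $7 request path
        $6 == "\"POST" && $7 ~ "(^|/)xmlrpc[.]php([?]|$)" {
            minute = substr($4, 2, 17)            # dd/Mon/yyyy:HH:MM
            n = ++hits[$1 SUBSEP minute]
            if (n > peak[$1]) peak[$1] = n        # busiest minute per client
            total[$1]++
        }
        END {
            for (ip in peak)
                if (peak[ip] >= threshold)
                    printf "%s peak_per_min=%d total=%d\n", ip, peak[ip], total[ip]
        }' "${1:--}" | sort
}

# Constructed sample input (documentation IP ranges, not real traffic).
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do    # 12 POSTs inside one minute from one client
        printf '203.0.113.7 - - [10/Apr/2022:06:25:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 403\n' "$i"
        i=$((i + 1))
    done
    # Occasional xmlrpc use, a GET, and a login POST: none should be flagged.
    printf '%s\n' \
        '192.0.2.44 - - [10/Apr/2022:06:25:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403' \
        '192.0.2.44 - - [10/Apr/2022:06:31:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403' \
        '198.51.100.20 - - [10/Apr/2022:06:25:30 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42' \
        '198.51.100.20 - - [10/Apr/2022:06:25:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0'
}

# Demo run on the constructed sample.
sample_log | xmlrpc_flooders -
```

On a live instance, pass the path to your Apache access_log as the first argument instead of the sample.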

Setup WordPress on AWS Lightsail

This post will detail my notes from the steps I used for a new project to get WordPress up and running on AWS Lightsail.

References:

Purchase the Domain Name using Route53

Every great project must start with a new domain name… I will use AWS Route53.

  1. Log into the AWS Console.
  2. Navigate to the Route 53 service.
  3. Check for and Register domain.
    1. Find the perfect domain name, check availability, and purchase.
    2. It can take a bit for the request to be processed, up to 3 days, but normally it is fairly quick. Be sure to confirm the email, which validates your email address.
    3. Now that you have your new domain name, you are fully committed to completing the project!

Deploy the Lightsail Instance

  1. On the AWS console, navigate to the Lightsail service.
  2. Click Create Instance
  3. Select the default platform: Linux/Unix, and blueprint: WordPress
    • This will install the WordPress Certified by Bitnami and Automattic 5.9.2-3 (at the time of this post) configuration.
  4. Change SSH key pair, or use the default suggested.
  5. Choose the instance plan. The smallest is sufficient for a lightly used site ($3.50 / month, 512 MB, 1 vCPU, 20 GB SSD, 1 TB Transfer).
  6. Identify your instance: Select an instance name
  7. Add any tags if desired.
  8. Click Create instance.

Create a Static IP

  1. Select the option to Add a Static IP, otherwise your public IP address will change when the instance is stopped / started.
  2. Attach the Static IP to your new instance.

Point Domain Name to the Static IP

  1. In Route 53, select the hosted zone for your new domain name.
  2. Click Create record.
    1. Record name – add a www prefix, for example, if desired.
    2. Record type – A record (default)
    3. Value – paste in the public IP address for your Elastic IP
    4. TTL seconds – 300 (default)
    5. Routing policy – Simple Routing (default)
    6. Click Create record.
  3. Create additional A records for other prefixes, for example: www or blog, if needed.
  4. It will take a moment for the records to propagate and become active.

Connect to your Instance

  1. Connect to your instance using ssh with the key saved earlier, or use the console to connect. The user name is bitnami. The example below connects from a Linux bash shell.
chmod 400 your-lightsail-key.pem
ssh -i your-lightsail-key.pem bitnami@your-static-ip
  2. When first logging in, a message was displayed that locales were not installed.
sudo apt-get install locales-all

Set up Encryption

We will be using Let’s Encrypt to serve your website using HTTPS.

sudo /opt/bitnami/bncert-tool

Adjustments to wp-config.php

sudo vi /opt/bitnami/wp-config.php

#Change the WP_SITEURL and WP_HOME to reflect your domain name with https.

Adjustments to php.ini

sudo vi /opt/bitnami/php/etc/php.ini

# Change the:
# upload_max_filesize = 150M
# post_max_size = 150M

# Increase (if desired...
# I left it at the default 30 without any issue so far)
# max_execution_time = 300

Get the bitnami user password

cd
cat bitnami_application_password

Sign in to your site

  1. Open a browser tab to your domain name. You should now connect to your site and see the WordPress login screen.
  2. Log in using the username: user, password: bitnami_application_password obtained above.

Create a Snapshot of your site

  1. Return to the AWS Lightsail console
  2. Select the new instance
  3. Select the Snapshots tab.
  4. Click + Create snapshot, provide a name, click Create.
  5. While in the snapshots page, slide the switch to enable Automatic snapshots, if desired.

Complete WordPress Configuration

  1. Return to your website on your browser.
  2. If desired, add a new username with Administration rights and log in with it to continue your work (the bitnami provided user can then be removed).
  3. Complete the WordPress configuration as normal. For example, configure themes, pages, posts, appearance, etc.

Good luck! I found the references at the top of this post to be helpful.

WordPress Site Migration Issue with Max Upload Size

I ran into an issue when attempting to migrate a WordPress site from local to a new AWS Lightsail instance using the popular All-in-One WP Migration plugin.

Normally this plugin works great… use it to perform the usual Export and then Upload / Import it onto the new site. This time, not so much.
