Changes

Jump to navigation Jump to search
This page describes the configuration of the new research computing machines: '''Father ''' (Windows Server 2019) and '''Mother ''' (Ubuntu Server 20.04). Note that the [[RDP Software Configuration]] describes the software installed on Father. The hardware description and complete build notes and configuration of information for '''Bastard''', our blisteringly fast, multi-GPU, A.I. estimation platform, is are on the [[DIGITS DevBox]] page. The hardware descriptions for Father and Mother are on the [[Research Computing Hardware]] page. See also: [[Recovering Astarte]] for notes on moving content from an old mediawiki installation to a new one.
==Both machines (Father and Mother)==
wget https://extdist.wmflabs.org/dist/extensions/GeoData-REL1_34-8a52fa4.tar.gz
tar -xzf GeoData-REL1_34-8a52fa4.tar.gz -C /var/lib/mediawiki/extensions
 
wget https://extdist.wmflabs.org/dist/extensions/NumberFormat-REL1_34-cf8a23e.tar.gz
tar -xzf NumberFormat-REL1_34-cf8a23e.tar.gz -C /var/lib/mediawiki/extensions
Do the semantic mediawiki install and config. Last time, we installed Semantic Mediawiki using composer, which is the preferred method. See [[Web_Server_Documentation]].
Line 29: if ( $path && @file_exists( $path ) ) {
=====Other Config=====
Check pre-reqs are good for Scribuntu.
service apache2 restart
=====MathML=====
I tried various methods to get MathML to work and always failed. It looks like the community bet on Mathoid working out, but there's been no development on it for 5 months now, and it looks dead. The good news, if is that MathJax works just fine right out of the box:
git clone https://github.com/jmnote/SimpleMathJax.git
wfLoadExtension( 'SimpleMathJax' );
#$wgSmjInlineMath = [ [ "$", "$" ], [ "\\(", "\\)" ] ];
Note: the last line lets you demark math with LaTeX-like syntax. I disabled it, as I use $ signs way to too much in other contexts.
=====PDFEmbed=====
PDFEmbed was the extension that I never knew that I always wanted!
wfLoadExtension( 'PDFEmbed' );
====SemanticACL=====
IntraACL (http://wiki.4intra.net/IntraACL) doesn't work with Mediawiki 1.34, so it's out. I also wasn't wild about its patch-based approach.
or equivalently (but silently):
<nowiki>{{#set: Visible to=whitelist|Visible to group::=team}}</nowiki>
=====BibTeX=====
cd ../maintenance
php update.php
====Change the Dbase====
I tried to 'rename' the dbase, creating a dedicated dbase user that has access to just the wiki's dbase, and resetting its password.
in /bulk/backups:
To do the front page, I copied the source of [https://www.mediawiki.org/w/index.php?title=Template:Main_page&action=edit Template:Main page] from mediawiki to a page (called Test) and created [Template:Main page/styles.css] using [https://www.mediawiki.org/w/index.php?title=Template:Main_page/styles.css&action=edit mediawiki's code]. Then I rejigged the contents of the page!
 
The only minor but non-obvious change, was that I used h2 headings inside each mainpage_box, rather than h3's. As a consequence, I needed to add the following to [[Template:Main_page/styles.css]]:
.mainpage_box h2 {
border-bottom: none;
}
.mainpage_box h2 .header_icon {
margin-right: 5px;
}
Old instructions[https://www.mediawiki.org/wiki/Topic:R1j08xhjgrtkpj6q] suggest using [[Special:ExpandTemplate]] on mediawiki's wiki, with the input text <nowiki>{{:MediaWiki}}</nowiki>. But this isn't necessary as the template doesn't need expanding in its current (at the time of writing) incarnation. Naturally, the page works well on MobileFrontend.
And the wiki now seems happy!
=====PostGIS Issues===== 
I also checked postgres and everything seemed ok:
su researcher
All my extensions report back.
====Other Fixes====Update: It seems something did go wrong. Just because the extensions report back doesn't mean they work! When I try to run queries that use PostGIS, I get: SQL Error [58P01]: ERROR: could not access file "$libdir/postgis-2.4": No such file or directory I tried updating the extension (I'm pretty sure that I'm running 2.4.3): ALTER EXTENSION postgis UPDATE TO "2.4.3";
Remove redundant user accountsBut that didn't fix anything. I checked the versions: cat select version(); PostgreSQL 10.14 (Ubuntu 10.14-0ubuntu0.18.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0, 64-bit --So somehow I'm still running version 10! select PostGIS_full_version(); ERROR: could not access file "$libdir/etc/passwdpostgis-2.4": No such file or directory CONTEXT: userdel -r usernameSQL statement "SELECT public.postgis_lib_version()" PL/pgSQL function postgis_full_version() line 25 at SQL statement
So I need to get Xwindows set up again. My best guess as to backed off the cause of this issue is leftover Nvidia drivers data from my attempts to install the GPUs on this box went bad in an earlier apt-get upgrade but two dbases that I can't see them listedd used since the upgrade: dpkg pg_dump -l | grep nvidiaFc stockmarket > stockmarket_Fc_20201023.dump pg_dump -driverFc vcdb4 > vcdb4_Fc_20201023.dump #FAILED!
There is The second backoff failed: pg_dump: [archiver (db)] query failed: ERROR: could not access file "$libdir/postgis-2.4": No such file or directory pg_dump: [archiver (db)] query was: SELECT a.attnum, a.attname, a.atttypmod, a.attstattarget, a.attstorage, t.typstorage, a .Xauthority fileattnotnull, a.atthasdef, a.attisdropped, a.attlen, a.attalign, a.attislocal, and an pg_catalog.format_type(t.ICEauthority fileoid, in /home/ed and both are owned by ed:eda. The former is empty atttypmod) AS atttypname, array_to_string(a.attoptions, ', ') AS attoptions, CASE WHEN a.attcollation <> t.typcollation THEN a.attcollation ELSE 0 bytesEND AS attcollation, a.attidentity, pg_catalog.array_to_string(ARRAY(SELECT pg_catalog.quote_ident(option_name) and the latter has some non-UTF8 || ' ' || pg_catalog.quote_literal(option_value) FROM pg_catalog.pg_options_to_table(I think?attfdwoptions) ORDER BY option_name), E', ') characters in itAS attfdwoptions FROM pg_catalog.pg_attribute a LEFT JOIN pg_catalog.pg_type t ON a.atttypid = t.oid WHERE a. Iattrelid = '19998614'm not sure if either is an issue::pg_catalog.oid AND a.attnum > 0::pg_catalog.int2 ORDER BY a.attnum
I didn't see xserver-xorg-video-nouvea in the package list or any video driver module, so I installed nouveau: dpkg -l lsmod | more apt install xserver-xorg-video-nouveau I'm not sure if I should be fixing my boot image or not... shutdown -r now lsmod | more======Postgres Upgrade Attempt (Failed)======
After doing this the login would give a local desktop but neither the keyboard nor mouse workedMy changes weren't substantial, so I proceeded with an upgrade. First I tried uninstalling checked to see if I had postgres12 installed and reinstalled listening on another port or not: locate postgres ls /usr/bin/postgres dpkg --get-selections | grep postgres pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 10 main 5432 online postgres /data/postgres /var/log/postgresql/postgresql-10-main.log 12 main 5433 online postgres /var/lib/postgresql/12/main /var/log/postgresql/postgresql-12-main.log pg_upgradecluster 10 main #This failed: pg_dump: error: query failed: ERROR: could not access file "$libdir/postgis-2.4": No such file or directory So... I can't automatically upgrade without first fixing the keyboardissue with v10 and postgis. add-configuration againapt-repository http://apt.postgresql.org/pub/repos/apt But that put the following into /etc/apt/sources-list: deb http://apt.postgresql.org/pub/repos/apt focal main vi it to (see https://wiki.postgresql.org/wiki/Apt): deb http://apt.postgresql.org/pub/repos/apt focal-pgdg wget --quiet -O - http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc | sudo apt-key add - apt-get remove keyboardupdate #Throws a warning: N: Skipping acquire of configured file 'main/binary-i386/Packages' as repository 'http://apt.postgresql.org/pub/repos/apt focal-configurationpgdg InRelease' doesn't support architecture 'i386' But the wretched thing still doesn't seem to be available: apt-get install keyboardpostgresql-configuration 10-postgis-2.4 shutdown Package postgresql-10-postgis-r now2.4 is not available, but is referred to by another package.
But that just Trying a manual approach. [https://packages.ubuntu.com/bionic/i386/postgresql-10-postgis-2.4/download Get the file], put me back where I was: with a login loop problemit in /bulk/temp and cd there. So I tried switching to lightdmThen: apt-get install lightdm./postgresql-10-postgis-2.4_2.4.3+dfsg-4_i386.deb #This failed too - there are unmet dependencies and they are 'not installable'.
And it worked even before a reboot. After a reboot, I had a different login screen but ======Switching over the actual desktop looked the same. The .Xauthority file is now 51 bytes big and I suddenly have a .xsession-errors, which contains a list of environment settings taking place... However, the machine then silently crashed that night and again the following morning. I couldn't find a specific cause in the logs but there did seem to be a number X and GNOME problems: journalctl -b -1 journalctl --since "1 hour ago"installations======
So, I ran an update from the GUI, which may have helped. However, there was a warning about an issue with a screensaver took the first time that I loaded lightdm, and alternative approach of changing the crashes seemed to happen sometime after a clean bootdata folders [https://www. So I uninstalled lightdm, and installed gdm (which failed as installed already) and rebooted but got no GUItutorialspoint. Then I uninstalled and reinstalled gdm and everything seems fine now. aptcom/how-to-change-postgresql-data-folder-location-on-get remove lightdm aptubuntu-get remove gdm3 apt16-get install gdm304].
Incidentally, I left a clock running in a terminal so that I could see when the box went down if it crashed again. The clock code isplan: while [ 1 ] ; do echo -en "$#Take version 10 offline#Move version 10's data to a new location (date +%T/var/lib/postgresql/10/main)\r" ; sleep 1; done#Switch the ports of versions 10 and 12#Move version 12's data to /data#Put version 12 online#Load up the data in version 12!#Optionally wipe out the old installation
====Important Moves====Shut it down: pg_ctlcluster 12 master start pg_lsclusters #The cluster Ver Cluster Port Status Owner Data directory Log file 10 main 5432 online postgres /data/postgres /var/log/postgresql/postgresql-10-main.log 12 master 5433 online postgres /var/lib/postgresql/12/master /var/log/postgresql/postgresql-12-master.logg systemctl stop postgresql systemctl status postgresql
I kept Edit the old versions of mediawiki and wordpress and moved them to config files: vi /etc/postgresql/10/bulkmain/retired (using yyymmdd dates)postgresql.conf mv data_directory = '/var/lib/mediawiki26082020 postgresql/bulk/retired10/main' port = 5433 mv /bulkvi /retiredetc/mediawiki26082020 postgresql/bulk12/retiredmaster/mediawiki20200826postgresql.conf mv data_directory = '/vardata/wwwpostgres' port = 5432 listen_addresses = '*' #While we are here do some performance tuning: shared_buffers = 512MB huge_pages = try temp_buffers = 8G work_mem = 4GB maintenance_work_mem = 64 effective_cache_size = 384GB #Note that I didn't reduce the number of connections (and the max_wal_senders, which must be < max connections), or change max_stack_depth (which gives an error if you set it too high) vi /htmletc/blog20200809 postgresql/bulk12/retiredmaster/pg_hba.conf Copy over the config to allow access from inside the network
===Wordpress Redux===Move the data: df #to check diskspace rm -R /var/lib/postgresql/10/main #Note that none of the config files in here were valid (though you should check this is true before you do it!) rsync -av /data/postgres/ /var/lib/postgresql/10/main #Takes awhile, but make sure it is all done before the next step rm -R /data/postgres rsync -av /var/lib/postgresql/12/master/ /data/postgres systemctl start postgresql pg_lsclusters Ver Cluster Port Status Owner Data directory Log file 10 main 5433 online postgres /var/lib/postgresql/10/main /var/log/postgresql/postgresql-10-main.log 12 master 5432 online postgres /data/postgres /var/log/postgresql/postgresql-12-master.log
====Install====Do the installs for some extensions: apt-get install postgresql-12-plr apt-get install postgresql-plperl-12 postgresql-plpython3-12
First, move the old folder to a new name, so that Check it is there for backup and then get the new install and unpack it.all works: psql postgres CREATE EXTENSION postgis; cd /bulk/installsCREATE EXTENSION plr; wget https://wordpress.org/latest.tar.gzCREATE EXTENSION plperl; mv /var/www/html/blog /var/www/html/blog20200809CREATE EXTENSION plpython3u; tar \dx List of installed extensions Name | Version | Schema | Description---------+---------+------------+------------------------------------------------------------------xzf latest--- plpgsql | 1.tar.gz -C /var/www/html0 | pg_catalog | PL/pgSQL procedural language cd /var/www/html/postgis | 3.0.0 | public | PostGIS geometry, geography, and raster spatial types and functions mv wordpress/ blog/(2 rows) Make the user: chown -R wwwcreateuser -data:www-data bloginteractive researcher
Put an .htaccess file Then restore the databases (as researcher in that folder to restrict access while we work/bulk/backup): vi blog/createdb stockmarket pg_restore -Fc -d stockmarket stockmarket_Fc_20201023.htaccessdump <RequireAny> createdb vcdb4 Require ip 192.168.2 pg_restore -Fc -d vcdb4 vcdb4_Fc.1 </RequireAny>dump
====Set up====The restore threw some errors related to not having extension plpythonu, but otherwise seemed fine. The issue seems to be that pythonu is python2[https://www.postgresql.org/docs/12/plpython-python23.html], and python2 is not available for postgres 12 (it might be here: https://wiki.postgresql.org/wiki/Apt): apt-cache search ".*plpython*.*"
Then set up the dbase by editing wp-config.php (it's easiest to modify the sample). cp blog/wp-config-sample.php blog/wp-config.php vi blog/wp-config.php Note get some keys from: https://api.wordpress.org/secret-key/1.1/salt/====Other Fixes====
Then the backend works - go to httpRemove redundant user accounts: cat /etc/www.edegan.com/blog/wp-admin! However the health check shows a missing required module and two missing recommended modules. Fix that: apt-get install php7.3-gdpasswd aptuserdel -get install php7.3-curl apt-get install php7.3-imagick apachectl restartr username
Ironically, it then recommends that I upgrade need to PHP7get Xwindows set up again.4... but that would just give issues for mediawiki. On My best guess as to the other hand, everything cause of this issue is now green and just 4 groups of recommendations remain.leftover Nvidia drivers from my attempts to install the GPUs on this box went bad in an earlier apt-get upgrade but I can't see them listed: dpkg -l | grep nvidia-driver
====Config====There is a .Xauthority file, and an .ICEauthority file, in /home/ed and both are owned by ed:ed. The former is empty (0 bytes) and the latter has some non-UTF8 (I think?) characters in it. I'm not sure if either is an issue.
See [[Wordpress Blog Site (Tool)]] for I didn't see xserver-xorg-video-nouvea in the McNair Centerpackage list or any video driver module, so I installed nouveau: dpkg -l lsmod | more apt install xserver-xorg-video-nouveau I's buildm not sure if I should be fixing my boot image or not... shutdown -r now lsmod | more
Using wwwAfter doing this the login would give a local desktop but neither the keyboard nor mouse worked.edegan.com/blog/wp-admin I configured tried uninstalling and reinstalled the blog as follows:keyboard-configuration again.*Select Twenty Twenty as the theme apt-get remove keyboard-configuration*Add the permalink code to the .htaccess file, so that the URLs will work with postnames*Copy over images to wp apt-content/uploads (use cp get install keyboard-a to maintain permissions)configuration *Change the site name to https (after fixing the https setup, see below) shutdown -r now
Install pluginsBut that just put me back where I was: with a login loop problem. So I tried switching to lightdm:*Yoast SEO*Wordfence Security*Disable Comments*Site Kit by Google (set up once live!)*Pixabay apt-get install lightdm
And it worked even before a reboot. After a reboot, I also addedhad a different login screen but the actual desktop looked the same. The .Xauthority file is now 51 bytes big and I suddenly have a .xsession-errors, which contains a list of environment settings taking place... However, the machine then silently crashed that night and again the following morning. I couldn't find a specific cause in the logs but there did seem to be a number X and GNOME problems:*CoBlocks (free)*Advanced Gutenberg (free) journalctl -b -1*Otter journalctl --since "1 hour ago"
I didn't add Co-Authors Plus ran an update from the GUI, which may have helped. However, there was a warning about an issue with a screensaver the first time that I loaded lightdm, and the crashes seemed to happen sometime after a clean boot. So I uninstalled lightdm, and installed gdm (https://wordpress.org/plugins/co-authors-plus/which failed as installed already) as it hasn't been tested on the latest version of wordpressand rebooted but got no GUI. There are other plugins that offer equivalent functionality if Then I need one lateruninstalled and reinstalled gdm and everything seems fine now. apt-get remove lightdm apt-get remove gdm3 apt-get install gdm3
Other plugins Incidentally, I might want areleft a clock running in a terminal so that I could see when the box went down if it crashed again. The clock code is:*Revive Old Post (share with twitter)*Optimole (optimize images)*WP Rocket while [ 1 ] ; do echo -en "$(implement cachedate +%T)\r" ; sleep 1; done
Notes:*Twitter embedding: https://www.wpbeginner.com/wp-tutorials/how-to-display-recent-tweets-in-wordpress-with-twitter-widgets/====Important Moves====
====Hardening Wordpress====I kept the old versions of mediawiki and wordpress and moved them to /bulk/retired (using yyymmdd dates) mv /var/lib/mediawiki26082020 /bulk/retired/ mv /bulk/retired/mediawiki26082020 /bulk/retired/mediawiki20200826 mv /var/www/html/blog20200809 /bulk/retired/
I hardened the wordpress installation: https://wordpress.org/support/article/hardening-wordpress/===Wordpress Redux===
This included:*Fixing file ownership: For fully hardened, change ownership of everything to root, except wflogs, uploads and themes in wp-content, which should be owned by www-data. However, then you won't be able to install plugins etc. A compromise is -R root:root for blog and then www-data:www-data for wp-content.*Check file permissions: Everything is 644, except wp-content which is 755*Checking dbase rights and setting new passwords.*Changing passwords on old accounts (with posts, so the accounts shouldn't be deleted) to random strong strings.*Fixing up .htaccess file to impose restrictions*====Install Sucuri *Enable more logging====
Checking user rights in First, move the dbase old folder to a new name, so that it is there for backup and changing their password:then get the new install and unpack it. mysql -user=root -pcd /bulk/installs use wget https://wordpress.org/latest.tar.gz mv /var/www/html/blog /var/www/html/blog20200809 SELECT User FROM mysqltar -xzf latest.user;tar.gz -C /var/www/html/ SHOW GRANTS FOR 'username'@'localhost';cd /var/www/html/ SET PASSWORD FOR 'username'@'localhost'='newpassword';mv wordpress/ blog/ (Note that this shouldn't be logged in clear on the server, but might be on a client. Delete .mysql_history at the end of your session.) chown -R www-data:www-data blog
Put an .htaccess file in wp-includesthat folder to restrict access while we work: # Block the include-only filesvi blog/.htaccess <IfModule mod_rewrite.cRequireAny> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\ Require ip 192.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/168.+\2.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]1 </IfModuleRequireAny> # BEGIN WordPress
The #BEGIN WordPress tag is redundant as the file is 644 root.====Set up====
Add Then set up the following dbase by editing wp-config.php (it's easiest to modify the sample).htaccess in the wordpress dir: <files cp blog/wp-config-sample.php blog/wp-config.php> order allow,denyvi blog/wp-config.php deny Note get some keys from all <: https://api.wordpress.org/secret-key/1.1/salt/files>
If there are plugin installation issues then add Then the backend works - go to http://www.edegan.com/blog/wp-configadmin! However the health check shows a missing required module and two missing recommended modules. Fix that: apt-get install php7.3-gd apt-get install php7.php3-curl apt-get install php7.3-imagick define('FS_METHOD','direct');apachectl restart
Once Ironically, it then recommends that I'm all done with upgrade to PHP7.4... but that would just give issues for mediawiki. On the theme etc.other hand, I can uncomment the following from wp-configeverything is now green and just 4 groups of recommendations remain.php define('DISALLOW_FILE_EDIT', true);
====RedesignConfig====
I built a See [[BrandingWordpress Blog Site (Tool)]] palette, to standardize for the colors. And I installed the Twentig plugin, to give extra configuration optionsMcNair Center's build.
Using www.edegan.com/blog/wp-admin I changed configured the blog as follows:*Select Twenty Twenty as the theme*Add the permalink code to the site colors.htaccess file, added so that the logo and URLs will work with postnames*Copy over images to wp-content/uploads (use cp -a to maintain permissions)*Change the tag linesite name to https (after fixing the https setup, and made other config changes.see below)
Then, I added custom CSS as follows.Install plugins:*Yoast SEO*Wordfence Security*Disable Comments*Site Kit by Google (set up once live!)*Pixabay
To reduce the header spacingI also added: .header-inner {*CoBlocks (free) padding: 1.5rem 0;*Advanced Gutenberg (free) }*Otter
To remove the title from the landing pageI didn't add Co-Authors Plus (https: //wordpress.pageorg/plugins/co-idauthors-2169 plus/) as it hasn't been tested on the latest version of wordpress.entry-title{ display:none !important; } There are other plugins that offer equivalent functionality if I need one later.page-id-2169 .entry-header { padding: 0; }
To doOther plugins I might want are:*Revive Old Post (share with twitter)*Optimole (optimize images)*WP Rocket (implement cache) Notes:*Twitter embedding: https://www.wpbeginner.com/wp-tutorials/how-to-display-recent-tweets-in-wordpress-with-twitter-widgets/ ====Hardening Wordpress==== I need to add social media icons! That might be as easy as adding hardened the social media menu [wordpress installation: https://wordpress.org/support/article/twentyhardening-twentywordpress/#add-social-icons].*Get a '''related posts widget'''? There's Yet Another Related Posts Plugin, Contextual Related Posts, and Inline Related Posts... I went with YARPP, as it is the most popular. It is apparently resource-heavy.
I tried the following blocks pluginsThis included:*'''Ultimate Addons for Guttenberg'''*It's free and adds some nice basic functionality**Post blocks includeFixing file ownership: Post CarouselFor fully hardened, Post Gridchange ownership of everything to root, Post Masonryexcept wflogs, Post Timelineuploads and themes in wp-content, Advanced Columns which should be owned by www-- but customization is limited and I candata. However, then you won't do one post*'''Getwid''':**Pretty highly customizablebe able to install plugins etc. **Can specify which posts to show in 3 blocks (Custom Post Type, Post Carousel, and Post Slider) and can build custom templates to arrange how they are displayed**Post blocksA compromise is -R root: Recent Posts, Custom Post Type, Post Carousel, root for blog and Post Slider*'''Redux''' then www-data:www- It's a templates library. You get 5 data for free and they upsell hardwp-content.*'''ZeGuten''' Check file permissions: Everything is 644, except wp- Couldn't find itcontent which is 755*'''Advanced Gutenberg''' - It's free Checking dbase rights and widely used..setting new passwords. *'''CoBlocks''' -- Does the basics**Posts -- Can't specify specific Changing passwords on old accounts (with posts. Can do category.**Post Carousel -- Likewise.*'''Stackable''':**It requested opt-in, which I didn't like, and it wants you to 'Go Premium'. **It has settings for everything! By far so the most detailed configuration.**Useful blocks:***Posts -- canaccounts shouldn't seem to specify a specific post***Advanced Columns and Grids -- for layout***Card -- could make posts links with buttons***Feature/Feature Grid -- likewise***Container? Might be helpful*'''Gutenberg Post Blocks'''**Untested with my version. Seems deleted) to workrandom strong strings. **Has lots of options but does full-page things. Can limit to a post using include but has next page linksFixing up ...**Tried to push for an update htaccess file to pro.impose restrictions*'''Magical Posts Display''' -- I dumped it for being too weird.Install Sucuri *'''Otter Blocks'''**Google maps block and other useful things... I just don't need it right now.Enable more logging
Checking user rights in the dbase and changing their password: mysql -user=root -p use wordpress SELECT User FROM mysql.user; SHOW GRANTS FOR 'username'@'localhost'; SET PASSWORD FOR 'username'@'localhost'='newpassword'; (Note that this shouldn't be logged in clear on the server, but might be on a client. Delete .mysql_history at the end of your session.) .htaccess in wp-includes: # Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> # BEGIN WordPress The #BEGIN WordPress tag is redundant as the file is 644 root. Add the following to .htaccess in the wordpress dir: <files wp-config.php> order allow,deny deny from all </files> If there are plugin installation issues then add to wp-config.php define('FS_METHOD','direct'); Once I'm all done with the theme etc., I can uncomment the following from wp-config.php define('DISALLOW_FILE_EDIT', true); ====Redesign==== I built a [[Branding]] palette, to standardize the colors. And I installed the Twentig plugin, to give extra configuration options. I changed the site colors, added the logo and the tag line, and made other config changes. Then, I added custom CSS as follows. To reduce the header spacing: .header-inner { padding: 1.5rem 0; } To remove the title from the landing page: .page-id-2169 .entry-title{ display:none !important; } .page-id-2169 .entry-header { padding: 0; } To do:*I need to add social media icons! That might be as easy as adding the social media menu [https://wordpress.org/support/article/twenty-twenty/#add-social-icons].*Get a '''related posts widget'''? There's Yet Another Related Posts Plugin, Contextual Related Posts, and Inline Related Posts... I went with YARPP, as it is the most popular. It is apparently resource-heavy. I tried the following blocks plugins:*'''Ultimate Addons for Guttenberg'''*It's free and adds some nice basic functionality**Post blocks include: Post Carousel, Post Grid, Post Masonry, Post Timeline, Advanced Columns -- but customization is limited and I can't do one post*'''Getwid''':**Pretty highly customizable. **Can specify which posts to show in 3 blocks (Custom Post Type, Post Carousel, and Post Slider) and can build custom templates to arrange how they are displayed**Post blocks: Recent Posts, Custom Post Type, Post Carousel, and Post Slider*'''Redux''' -- It's a templates library. You get 5 for free and they upsell hard.*'''ZeGuten''' - Couldn't find it*'''Advanced Gutenberg''' - It's free and widely used... *'''CoBlocks''' -- Does the basics**Posts -- Can't specify specific posts. Can do category.**Post Carousel -- Likewise.*'''Stackable''':**It requested opt-in, which I didn't like, and it wants you to 'Go Premium'. **It has settings for everything! By far the most detailed configuration.**Useful blocks:***Posts -- can't seem to specify a specific post***Advanced Columns and Grids -- for layout***Card -- could make posts links with buttons***Feature/Feature Grid -- likewise***Container? Might be helpful*'''Gutenberg Post Blocks'''**Untested with my version. Seems to work. **Has lots of options but does full-page things. Can limit to a post using include but has next page links...**Tried to push for an update to pro.*'''Magical Posts Display''' -- I dumped it for being too weird.*'''Otter Blocks'''**Google maps block and other useful things... I just don't need it right now. Built-in:*Latest Posts (widget) Chosen block plugins:*'''Getwid''' -- It's outstanding and embraces templates for serious bespoke customization*'''Stackable''' -- For its option-based customization*I might add back '''coblocks''', '''Advanced Gutenberg''' and '''Ultimate Addons for Gutenberg''' ====Email==== I installed WP Mail SMTP Lite. I first set it up to use Google. Essentially you need to sign in to Google and set up an API in the console: https://console.developers.google.com/flows/enableapi?apiid=gmail&pli=1. However, this seemed to introduce a massive security hole unless you have G Suite, so I abandoned this approach. I had previously set up SMTP through Google for the wiki (See [[Research_Computing_Configuration#Confirm_Account]]). So, I used the same approach with Wordpress. In WP Mail SMTP Lite choose 'Other' (see the [https://www.wpbeginner.com/plugins/how-to-send-email-in-wordpress-using-the-gmail-smtp-server/ second method]). Then [https://wpmailsmtp.com/docs/how-to-secure-smtp-settings-by-using-constants/ edit wp-config.php to hardcode the values] (this ensures that the password, which is stored plain-text, is a little more secure.): define( 'WPMS_ON', true ); //You MUST set this if you want hardcoded values to work! define( 'WPMS_LICENSE_KEY', '' ); define( 'WPMS_MAIL_FROM', 'blog@edegan.com' ); define( 'WPMS_MAIL_FROM_FORCE', true ); define( 'WPMS_MAIL_FROM_NAME', 'The Blog at EdEgan.com' ); define( 'WPMS_MAIL_FROM_NAME_FORCE', true ); define( 'WPMS_MAILER', 'smtp' ); // Possible values: 'mail', 'gmail', 'mailgun', 'sendgrid', 'smtp'. define( 'WPMS_SET_RETURN_PATH', true ); define( 'WPMS_SMTP_HOST', 'ssl://smtp.gmail.com' ); define( 'WPMS_SMTP_PORT', 465 ); define( 'WPMS_SSL', 'ssl' ); // Possible values '', 'ssl', 'tls' - note TLS is not STARTTLS. define( 'WPMS_SMTP_AUTH', true ); define( 'WPMS_SMTP_USER', 'username@gmail.com' ); // SMTP authentication username, only used if WPMS_SMTP_AUTH is true. define( 'WPMS_SMTP_PASS', 'password generated by Google' ); define( 'WPMS_SMTP_AUTOTLS', true ); =====Author Comments===== The blog supports multiple authors and by default, Wordpress emails an author whenever one of their posts gets a comment. If you'd like to disable author comment emails but keep the moderator emails, there's a simple fix: '''Just go to wp-admin/options.php and set 'comments_notify' to 0.''' (See https://codex.wordpress.org/Option_Reference) More complicated methods involve writing your own plugin [https://wordpress.stackexchange.com/questions/150125/disabling-comment-notifications-for-post-author] to refine wp_new_comment_notify_postauthor[https://developer.wordpress.org/reference/functions/wp_new_comment_notify_postauthor/] or changing the hooks[https://developer.wordpress.org/reference/hooks/notify_post_author/] used in wp-includes/comment.php: $maybe_notify = apply_filters( 'notify_post_author', $maybe_notify, $comment_ID ); ====Social Media Integration==== Getting the social media icons on the menu and correctly linked up is very straight forward. Follow the [https://wordpress.org/support/article/twenty-fifteen/#add-social-icons guide for twenty-fifteen], which also works for 2020. Getting some share buttons was more problematic, particular as my planned social media usage is somewhat atypical (Twitter, LinkedIn, and Reddit, really in reverse order), and because I don't want to pay anything.  The free version of [https://revive.social/plugins/revive-old-post/ Revive Old Posts] lets you push content to Twitter and Facebook, but they want you pay to push to LinkedIn. The best free options seem to be:*[https://wordpress.org/plugins/add-to-any/ AddToAny Share Buttons] - Integrates with Google Analytics*[https://wordpress.org/plugins/simple-social-icons/ Simple Social Icons] - The simplest option*[https://wordpress.org/plugins/shared-counts/ Shared Counts] -- Counts hits (but using a 3rd party for data?)*[https://wordpress.org/plugins/wordpress-social-login/ WordPress Social Login] - if you want users to log in using their SM accounts (note: has a bimodal ratings distro)*[https://wordpress.org/plugins/jetpack/ JetPack] -- The plugin used by wordpress.com for this functionality. The free version should suffice, but this thing is a monster. It also uses an account on the wordpress.com cloud, which is a pain for those who are self-hosting. I went with AddToAny, as it had the most installations, is entirely open-source, and offers all the functionality I need. ====Avoiding JetPack==== I tried to add a profile picture, but by default, WordPress uses [https://en.gravatar.com/ Gravitar], which, surprise, surprise, links to your WordPress.com account... and to add a self-hosted site, you have to install JetPack. At this point, I felt harassed and doubly so because I didn't install JetPack and yet, some how, the profile picture correctly updated from the one I'd posted on Gravitar. What the hecK? ===SEO=== I used Site Kit plugin for wordpess, and for mediawiki I made a sitemap to submit to Google. See https://www.mediawiki.org/wiki/Manual:GenerateSitemap.php In mediawiki: mkdir sitemap php maintenance/generateSitemap.php --memory-limit=50M --fspath=/var/www/html/mediawiki/sitemap/ --identifier=edegancom --urlpath=/sitemap/ --server=https://www.edegan.com --compress=yes Then submit it to Google... I did this by making an alias in apache2.conf from sitemap to /var/www/html/mediawiki/sitemap/, then submitting https://www.edegan.com/sitemap/sitemap-index-edegancom.xml #in retrospect, I wish I'd used an identifier with 'wiki' in it but what the hey. And with that success behind you, install Google XML Sitemaps on Wordpress, chose some settings (on Settings -> XML-Sitemap), and then post the URL to Google: https://www.edegan.com/blog/sitemap.xml It seems Yoast already builds a sitemap, you just need to submit to it Google... (I uninstalled XML Sitemaps): https://www.edegan.com/blog/sitemap_index.xml ===HTTPS=== To set up HTTPS using Let's Encrypt, see https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-20-04/ Install it and make some directories... apt update apt install certbot openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 takes ~20 secs mkdir -p /var/lib/letsencrypt/.well-known chgrp www-data /var/lib/letsencrypt chmod g+s /var/lib/letsencrypt Set up the config files vi /etc/apache2/conf-available/letsencrypt.conf Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/" <Directory "/var/lib/letsencrypt/"> AllowOverride None Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require method GET POST OPTIONS </Directory>  vi /etc/apache2/conf-available/ssl-params.conf SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 SSLHonorCipherOrder off SSLSessionTickets off SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" Header always set Strict-Transport-Security "max-age=63072000" Enable some apache2 mods! a2enmod ssl a2enmod headers a2enconf letsencrypt a2enconf ssl-params sudo a2enmod http2 systemctl reload apache2
===HTTPS===Run certbot! certbot certonly --agree-tos --email ed@edegan.com --webroot -w /var/lib/letsencrypt/ -d edegan.com -d www.edegan.com Note that I needed an @ entry in my A record for edegan.com pointed to my IP address to get the main challenge to succeed.
To Then set up HTTPS using Let's Encrypt, see https:a new apache2 config file (in /etc/linuxize.com/post/secure-apache): mv sites-withavailable/000-letdefault.conf sites-savailable/000-encrypt-on-ubuntudefault.conf.bak vi sites-20-04available/edegan.com.conf <VirtualHost *:80>Install it and make some directories ServerName www.edegan.com ServerAdmin ed@edegan.com Redirect permanent / https://www.edegan.com/ apt update</VirtualHost> apt install certbot<VirtualHost *:443> ServerName www.edegan.com Protocols h2 http/1.1 DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLCertificateFile /etc/letsencrypt/live/edegan.com/fullchain.pem openssl dhparam -out SSLCertificateKeyFile /etc/sslletsencrypt/live/certsedegan.com/dhparamprivkey.pem 2048 takes ~20 secs # Other Apache Configuration mkdir -p Alias /wiki /var/libwww/html/letsencryptmediawiki/index.well-knownphp RewriteEngine On chgrp www-data RewriteRule ^/*$ %{DOCUMENT_ROOT}/varmediawiki/libindex.php [L] </letsencryptVirtualHost> chmod g+ln -s sites-available/varedegan.com.conf sites-enabled/lib/letsencryptedegan.com.conf systemctl reload apache2
Set up the config files vi Test it by going to https:/etc/apache2/conf-available/letsencryptwww.conf Alias /ssllabs.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/" <Directory "/var/lib/letsencryptcom/"> AllowOverride None Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require method GET POST OPTIONS <ssltest/Directory>
vi Finally, edit /etc/apache2cron.d/confcertbot and append the following to the last line (after -available/ssl-params.confrenew): SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHErenew-RSA-AES256-GCM-SHA384 SSLHonorCipherOrder off SSLSessionTickets off SSLUseStapling On SSLStaplingCache hook "shmcb:logs/ssl_stapling(32768)" SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pemsystemctl reload apache2" Header always set Strictcertbot renew -Transport-Security "maxdry-age=63072000"run Tests the renewal!
Enable some apache2 mods! a2enmod ssl a2enmod headers a2enconf letsencrypt a2enconf ssl-params sudo a2enmod http2 systemctl reload apache2====PDFEmbed Issue====
Run certbot! certbot certonly --agree-tos --email ed@edeganEnabling and requiring HTTPS causes an issue with PDFEmbed on mediawiki, where you get a blank frame. The PDF is still there, other images load fine, but the PDF frame won't render the PDF.com --webroot -w The problem is actually that the PDF is served with HTTP and the rest of the page is served with HTTPS, and Chrome (and perhaps other browsers) don't render the insecure content as a consequence (see [https:/var/lib/letsencrypt/ -d edegan.com -d www.edeganmediawiki.com Note that I needed an @ entry in my A record org/wiki/Topic:Uhgnq0wbmzfurbj0] for edegana description of the symptoms, but not the solution.com pointed to my IP address to get the main challenge to succeed).
Then set up a new apache2 config file (in The solution is to edit mediawiki/etcextensions/apache): mv sites-availablePDFEmbed/000-defaultPDFEmbed.conf sites-available/000-defaulthooks.confphp.bakFor me it was line 103 that previously said: vi sites'src' => $file-available/edegan>getFullUrl().com'#page='.conf$page, <VirtualHost *I changed this line to:80 'src' => ServerName wwwpreg_replace("/^http:/i", "https:", $file->getFullUrl()).edegan'#page='.com$page, ServerAdmin ed@edegan.com Redirect permanent / This is mentioned in a comment on a topic page, though presumably for an earlier version: https://www.edeganmediawiki.comorg/wiki/Topic:Syxow0why4c0cvvm </VirtualHost> ===Install VSFTPD=== <VirtualHost *:443> ServerName wwwWith the security restrictions on wordpress, I now need an FTP server to get files for themes, plugins, etc.edeganI like VSFTPD, as its simple, secure, and has a nice standalone config.com Protocols h2 http/1Old documentation on an earlier install on the old [[Wordpress Blog Site (Tool)]] page.1 DocumentRoot Instructions are here: https:/var/wwwlinuxconfig.org/htmlhow-to-setup-ftp-server-on-ubuntu-20-04-focal-fossa-linux ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined apt-get install vsftpd SSLEngine On SSLCertificateFile cp /etc/letsencryptvsftpd.conf /live/edegan.cometc/fullchainvsftpd.pemconf_orig SSLCertificateKeyFile vi /etc/letsencrypt/live/edeganvsftpd.com/privkey.pemconf #Change the following write_enable=YES local_umask=022 ssl_enable=YES # Other Apache ConfigurationAdd the following (forces ssl) Alias /wiki /var/www/html/mediawiki/index.php allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES RewriteEngine On ssl_sslv2=YES RewriteRule ^/*$ %{DOCUMENT_ROOT}/mediawiki/index.php [L] ssl_sslv3=YES </VirtualHost> ln -s sites-available/edegan.cometc/init.conf sites-enabledd/edegan.com.conf systemctl reload apache2vsftpd restart
Test Then add a user and set it by going to httpsup: useradd -m blog passwd blog usermod -a -G www-data blog usermod -d /var/www/html/blog blog Test it: ftp 127.ssllabs0.com/ssltest/0.1 sftp 127.0.0.1
Finally, edit See also: *http://praveen.kumar.in/2009/05/31/setting-up-ftps-using-vsftpd-for-wordpress-plugins-auto-upgrade/*https:/etc/cronaskubuntu.dcom/questions/14371/certbot and append how-to-setup-ftp-to-use-in-locally-hosted-wordpress To address some of the issues with the following FTP server's file permissions in wordpress add to wp-config.php: define( 'WP_CONTENT_DIR', 'wp-content' ); define( 'FTP_BASE', '/var/www/html/blog/' ); If I chmod blog:blog /var/www/html/blog then everything seems to work find when I sftp but wordpress is unable to create a directory... I can't work out why this is happening. I expect it has to do with the last line need for another wordpress specific define(after ) statement, but I'm spending too much time on it. So I'm going to use direct installation of plugins instead, and remove the FTP server as it is a point of vulnerability. apt-renewget remove vsftpd userdel blog ===Final Configuration Changes=== Lock down apache somewhat further (as now there are directories that shouldn't be listable, etc.): cd /etc/apache2 vi apache2.conf #Change the directory definitions. Notes that if -SomeOption is used then other options must have + or -renewin front of them: <Directory /var/www/html> Options -hook "Indexes +FollowSymLinks AllowOverride All Require all granted </Directory> systemctl reload apache2" certbot renew #To debug: systemctl status apache2.service ====Remove the debug setup==== In the wiki (LocalSettings.php), comment the debug lines (I can't see when I added them from the documentation, but if you want to see error messages during the config, you'd want them uncommented): #error_reporting( --dry-run1 ); #ini_set( 'display_errors',1 ); #$wgShowExceptionDetails = true; #$wgShowDBErrorBacktrace = true; #$wgShowSQLErrors = true;  Tests Check the renewal!permissions set using $wgGroupPermissions - see https://www.mediawiki.org/wiki/Manual:User_rights
====PDFEmbed Issue====Run all the updates to the blog, etc., from the consol before locking it down. Then in wp-config.php, lock down the ability to install plugins, etc., by commenting: #define('FS_METHOD','direct');
Enabling and requiring HTTPS causes an issue with PDFEmbed on mediawiki, where you get a blank frame. The PDF is still there, other images load fine, but the PDF frame won't render Edit the PDF. The problem is actually that the PDF is served with HTTP and the rest of the page is served with HTTPS, htaccess files in blog and Chrome (and perhaps other browsers) don't render the insecure content as a consequence (see [https://www.mediawiki.org/wiki/Topic:Uhgnq0wbmzfurbj0] for a description of the symptoms, to allow access but not the solution.)with appropriate restrictions.
The solution is to edit mediawikiNote that the rewrite rules for the blog are in its .htaccess file <IfModule mod_rewrite.c> RewriteEngine On RewriteBase /extensionsblog/PDFEmbed/PDFEmbed.hooks RewriteRule ^index\.php. For me it was line 103 that previously said:$ - [L] RewriteCond %{REQUEST_FILENAME} !-f 'src' => $fileRewriteCond %{REQUEST_FILENAME} !->getFullUrl()d RewriteRule .'#page='/blog/index.$page,I changed this line to:php [L] 'src' => preg_replace("</^http:/i", "https:", $file-IfModule>getFullUrl()).'#page='.$page,
This To make the blog the default, edit /etc/apache/sites-available-edegan.com.conf, add an alias (don't alias to index.php as it will cause design issues, the rewrite rule for that is mentioned already in a comment on a topic page, though presumably for an earlier version: httpsthe .htaccess file!): Alias /blog /var/www.mediawiki.org/wikihtml/blog/Topic:Syxow0why4c0cvvm
===Install VSFTPD===And change: RewriteRule ^/*$ %{DOCUMENT_ROOT}/mediawiki/index.php [L]
With the security restrictions on wordpress, I now need an FTP server to get files for themes, plugins, etc. I like VSFTPD, as its simple, secure, and has a nice standalone config. Old documentation on an earlier install on the old [[Wordpress Blog Site (Tool)]] page. Instructions are here: httpsTo: RewriteRule ^/*$ %{DOCUMENT_ROOT}/blog/linuxconfigindex.org/how-to-setup-ftp-server-on-ubuntu-20-04-focal-fossa-linuxphp [L]
apt-get install vsftpd cp /etc/vsftpd.conf /etc/vsftpd.conf_orig vi /etc/vsftpd.conf #Change the following write_enable=YES local_umask=022 ssl_enable=YES #Add the following (forces ssl) allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES /etc/init.d/vsftpd restart Then add a user and set it up: useradd -m blog passwd blog usermod -a -G www-data blog usermod -d /var/www/html/blog blogsystemctl reload apache2
Test itNote: ftp 127.0.0.1 sftp 127.0.0.1 See also: *http://praveen.kumar.in/2009/05/31/setting-up-ftps-using-vsftpd-for-wordpress-plugins-auto-upgrade/*https://askubuntu.com/questions/14371/how-Don't change the DocumentRoot to-setup-ftp-to-use-in-locally-hosted-wordpress To address some of the issues with the FTP server's file permissions in wordpress add to wp-config.php: define( 'WP_CONTENT_DIR'blog, 'wp-content' ); define( 'FTP_BASE', '/var/www/html/blog/' ); If I chmod blog:blog /var/www/html/blog then everything seems to work find when I sftp but wordpress is unable to create a directory... I can't work out why as this is happening. I expect it has to do with will destroy the need for another wordpress specific define() statement, but I'm spending too much time on it. So I'm going to use direct installation design of plugins instead, and remove the FTP server as it is a point of vulnerabilitywiki. apt-get remove vsftpd userdel blogThe last rewrite rule will decide the default site!
==Old machines==

Navigation menu