WordPress One-Click Application Quickstart - what's going on here

January 14, 2019 1k views
Quickstart WordPress Ubuntu 18.04

I have been using your one click WP app for years now, starting with 14LTS to now 18LTS.

I use this for all of my WP setups because it is a decent setup that allows me to shave start up time.

Now you have added the Quickstart script and changed some of the default configuration in the vhosts. I would like to know how this is going to work with specific setups and what is happening with the setup.

Where is the $domain variable being pulled from, and how does that work?
How does this affect custom vhost configurations and setting up my own SSL? (I have sites that utilize wildcard SSL certs and subdomains that are created on the fly.)

Moving this into production without knowing more about what has changed is not responsible. I know the differences between 16 - 18 and where to get them, this new Quickstart though not so much.

I could investigate this more but hoping that someone can break it down for me or give me a link to more thorough documentation on the new Quickstart script.

Thanks!!

4 Answers
ryanpq MOD January 14, 2019
Accepted Answer

Hello. First, I apologize if the recent changes caused issues with your automation. The change that was made to the vhost file had two parts:

  • Rather than just using a default, the file uses the $domain variable as a placeholder for the FQDN to be used on the site. This is filled in by the interactive script triggered on the first login.

  • UseCanonicalName is now set in the configuration.

These changes were put in place to address CVE-2017-8295, which can allow an attacker to cause WordPress to send a password reset email, allowing the installation to be compromised.

Adding the interactive script also allowed us to add a prompt to kick off certbot automatically based on the FQDN provided.

It is possible to use cloud-init user data provided via the API or the option on the create page to get around this. The script that is run on first login is located at /opt/digitalocean/wp_setup.sh in the image. This bash script can be used as an example to write a user data script to fill in the variable and disable the script during first boot.

To do this in the most simple way you could use:

#!/bin/bash
sed -i "s/\$domain/[FQDN]/g"  /etc/apache2/sites-enabled/000-default.conf
a2enconf block-xmlrpc

service apache2 restart
cp /etc/skel/.bashrc /root

replacing [FQDN] with your domain. This snippet will:

  • write the domain in place of $domain in the vhost config
  • enable the xmlrpc.php block, which prevents some methods of attack
  • restart Apache to load the changes
  • copy the default .bashrc from skel back to the root user (the interactive script is otherwise called by .bashrc on first login)
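
An added example, not part of the original answer and not DigitalOcean's wp_setup.sh: helper functions for a user data script that validate the FQDN before substituting it for $domain, then confirm the vhost no longer contains the placeholder and pins the canonical name. The sample vhost layout, the `UseCanonicalName On` value, the `ServerName` line and all function names are assumptions.

```bash
#!/bin/bash
# Added example (not DigitalOcean's wp_setup.sh). Sample vhost below is constructed.

# Accept only a syntactically valid FQDN so nothing unexpected reaches sed.
valid_fqdn() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Replace the literal $domain placeholder in vhost file $1 with FQDN $2.
fill_domain() {
    valid_fqdn "$2" || { echo "refusing invalid FQDN: $2" >&2; return 2; }
    sed "s/\\\$domain/$2/g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 only if the placeholder is gone and the canonical name is pinned.
audit_vhost() {
    audit_rc=0
    if grep -q '\$domain' "$1"; then
        echo "FAIL: \$domain placeholder still present" >&2; audit_rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*UseCanonicalName[[:space:]]+On[[:space:]]*$' "$1"; then
        echo "FAIL: UseCanonicalName On not set" >&2; audit_rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]+' "$1"; then
        echo "FAIL: no ServerName directive" >&2; audit_rc=1
    fi
    return "$audit_rc"
}

# Constructed stand-in for 000-default.conf; the real file's layout is assumed.
write_sample_vhost() {
    cat > "$1" <<'EOF'
UseCanonicalName On
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

conf=$(mktemp)
write_sample_vhost "$conf"
audit_vhost "$conf" || echo "placeholder not filled yet"
fill_domain "$conf" "blog.example.com" && audit_vhost "$conf" && echo "vhost ready"
rm -f "$conf"
```

In a real user data script, point `fill_domain` and `audit_vhost` at /etc/apache2/sites-enabled/000-default.conf and restart Apache only when the audit returns 0.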

Hey friend,

Great questions. The one-click is more tailored to the new user who just wants to spin up a working system, or the advanced user who just wants to skip some steps and go straight to production. If you need to automate deployments it makes more sense to build your own deploy scripts. We may frequently update our one-click images to address software updates, vulnerabilities, new practices, or to address common misunderstandings that drive ticket volume. These can happen without notice, and we do not keep a public change-log (not against it, just not something we currently do), as they have no impact on previously deployed systems.

While there are other systems out there to assist in automating software deployments, we offer a function that can help you deploy direct from our control panel or API:

https://www.digitalocean.com/docs/droplets/resources/metadata/

We actually have an example for using this to deploy WordPress on Ubuntu 16 (shouldn't be much adjustment for 18):

https://github.com/digitalocean/do_user_scripts/blob/master/Ubuntu-16.04/cms/wordpress.sh

With that said, I'll ping @ryanpq and see if he can provide some answers about the current iteration of the WordPress one-click.

Jarland

Hi All,

No worries about the changes, although frustrating at times, change is a good thing!!

Thanks for the detailed response, I really appreciate it and will put this to good use.
