
AWS WordPress setup – Easy step-by-step guide to setting up Lightsail WordPress on AWS (2020)

AWS WordPress setup – Essential configuration

AWS WordPress setup with Lightsail is quite straightforward but it can require hunting around for instructions because the documentation is a bit all over the place. In this guide we’ve gathered together all the instructions for AWS WordPress setup covering the basic configuration and some essential security.

Other articles in this course cover other aspects of how to set up WordPress on AWS. Each guide covers one part of the overall setup to keep things simple.

In this guide we will

  1. Create a Lightsail WordPress server
  2. Assign a static public IP address
  3. Make the AWS WordPress server available on your domain
  4. Get the admin user password
  5. Remove the Bitnami advertising banner
  6. See how to check and control the server status
  7. Manage admin user accounts
  8. Make an important change to improve the security of your WordPress server
  9. Clean up the default AWS WordPress environment
  10. Update AWS WordPress

You will need an AWS account already, and we will assume that you have registered a domain in AWS Route 53. If you don’t have either of those, you can find guides elsewhere in this AWS WordPress course.

As always with AWS, you should take care to ensure that you understand AWS pricing and that only you are responsible for any bills you incur.

Create a Lightsail WordPress server

The page to create a new AWS Lightsail instance is here.

Select your instance location

It is important to make sure that the “AWS Region and availability zone” is the one closest to where you expect most of your traffic to come from. Under “Instance location” click “Change AWS Region and Availability Zone” to see the options.

If you expect that your traffic will be quite evenly split between Europe and the US, then pick the region closest to you.

Pick your instance image

  1. Choose Linux/Unix (Windows is more expensive)
  2. Select “Apps + OS” and choose WordPress

Don’t choose WordPress Multisite unless you know what you are doing and are sure you have a need for Multisite. If you plan to have two or more different WordPress sites with different themes that aren’t all part of the same overall business, then you do not want to use Multisite.


Choose your instance plan

Unless you know you have high traffic, pick the cheapest instance. If you’re on the free tier you only get the first month free on the cheapest instance.

Name your instance

Take the time to give it a sensible name rather than the default. Ideally use a number in the name as well. There will come a time when you have other instances for different sites or when expanding the site to use a load balancer. I suggest using your domain name plus the number 1 for your first server.

When you’re ready, click create instance.


Assign a static public IP address

A new instance will appear on your AWS Lightsail home page and initially the status will be “pending”. After a minute or two it should change to “running”, and you can click through to the instance management view.

On the instance management view you will see that your server has a public IP. However, this is not fixed. If you stop and restart your server, the IP address may change. If in the future you need to restore your WordPress server from a snapshot, a new instance will be created and you won’t be able to reuse the IP.

You need a static IP which will never change while it is associated with your account. That way you can control the IP used for your server and not lose it. For example, if you create a new instance by restoring a snapshot, you can then move your static IP over to that restored instance and the outside world won’t know the difference.

Create a static IP address

  1. Click on the Networking tab
  2. Click create static IP
  3. Check that the region is the same as your server and change if necessary
  4. Pick your server instance under “attach to an instance”
  5. Give it a name – I suggest using the same name as your server plus the letter A
  6. Click create
  7. You’ll then see that it is attached to your server instance and you can click on the instance name to go back to the management screen.

Your server is now running and is available on your public IP. Go to the IP in a browser and you’ll see the default home page for your new server. Don’t worry about what it looks like, it’s just a default installation. If you want to know how to design a really nice WordPress site then check out the other articles in this course.

Make the AWS WordPress server available on your domain

Before we go any further, let’s get your new AWS WordPress setup available on your domain name. It’s helpful to do this now because when you start doing things with user accounts and bookmarks it will all be based on your domain name.

Here’s how to do it if your domain name is registered in AWS Route 53. If you’re using a different DNS provider for your domain name then you need to create an Alias record pointing to your server’s public IP address. In Route 53:

  1. Go to the Route 53 dashboard and select the Hosted Zone for your domain
  2. Click “Create record set”
  3. Over to the right in the new record set, leave name blank
  4. Enter your public IP address in the “Value” box
  5. Click create

Next, repeat the above but this time enter www in the name box. You should now have two record sets, each an Alias pointing to your static IP, one for www.example.com and one for example.com.

It may take a few minutes for your DNS settings to propagate. Type your domain name into your browser and refresh until your WordPress site appears. Check with and without the www. prefix.


Get the AWS WordPress admin user password

To complete your AWS WordPress setup on Lightsail you are going to need to be able to log in. Here’s how you get your admin user password.

  1. From the instance management screen, click on Connect using SSH
  2. In the window that opens, enter the following command and hit return – cat bitnami_application_password
  3. Copy the password shown and keep it safe somewhere

Remove the Bitnami advertising banner

Looking at the page being served from your new AWS WordPress instance you will see a Bitnami logo in the bottom right corner. While you’re still connected via SSH we’ll get rid of that.

  1. Enter the following command – sudo /opt/bitnami/apps/wordpress/bnconfig --disable_banner 1

See how to check and control the server status

While you’re still in the SSH console, here are two useful commands you will need to know.

Check AWS Lightsail server status

Enter the command sudo /opt/bitnami/ctlscript.sh status

You will see output something like:

php-fpm already running
apache already running
mysql already running

Those are the three components of your WordPress server – PHP, Apache, and MySQL.

Restart AWS WordPress

You will often need to restart Apache to pick up configuration changes during your AWS WordPress setup. Here’s the command you need:

sudo /opt/bitnami/ctlscript.sh restart apache

Change apache to mysql or php-fpm if you need to restart one of those, or restart everything by leaving off the “apache” part.

Feel free to try it now. It will take a minute or so for your WordPress server to come back online.

Manage admin user accounts

This is really important.

Most people would be horrified to know how many hacking attempts happen on the internet every minute of every day. Even most IT professionals would be surprised to see how many attempts there are to log into WordPress servers all day long.

It’s easy to feel unworried by this. If you’ve just this minute turned on your first WordPress server, for a domain you’ve only just bought, and you haven’t published even a single post yet, and nobody knows about your site, and there is nothing on your site that anyone would want, then surely nobody in their right mind is going to know that your server exists, and they certainly won’t waste time trying to hack in. Right?

Wrong.

There are bots scouring the internet all day long looking for WordPress servers. There are millions of WordPress servers across the internet. Those bots know what a default WordPress installation looks like, where the login page is, what the default usernames often are, and have lists of compromised passwords.

Your WordPress server will be discovered within an hour of going online and bots will start trying to login using well-known usernames and compromised passwords.

But why hack you? You have no valuable information.

If a hacker gains access to your site they can do lots of things that they consider very valuable.

They can install software that can later be triggered to lock you out of your site and threaten you with permanent destruction unless you pay them some bitcoin, at which point they destroy your site anyway.

They can install code that redirects any of your visitors to other compromised sites that attempt to install malware.

They can install code that runs on your site mining cryptocurrency.

They can install code that intercepts logins and steals passwords from you and your users, which they can then use to try logging into email services, banks, Amazon, and so on. This is why you should use a good password manager and never reuse passwords on different accounts.

A first step, though not enough on its own, is to change the default user.

  1. Go to http://example.com/wp-login.php in a browser (using your domain name instead of example.com)
  2. Log in with the default user password you obtained earlier, and the username user
  3. In the right-hand side menu, go to Users
  4. Click Add new
  5. Enter your chosen username and your email address
  6. Enter your names if you wish
  7. Uncheck the “Send user notification” box because we don’t have email setup yet and it will stop you creating a new user
  8. Change the user role from Subscriber to Administrator
  9. Click on “Show password” and you’ll see an automatically generated password. You can use this or you can enter your own password.
  10. Click Add new user

It’s vital that you use a strong password that you don’t use on other services and which hasn’t ever been compromised.

If you’ve never done it before, I strongly advise checking your email address on https://haveibeenpwned.com/ to see if any of your passwords have ever been leaked in hacks. https://haveibeenpwned.com/ is a legit site. You will probably be horrified to discover how many times your email address and password have been leaked in hacks of hundreds of websites.

Never re-use an email and password combination that appears in the Have I Been Pwned lists. WordPress servers are a top target for hacking bots and you will eventually be hacked if you use a compromised email and password combination.

You have been warned.

Now that you’ve created your new user account, we can delete the default user account:

  1. Log out
  2. Log back in using your new user account
  3. Go back to the Users menu
  4. Delete the default “user” account

Make an important change to improve the security of your WordPress server

Unfortunately, just changing the user name and having a strong password is not enough. It won’t even stop bots attempting to login. Bots are smart enough to find your username because it appears on the posts that you create and can be accessed by well-known WordPress API calls.

Bots will also guess usernames and passwords based on your domain name.

Within as little as an hour after turning on your WordPress server, bots will find it and start trying to login. Say your domain name is example.com. Bots will start trying to log in with username and password combinations like these:

  • user user
  • user password
  • user example
  • example example
  • example admin
  • example examplelogin
  • user examplepwd
  • manager example.com

And so on. They’ll try hundreds of combinations like that, using default user names, common user names, compromised passwords, and well-known patterns that people use to make passwords.

If your domain is example.com then example1234 is not a secure password. Nor is elpmaxe. Nor is 3x4mpl3. The bots know all these common patterns. Use a password generator and make a strong password.
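The patterns above can be checked mechanically before you accept a password. This is an added example, not part of the original guide; the function names, the substitution table and the word list are assumptions chosen for illustration.

```python
import re

# Undo common character substitutions before comparing ("3x4mpl3" -> "example").
LEET = str.maketrans("013457@$!", "oleastasi")
# Default and common words seen in the login attempts listed above.
COMMON = {"user", "admin", "password", "manager", "login", "pwd"}


def site_label(domain):
    """'www.example.com' -> 'example' (first label after an optional www)."""
    labels = [p for p in domain.lower().split(".") if p and p != "www"]
    return labels[0] if labels else ""


def letters(text):
    """Lowercase the text and drop everything except a-z."""
    return re.sub(r"[^a-z]", "", text.lower())


def weak_reasons(password, domain, username=""):
    """Return the reasons a password is guessable from the site's own details."""
    label = letters(site_label(domain))
    # Compare both the plain letters and the letters after undoing substitutions.
    variants = {letters(password), letters(password.lower().translate(LEET))}
    reasons = []
    # Very short labels would match almost anything, so skip them.
    if len(label) >= 3:
        if any(label in v for v in variants):
            reasons.append("contains the domain name")
        if any(label[::-1] in v for v in variants):
            reasons.append("contains the domain name reversed")
    if username and letters(username) in variants:
        reasons.append("same as the username")
    if variants & COMMON:
        reasons.append("is a common default word")
    return reasons


if __name__ == "__main__":
    for candidate in ["example1234", "elpmaxe", "3x4mpl3", "T9v#qLw2Zr!8mKd"]:
        print(candidate, weak_reasons(candidate, "example.com"))
```

An empty list only means the password is not derived from your domain or username. It says nothing about length or whether the password has appeared in a breach.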

Even with a strong password we still don’t want bots grabbing the handle of our front door and trying to open it all day long. The bots all know that to log into WordPress you go to /wp-login.php. We can change that to somewhere they don’t know about.

  1. In the right hand menu go to Plugins and choose Add new
  2. In the top right search box, type WPS hide Login
  3. Find the WPS hide Login plugin by WPServeur (which should have over 500,000 installations) and click Install Now
  4. When the button changes to Active, click it to activate the plugin
  5. Go to Settings, General from the right-hand menu
  6. Scroll down to the WPS Hide Login section
  7. Enter a value for your new login path
  8. Click Save changes

For your new login path, pick something meaningful to you but not guessable. For example use your middle name or your pet’s name or your house number. You can use a random set of characters, but it’s not essential. Changing this path is just a way to stop bots finding it. A bot will know the standard path and may try obvious things like your domain name, but probably nothing else. If you’re not still on the default path you’re probably not still using default users and passwords so most bots will give up and move on.

Whatever you change it to, make absolutely sure that you bookmark your new login path and write it down somewhere safe. You won’t have any way to discover it again if you forget it.
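To see how often bots are trying the login page on your own server, you can count login POSTs per client in the Apache access log. This is an added example, not part of the original guide; it assumes the log is in Apache “combined” format, and the sample lines, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = """\
203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2020:10:01:04 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2020:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2020:10:05:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2020:10:06:00 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
""".splitlines()


def login_posts(lines, login_path="/wp-login.php"):
    """Yield (ip, status) for every POST to the login path."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == login_path:
            yield ip, int(status)


def summarize(lines, threshold=3, login_path="/wp-login.php"):
    """Return (attempts per IP, IPs at or over threshold, IPs that got a 302)."""
    posts = list(login_posts(lines, login_path))
    attempts = Counter(ip for ip, _ in posts)
    noisy = sorted(ip for ip, n in attempts.items() if n >= threshold)
    # WordPress normally answers a failed login with 200 and a successful
    # one with a 302 redirect, so a 302 from an unknown IP needs a closer look.
    redirected = sorted({ip for ip, status in posts if status == 302})
    return attempts, noisy, redirected


if __name__ == "__main__":
    attempts, noisy, redirected = summarize(SAMPLE)
    print("attempts:", dict(attempts))
    print("repeated attempts from:", noisy)
    print("302 after login POST from:", redirected)
```

After changing the login path, pass your new path as `login_path` to review logins on it. The IPs in that list should be ones you recognise.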

Clean up the default AWS WordPress environment

This is optional, but I like to do some tidying up now. There are 3 things I like to clean up:

  1. Info displayed on the dashboard
  2. Unused themes
  3. Unused plugins

Browse to the main dashboard page for your site and you’ll see a whole load of info from various plugins. I like to get rid of this because it’s not useful to me.

Up near the top right you’ll see “Screen options”. Click the down arrow, then uncheck all the things you don’t want to see on your dashboard.

Now for unused themes. Go to Appearance, Themes from the side menu. There will be several. Unused themes take up space on your server (which increases the size of backups and the storage cost for snapshot backups) and cause annoying updates for themes you’re not using. Apart from the latest default theme, click on each theme and then click the “delete theme” link in the bottom corner.

Finally, unused plugins. The default AWS Bitnami installation comes with a load of plugins but you don’t need any of them. If there are ones you want to use, keep them. Otherwise I suggest removing them all so that you can start with a clean slate and gradually add only plugins that you need.

Click on Plugins, Installed plugins from the side menu. Select all except for your WPS Hide Login plugin. You should also keep the WP Mail SMTP plugin. If you don’t know that you definitely need a particular plugin, select it. If you need it in future it is easy to install.

Having selected all the plugins you don’t want, at the top of the page click “Bulk actions” then “Deactivate”, and press apply. Now choose bulk actions, delete and apply.

You’re now free of unused themes and unused plugins.

Update AWS WordPress

The final action in this initial AWS WordPress setup guide is to update WordPress and any themes or plugins you still have.

  1. From the side menu, choose Dashboard, Updates
  2. Follow any prompts to carry out updates

Note that when you update the WordPress software itself, you may have to refresh the page a couple of times to complete the update. If it looks like nothing is happening, just reload the page.

Next steps

Now we have an AWS WordPress setup but there are several important things we need to do to make it work properly.

Before we go any further, we’re going to make a backup and see how to configure automatic backups.

In the next article we’ll look at making snapshot backups in AWS Lightsail, and using a plugin to perform backups of the WordPress database, plugins, themes, and uploads.

It can be very easy to accidentally break your WordPress site. It can be very easy for plugins to cause problems with your site. If you got hacked your site could be destroyed.

It is essential that you continue to the next article, configuring backups in AWS WordPress.

2 thoughts on “AWS WordPress setup – Easy step-by-step guide to setting up Lightsail WordPress on AWS (2020)”

  1. This was awesome. I got a site migrated in much less time than I thought I would. Great tutorial. Thanks!
    One down, many more to do.
