How do I host multiple WordPress sites on one Linode server?
I want to move my websites to my own Linode server to save costs. Since my knowledge isn't very advanced, I want to know what steps I need to take regarding actions, security, and other recommended server configurations in the right order.
I contacted support, and they provided me with a handful of guides.
Best Practices when Migrating to Linode: https://www.linode.com/docs/guides/best-practices-when-migrating-to-linode/
How to Migrate a WordPress.com Website to Linode: https://www.linode.com/docs/guides/migrate-a-wordpressdotcom-site-to-linode/
Set Up Apache to Run Multiple WordPress Sites on a Single Linode: https://www.linode.com/docs/guides/configure-apache-to-run-multiple-wordpress-sites-on-one-linode/
How do setup multiple WordPress Sites?: https://www.linode.com/community/questions/20456/how-do-setup-multiple-wordpress-sites
Thanks in advance guys.
3 Replies
Security:
Since your clients will need to access your hosted websites, your Linode will need to be Internet-facing which inherently increases your system/application surface for attack. Your very first step after deploying your Linode should be to properly secure it using multiple (if not all) of the methods linked below:
- Set up and secure a Compute Instance
- How to Use SSH Public Key Authentication | Linode Docs
- Getting started with Cloud Firewalls
- How to Configure a Firewall with UFW | Linode Docs
- How to Use Fail2ban to Secure Your Server (A Tutorial) | Linode Docs
When choosing firewalls, we typically do not recommend mixing system-local (UFW, iptables, etc.) with our Cloud Firewall unless you have a specific use case that will benefit from both. The order of operations for traffic which is allowed/blocked by Cloud Firewall (platform) versus UFW (local) is:
Local - UFW:
Inbound traffic reaches the host and is routed to your Linode, and then UFW either allows or blocks that traffic. Outbound traffic will be processed by UFW before being sent to the host for routing. UFW processing firewall rules and allowing/blocking traffic results in increased usage of your Linode's CPU/RAM.
Platform - Cloud Firewall:
Inbound traffic is processed by the firewall rules on the host; any traffic which is allowed is then routed to your Linode. Outbound traffic will egress your Linode for the host, after which point it will either be blocked or allowed to leave based on your rules. The processing of Cloud Firewall rules does not require the usage of system-local resources.
DNS & Webserver Configuration:
Then, once your Linode has been secured, you would want to begin migrating existing website data to your new system. Since DNS propagation is not immediate, you may want to consider updating any existing records or creating new ones simultaneously with this step:
Presumably, you would be creating separate domain entries for each individual website and then could CNAME alias www.$domain to each primary domain A/AAAA Record. I'm personally not familiar with WordPress, but as noted in the guide you had linked, you would handle multiple websites using NGINX Proxies or Apache Virtual Hosts:
- Use NGINX as a Reverse Proxy | Linode Docs
- Apache Configuration Basics | Linode Docs
- Apache Virtual Host documentation - Apache HTTP Server Version 2.2
Troubleshooting & Other Considerations:
Depending on the scale of your deployment and how critical uptime/availability is for your client base (hobby, small business, enterprise, etc.), you should consider the following:
Making your websites Highly Available or implementing Failover:
Adding a frontend NodeBalancer to increase service reliability:
Enabling our Backup Service and/or implementing supplemental backup strategies:
Troubleshooting issues with your Linode and applications:
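One way to produce the per-site Apache virtual hosts described in this reply, as an added example that is not part of the original reply or of Linode's guides. The `/var/www/<domain>/public_html` layout, the function names and the Debian/Ubuntu `${APACHE_LOG_DIR}` variable are assumptions.

```shell
#!/bin/sh
# Added example: emit one Apache virtual host per WordPress site.
# Assumed layout (not from the thread): $WEB_ROOT/<domain>/public_html
WEB_ROOT="${WEB_ROOT:-/var/www}"

# Accept only plain lowercase host names such as example.com, so a site name
# can never carry "../", whitespace, newlines or extra directives into a
# file name or into the generated configuration.
valid_domain() {
  case "$1" in
    ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the virtual host for one domain on stdout; return 1 on a bad name.
make_vhost() {
  domain="$1"
  valid_domain "$domain" || { echo "rejected site name" >&2; return 1; }
  cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $WEB_ROOT/$domain/public_html
    <Directory $WEB_ROOT/$domain/public_html>
        # WordPress permalinks rely on .htaccess rewrite rules
        AllowOverride All
        Require all granted
    </Directory>
    # One log pair per site keeps each site's traffic separately auditable
    ErrorLog \${APACHE_LOG_DIR}/$domain-error.log
    CustomLog \${APACHE_LOG_DIR}/$domain-access.log combined
</VirtualHost>
EOF
}

# write_vhosts OUTDIR domain...: write OUTDIR/<domain>.conf for each name.
# The name is validated before it is ever used as part of a path.
write_vhosts() {
  outdir="$1"; shift
  for d in "$@"; do
    valid_domain "$d" || { echo "rejected site name" >&2; return 1; }
    make_vhost "$d" > "$outdir/$d.conf"
  done
}
```

On Debian or Ubuntu the output directory would normally be `/etc/apache2/sites-available`, followed by `a2ensite` for each file and an Apache reload.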
Just to be clear, are you talking about the security of the server itself or WordPress… or perhaps both?
Unless you've a need to keep the sites separate, it's worth looking at configuring a WordPress Network (used to be called "Multisite") and then you only have the one installation to maintain.
The following is a good starting guide to securing WP. If you're the only administrator, you can lock down the file permissions (effectively making WP read-only apart from specific folders such as uploads) and only relax the permissions when you apply updates to WP.
https://developer.wordpress.org/advanced-administration/security/hardening/
Personally, I'd suggest using something like WPS Hide Login to change the WP login URL for all the sites and then use Fail2Ban+UFW to detect and block bad actors hitting the default login page. Installing something like WordFence gives you another layer of protection and optionally provides 2FA.
https://en-gb.wordpress.org/plugins/wps-hide-login/
https://en-gb.wordpress.org/plugins/wordfence/
No matter how much you do to secure your site, make sure you still plan for the worst-case scenario. Bare minimum, you want to be making occasional backups of your database and site content to somewhere other than the server itself so that you could rebuild from scratch if needed.
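The lock-down and relax-for-updates cycle suggested in the reply above, as an added example that is not part of the original post. It assumes the files are owned by your admin account and that the web server reaches them through group permissions; the function names and the exact modes are assumptions.

```shell
#!/bin/sh
# Added example: make a WordPress install read-only for the web server,
# except wp-content/uploads, and relax it again only while updating.

# wp_lock SITE_ROOT: owner keeps write access; group/other lose it everywhere
# except uploads, where the web server's group may still write media files.
wp_lock() {
  root="$1"
  [ -f "$root/wp-config.php" ] || { echo "not a WordPress root: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 640 "$root/wp-config.php"     # database credentials: no world read
  if [ -d "$root/wp-content/uploads" ]; then
    find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
    find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
  fi
}

# wp_unlock SITE_ROOT: let the group write everywhere so the WordPress updater
# can replace core, plugin and theme files. Run wp_lock again afterwards.
wp_unlock() {
  root="$1"
  [ -f "$root/wp-config.php" ] || { echo "not a WordPress root: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 775 {} +
  find "$root" -type f -exec chmod 664 {} +
  chmod 660 "$root/wp-config.php"
}

# wp_audit SITE_ROOT: list group- or world-writable paths outside uploads.
# Empty output means the site is locked; anything listed was left relaxed.
wp_audit() {
  find "$1" -path "$1/wp-content/uploads" -prune -o \
    \( -perm -020 -o -perm -002 \) -print
}
```

With several sites on one server, running `wp_audit` over every site root from cron shows which installs were left unlocked after an update.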
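The detection half of the Fail2Ban+UFW idea in the reply above, as an added example that is not part of the original post: once the real login page has been moved, any client that keeps requesting `/wp-login.php` stands out in the access log. The function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients that keep requesting the default WordPress
# login URL after the login page has been moved (e.g. with WPS Hide Login).

# Constructed Apache "combined" log lines (documentation IP ranges only).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:06:25:02 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:06:25:03 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Mar/2024:06:25:04 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:06:25:05 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.15 - - [10/Mar/2024:06:25:06 +0000] "GET /about/wp-login.php-howto/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Read a combined-format access log on stdin and print "COUNT IP" for every
# client with at least $1 (default 3) requests to /wp-login.php, busiest first.
wp_login_offenders() {
  awk -v min="${1:-3}" '
    $7 ~ /^\/wp-login\.php(\?|$)/ { hits[$1]++ }   # $7 is the request path
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# Turn that report into UFW commands, printed for review rather than executed.
# "insert 1" matters: UFW stops at the first matching rule, so a deny appended
# after the existing allow rules for ports 80/443 would never be reached.
ufw_deny_commands() {
  while read -r count ip; do
    case "$ip" in
      ''|*[!0-9.]*) continue ;;   # only IPv4 literals; skip anything else
    esac
    echo "ufw insert 1 deny from $ip"
  done
}
```

Against a live site the input would be that site's access log, for example `wp_login_offenders 3 < /var/log/apache2/access.log | ufw_deny_commands`; Fail2Ban automates the same match-count-ban loop and also expires the bans.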
Thanks @jhartman & @davepattern