Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Wordpress debian repository or latest from wordpress site

Here you can discuss every aspect of Debian. Note: not for support requests!
Post Reply
Message
Author
cuchumino
Posts: 48
Joined: 2015-10-09 20:09

Wordpress debian repository or latest from wordpress site

#1 Post by cuchumino »

Hello all!

I've deployed a Wordpress instance using the wordpress package in the stable (stretch) repos.

I installed it on a cloud instance last night using Nginx. I'm glad that it's up and running as I enjoy and trust Debian's security updates that come from the project.

I have been testing out my installs before putting them in production by spinning up a VM on my main computer, simulating any changes that I would or would not make, and verify it works/doesn't take anything down.

I'm running into an issue, though I'm not sure if it's my issue, or if the WP package is not intended to be used this way. It seems that it's not fetching correctly any external plugins. On loading the Wordpress Debian Stretch package, it recommends some updates that are available for installed plugins and themes. None seem to install correctly on enabling the updates to happen, and it seems that something gets messed up on trying to update the wordpress themes, for example.

Which leads me to ask a couple of questions.

1) Am I doing something wrong? Might I have some file permissions wrong? Or it's simply not the way to manage themes from the Debian repo version of Wordpress?

current file permissions in /usr/share/wordpress are all set to www-data group and user:

Code: Select all

$ ls -lat /usr/share/wordpress
total 180
drwxr-xr-x   5 www-data www-data  4096 Feb 15 22:32 .
drwxr-xr-x 135 root     root      4096 Feb 15 22:17 ..
-rw-r--r--   1 www-data www-data  7413 Feb 15 22:14 readme.html
lrwxrwxrwx   1 www-data www-data    21 Feb 14 20:03 wordpress -> /usr/share/wordpress/
drwxr-xr-x   5 www-data www-data  4096 Feb 14 20:00 wp-content
drwxr-xr-x  18 www-data www-data 12288 Feb 14 20:00 wp-includes
drwxr-xr-x   9 www-data www-data  4096 Feb 14 20:00 wp-admin
lrwxrwxrwx   1 www-data www-data    23 Jan  4 02:19 .htaccess -> /etc/wordpress/htaccess
-rw-r--r--   1 www-data www-data  5706 Jan  4 02:19 wp-activate.php
-rw-r--r--   1 www-data www-data  2381 Jan  4 02:19 wp-config.php
-rw-r--r--   1 www-data www-data   418 May 17  2017 index.php
-rw-r--r--   1 www-data www-data   364 May 17  2017 wp-blog-header.php
-rw-r--r--   1 www-data www-data  1627 May 17  2017 wp-comments-post.php
-rw-r--r--   1 www-data www-data  2853 May 17  2017 wp-config-sample.php
-rw-r--r--   1 www-data www-data  3286 May 17  2017 wp-cron.php
-rw-r--r--   1 www-data www-data  2422 May 17  2017 wp-links-opml.php
-rw-r--r--   1 www-data www-data  3301 May 17  2017 wp-load.php
-rw-r--r--   1 www-data www-data 33939 May 17  2017 wp-login.php
-rw-r--r--   1 www-data www-data  8048 May 17  2017 wp-mail.php
-rw-r--r--   1 www-data www-data 16255 May 17  2017 wp-settings.php
-rw-r--r--   1 www-data www-data 29896 May 17  2017 wp-signup.php
-rw-r--r--   1 www-data www-data  4513 May 17  2017 wp-trackback.php
-rw-r--r--   1 www-data www-data  3065 May 17  2017 xmlrpc.php
I've symbolic linked /usr/share/wordpress to /var/www/html/wordpress.

2) Given the vast majority of guides out there on setting up Wordpress on Debian Stretch which recommend installing the "latest.tar.gz" file out there directly from wordpress, would this actually be the best way to go about having the site installed?

Fortunately, there's no content yet, so I could just do a full wipe and reinstall from scratch.

Any recommendations?

Let me know if you guys would need any information that I may have not given.

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Wordpress debian repository or latest from wordpress sit

#2 Post by debiman »

i will try to respond with my personal experience running various blogging platforms or CMS on my server.
  • the CMS devs usually assume that you use their versions. there's no installation per se, you just unzip to your web root and take care of dependencies & setup yourself, following the wordpress wiki.
  • installing via apt might pose permission problems later on
  • i'm not sure how outdated stretch's wordpress is, and if debian applies the same security update philosophy as with system components
  • wordpress is well liked by attackers, they look for every possible security hole so hardening & updating is a must. not so much with other CMS's.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Wordpress debian repository or latest from wordpress sit

#3 Post by kedaha »

I use wordpress from Debian's main repository because I prefer the stable version and have an aversion to continual updates. I don't need anything fancy and just stick with the default themes but I did unzip one or two plugins from the upstream site.
I don't have much time at present but I'll try and give a more detailed reply later.
DebianStable

Code: Select all

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

cuchumino
Posts: 48
Joined: 2015-10-09 20:09

Re: Wordpress debian repository or latest from wordpress sit

#4 Post by cuchumino »

debman and kedaha, thanks for your replies. Appreciate the feedback as a brand new wordpress user on Debian.
kedaha wrote:I use wordpress from Debian's main repository because I prefer the stable version and have an aversion to continual updates. I don't need anything fancy and just stick with the default themes but I did unzip one or two plugins from the upstream site.
I see. This was what I was expecting to do in order to take advantage of Debian's security updates as well. I share the aversion of multiple locations or ways to update, and would rather have a single update point to update, preferably an apt-get update/upgrade.

I'll stay tuned for your more detailed reply as well kedaha.

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Wordpress debian repository or latest from wordpress sit

#5 Post by debiman »

@kedaha: do you think debian's security updates also apply to wordpress, notoriously insecure and under constant attack because so widely used?

User avatar
acewiza
Posts: 357
Joined: 2013-05-28 12:38
Location: Out West

Re: Wordpress debian repository or latest from wordpress sit

#6 Post by acewiza »

/usr/share/wordpress/ requires either the appropriate filesystem permission "and/or" plugin updates run by a user with said permissions.

Works either way. :wink:
Nobody would ever ask questions If everyone possessed encyclopedic knowledge of the man pages.

cuchumino
Posts: 48
Joined: 2015-10-09 20:09

Re: Wordpress debian repository or latest from wordpress sit

#7 Post by cuchumino »

Thank you for this information @acewiza! Very useful.

Also, to complement this information a little bit, the document I stumbled upon today `vim /usr/share/doc/wordpress/README.Debian.gz` is excellent and describes which permissions to use, as well as how to Alias the `wp-content` folder in Apache to be able to upgrade external themes and plugins. I'm using NGINX to serve this, but the concept is the same.

The README also addresses setting up multi-site. Which I'm going to try to take a stab at later on, as I may plan to use 2 separate domains for 2 separate wordpress sites. But that's a project once I get the first one up and running correctly

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Wordpress debian repository or latest from wordpress sit

#8 Post by kedaha »

debiman wrote:@kedaha: do you think debian's security updates also apply to wordpress, notoriously insecure and under constant attack because so widely used?
As a user I follow the recommendation to use official packages. With regard to security, all I have to go on is the information provided by the Debian package maintainer, who could surely provide an informed answer to this question. If the onslaught of wordpress vulnerabilities is such that these can't be fixed in a timely manner, this would certainly go against the usual rationale for using official packages in preference to upstream versions. I'm not an expert in matters of security but I'd hazard a guess that another good reason for using wordpress from Debian is this:
Amongst other things, it [/usr/share/doc/wordpress/README.Debian] explains the great way that the Debian WordPress package utilises the WordPress wp-config.php framework, and more importantly, how to handle the infamous "themes" and "plugins" directories in a WordPress install. The key point is that by symlinking under /var/lib/wordpress, users better abide by the FilesystemHierarchyStandard, and can use the in-app upgrade mechanisms of WordPress to upgrade plugins and themes, without clobbering the package, and risking server security.
DebianStable

Code: Select all

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

User avatar
dilberts_left_nut
Administrator
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Wordpress debian repository or latest from wordpress sit

#9 Post by dilberts_left_nut »

Plenty of other packages have been dropped because of security non-maintainability (owncloud, joomla etc. where upstream changes were not readily backportable by the debian maintainers).

My thoughts are that if Debian Security team is responsible for a package, I can spend less time worrying about it ;).
AdrianTM wrote:There's no hacker in my grandma...

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Wordpress debian repository or latest from wordpress sit

#10 Post by debiman »

^ & ^^ ok, thanks for additional info/opinion.

if i ever decide i want to use wordpress, it's good to know that i can use a debian package.

Post Reply