codedefined.io

How to Make a Secure WordPress Site with AWS Lightsail

Introduction

Today, I’m going to explain how to set up a WordPress site with AWS Lightsail. This will be the exact same process I used for setting up this very website.

It’s never been more economical and easier to set up a blog than it is today. Not only is there an abundance of resources online about how to do it, but there are also more services than ever to help you get the site launched and hosted online.

With this excess choice, it can be hard to know which way to go.

You don’t need to know anything about WordPress or AWS to get something from this article, however. I’m going to assume no prior knowledge of anything.

What Services are Involved?

So, before we dive into the details of how to go about setting up a WordPress website with AWS Lightsail, let me give you a quick overview of the different services actually involved in this process:

WordPress

WordPress is a content management system. It makes the process of managing a website extremely simple.

AWS Lightsail

Lightsail is a service provided by Amazon Web Services (AWS), which is a cloud computing platform.

It provides the user with Virtual Private Servers (VPS) and also databases, containers, and more. This is what is going to host our WordPress instance.

Why do it this way?

Why should we even set up a site in this way?

It’s a good question. There are a number of reasons why this is an effective way to set up a website, whether it be a blog site, business site, or whatever. WordPress can cover all of these use cases.

Also, WordPress itself is FREE.

Furthermore, while AWS Lightsail is not free, it is very reasonably priced, especially when compared to other hosting services out there.

For example, I am paying $10 a month for hosting on Lightsail.

The first 3 months of which are free!

It also offers great flexibility in terms of the types of instances you can provision. If you’re going to need lots of memory for your site, then you can choose Memory from the options in the image above.

Now, combine this with WordPress – which as I mentioned is free – then you have a very cheap website while still retaining lots of flexibility in terms of management.

Creating a Site

With all that out of the way, let’s now talk about actually setting up a WordPress website with AWS Lightsail.

I’m going to take you through the steps I did when creating this site, but know that there are certain times when you may choose different options than me depending on the site you’re creating.

I will let you know when these options arise.

If you’re creating a blog site, you can pretty safely follow all of these steps verbatim.

Okay, let’s get going.

WordPress site with AWS Lightsail

Create an AWS Account

If you’re familiar with how to set up an AWS account then you can safely skip this step.

I’ve made a slightly more in-depth post on this topic here.

I’m just going to briefly explain the process, along with one quick best practice you should follow when making a new AWS account.

So, to get started, go to this link and click on “Create a new AWS Account” at the bottom.

So, here, we’re going to choose the root user of the account. For this, you’ll need to provide an email address and account name.

As part of the best practice procedure I’m going to show you, we’re going to need a few email addresses. To save you from having to set up multiple email accounts, here’s a little trick.

You can add a “+XYZ” to the end of your email to customize it.

For example, “adamherd@gmail.com” could be an email I would use. But I can change it to something like:

Now, these two emails don’t require any extra setup. They are linked to the original email “adamherd@gmail.com”. And any emails received to these addresses will be redirected to that base email.

The great thing is though, AWS will treat these as separate accounts. So you can use them to set up multiple AWS accounts, all of which will receive emails to the same base account.

This eliminates overhead on your end having to manage multiple emails for multiple accounts, so I would definitely recommend doing this.

So, go ahead and enter a root email address – maybe something like “…+RootUser@gmail.com” – and also an account name.

So when you’ve entered these details, you’re going to need to verify the email. You will receive a verification code that will be valid for 10 minutes that you need to enter into the box on the screen.

After that, you’ll be able to set your password for the root account.

Now I would recommend using a password management app. The one I use is called KeePass, and that will safely store all of your passwords in one place where you don’t have to remember anything. You can just copy and paste them when you need them.

After this, you’ll need to enter some usual personal details like your address and name, etc.

You will now need to choose the account type.

Personally, I use the personal account type, which is for my own projects. But if you’re using this for a business need, then you can choose the business account.

And the next thing you’ll need to enter then is your credit card details.

Following this, you need to enter your phone number and then receive a text message with a verification code that you need to enter.

And now we get to choose the support plan that we want to use. Personally, I used the free Basic support plan.

So, it is limited in some senses in terms of actually contacting AWS, etc., but for what I’m doing, it’s perfect. And unless you’re a big business, it’s likely the basic support plan will be suitable for you.

And once this is done, we have our account set up and we can now sign in with those credentials. So go ahead and do that.

From here we could go straight to Lightsail and get going creating our WordPress website.

But remember that best practice procedure I mentioned earlier? Well, this is where we implement it.

In general, you shouldn’t use the root account for everyday tasks in AWS. It’s more secure to use IAM users for that.

An IAM user is a resource that has credentials and permissions to interact with AWS in certain ways. You can control these credentials and permissions from the root account. Which is what we’re going to do here.

Before we can create any IAM users, however, we need to go to Account which you’ll find under the dropdown in the top right of the screen.

Then from there, scroll down until you see “IAM User and Role Access to Billing Information”. Click edit and tick the box that appears. This will grant you access to IAM.

Now, from there we go to the IAM service and navigate to the Users section in the left-hand side column. Click on Add Users in the top-right.

The user we’re going to create is going to be an administrator, so I’d suggest naming it “iamadmin”. It’s best to be descriptive with the names.

We have to choose what kind of credentials we want to associate with this user to log in. I’d suggest choosing Password and then Custom Password. You can use a password manager – like KeePass – to generate and save a secure password. Or you can save it yourself wherever you like.

And then lastly, for simplicity’s sake, let’s untick the box Require password reset. This means we won’t need to reset this password the next time we sign in.

Click next to the Permissions page and navigate to Attach existing policies directly. One of the first ones you should see is Administrator Access.

Tick that and move on to Tags. We’re not gonna add any tags so move on to Review and then Create User.

Success!

We now have an IAM user with administrator access that we can use to create the WordPress site with Lightsail.

Before we do that, navigate back to the IAM service and make note of the account ID. Save this somewhere safe as we’ll need this to log in to the iamadmin user. Optionally, you can create an account alias to use instead, but let’s go with the account ID for now.

So, with that done, let’s log out of the root account and sign in with the iamadmin password we made.

Click on the IAM user box on the sign-in page and enter your credentials.

Your username will be “iamadmin” if you followed what I did or whatever else you may have entered when creating the user.

Now you should be in the IAM user account. You can verify this in the top right of the screen.
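To confirm later that the root account really has dropped out of everyday use, you can audit the account's IAM credential report. The Python below is an added example, not code from the original post; it goes a little beyond the text by also flagging console sign-in without MFA and active root access keys, and the report rows and the 7-day threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report
# (only the columns this check reads; a real report has more).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,2024-05-30T09:12:00+00:00,false,true,false
iamadmin,true,2024-06-01T08:00:00+00:00,false,false,false
"""


def audit(report_csv, now, root_idle_days=7):
    """Return a list of findings about root usage and console sign-in hygiene."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # The root row reports password_enabled as "not_supported" but can always sign in.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append(f"{user}: console sign-in without MFA")
        if is_root:
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(f"{user}: access key {n} is active")
            last = row["password_last_used"]
            if last not in ("N/A", "no_information"):
                age = now - datetime.fromisoformat(last)
                if age < timedelta(days=root_idle_days):
                    findings.append(f"{user}: console sign-in {age.days} day(s) ago")
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    for finding in audit(SAMPLE_REPORT, datetime(2024, 6, 2, tzinfo=timezone.utc)):
        print(finding)
```

A real report comes from aws iam generate-credential-report followed by aws iam get-credential-report, which returns the CSV base64-encoded.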

And now, we’re ready to work with Lightsail!

Setting up the Lightsail Instance

Navigate to the Lightsail service from the search bar at the top of the main console.

From there, you will see a screen like this below:

Click on Create instance.

That will bring you to the below page:

Pick the Availability Zone where you want your instance to be based. Note, this will mean people closest to that zone will have fast load times when accessing the site, and people far away will have a slower connection speed. Don’t worry too much about this, we will put a fix in place for this later in the tutorial.

To create a WordPress site, we need to choose Linux/Unix as our platform and then choose WordPress as our blueprint.

For the instance plan, I chose the $10/month plan. You can choose a different plan depending on your computing/storage/processing needs.

Lastly, we need to name the instance. This is not so important, but choose an appropriate name for what you’re doing.

So, now you have a WordPress instance online. You can navigate to the public IP and see it.

There are a few more things that need to be done, however.

Firstly, you should create a static IP address. A static IP is fixed and will not change, unlike public IPv4s which can change if the instance goes down or restarts, etc.

Also, they are FREE as long as they are attached to an instance.

So, navigate to the Networking tab and click Create static IP.

Give it a name and attach it to your WordPress instance.

Now, you’ll be able to navigate to the given static IP and see your WordPress site.

Domain Name

At the moment, the site just has an IP address that you use to navigate to it, but likely, you want an actual website name that people can type in to be brought there.

So, let’s set up a domain name for your site.

Navigate to the Domains & DNS tab.

Click on Register Domain.

From here, you can follow the steps to create a domain name. It needs to be unique to you.

Note that some domains are cheaper than others. For example, codedefined.com was a lot cheaper for me to register than codedefined.io because .io is a highly sought-after domain. So, choose wisely which one you would like to have.

You can set automatic renewal so you can keep the domain year after year without having to manually do anything.

This will also create a DNS zone for you (which is included in the price of the domain).

This will allow you to route traffic from the domain to the actual Lightsail instance.

Now, to actually assign the domain to the static IP, which will allow users to connect to our site via the domain name, we need to click on our WordPress instance in the Instances tab.

Navigate to the Domains tab found within your instance.

You can see I have my domain already assigned here, but for you, you will click on Assign domain.

Choose your domain name from the dropdown. There should only be one there. Select the address as the static IP address you already created.

Great!

It can take a long time for the domain name to be registered, so don’t worry if you can’t access the site with it for a while. Just keep checking back every now and then until it’s done.

Once the domain has been registered and you can navigate to the site with it, we can move on to the next step.

SSL/TLS Certificates

The next thing we should do is create an SSL/TLS certificate for our website, which will allow users to connect over HTTPS, which is more secure than the current HTTP. You know you’ve connected to a site over HTTPS when the small lock is seen in the top left before the URL.

Otherwise, you’ll either see something like this:

Or a lock with a red line slashed through it.

These both mean you have connected over HTTP which is less secure. We want to make this site as secure as possible, so let’s enable HTTPS connections.

To do that, navigate into your WordPress instance and click on the Connect using SSH button.

This will open a new terminal with a connection to your instance. We now need to run a number of commands to enable an SSL/TLS cert on it.

Firstly, run sudo /opt/bitnami/bncert-tool

It will ask you to enter the domain name you want to apply this cert to, so enter the domain name you created in the previous step.

You might get some warnings, you can ignore these and move on.

You will then see a prompt asking if you want to enable HTTP to HTTPS redirection. Enter “Y” and hit enter.

Agree to the proposed changes that appear next, then enter your email address, ideally the one associated with the AWS account.

Once this is all done, you should be able to navigate to the site now and see the lock in the top-left indicating that you are now connected over secure HTTPS.

Congratulations, you now have a working WordPress website with Lightsail and it is secured over HTTPS.
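The lock icon only tells you about the page you happened to load. As an added example (not part of the original post), this Python check confirms that plain HTTP requests are redirected to HTTPS on your own domain and reports how many days the certificate has left; example.com and the function names are placeholders.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit


def judge_redirect(status, location, host):
    """Assess the response to a plain-HTTP request for `host`: (ok, reason)."""
    if status not in (301, 302, 307, 308):
        return False, f"status {status}: content served over plain HTTP"
    target = urlsplit(location or "")
    if target.scheme != "https":
        return False, f"redirects to {location!r}, which is not HTTPS"
    bare = host[4:] if host.startswith("www.") else host
    if target.hostname not in (bare, "www." + bare):
        return False, f"redirects off-site to {target.hostname}"
    return True, f"{status} -> {location}"


def days_left(not_after, now):
    """Whole days until a certificate's notAfter (ssl.getpeercert format)."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def check_site(host, timeout=5):
    """Live check (needs network): HTTP redirect plus a validated TLS handshake."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    verdict = judge_redirect(resp.status, resp.getheader("Location"), host)
    conn.close()
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return verdict, days_left(cert["notAfter"], time.time())


if __name__ == "__main__":
    # Constructed responses; call check_site("your-domain") for a live result.
    print(judge_redirect(301, "https://example.com/", "example.com"))
    print(judge_redirect(200, None, "example.com"))
```

If check_site raises ssl.SSLCertVerificationError, the certificate is not valid for the domain you passed in.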

You could stop here if you like, but there’s another step I’d recommend doing in order to improve the load times for your users.

Remember, the instance is based on whatever availability zone you specified when creating it, so people far away from that zone will experience longer load times for the site than those closer.

To mitigate this, we can make use of a CloudFront distribution which will speed up load times for users accessing the site. It does this by creating a cache of the site closer to the users so the site can load faster for them.

Again, it’s not necessary but I’d highly recommend setting one up. And it’s quite simple to do.

To do this, navigate to the networking tab on the main instance page and click on Create distribution.

From here, choose your origin from the dropdown list. Then choose what kind of caching behavior you would like. I chose Best for WordPress.

And then for the distribution plan, I chose 50 gigabytes per month, which offers the first year entirely free.

The last thing you need to do then is to give your distribution a name and click on Create Distribution at the bottom.

It will take some time for the distribution to become enabled; you will just need to wait.

So, there you have it, you now have a functioning WordPress website with Lightsail. It’s also very fast for users to access thanks to the CloudFront distribution we created.

Note: to access the admin page for the WordPress instance, navigate to “<domain name>/wp-admin”. From here, you need to enter a username and password.

The default username is “user”.

You can find the password by connecting to the WordPress instance within the Lightsail console and running the command “cat bitnami_application_password”.

These two credentials will allow you to sign in to the admin side of the WordPress site so you can make all the changes you want.

If you got anything from this article, then please check out my other posts here.

Furthermore, you can check out how to make a local instance of your website here. This will enable you to safely make and review changes for your site before publishing.
