WordPress is one of the most popular content management systems in the world estimated to be running over 40% of all websites. Its easy to use of use, has a massive theme and plugin ecosystem, and it’s super flexible for both personal websites and businesses.
I’ve been using WordPress since the start of my career over 15 years ago. It’s always been my first choice as a Website platform and is the option that I recommend for many use cases.
In this post I’ll outline the steps for installing and configuring WordPress as a multisite. WordPress Multisite is a powerful feature that allows you to run multiple WordPress sites from a single WordPress installation. This is particularly useful for businesses or individuals who need to manage multiple websites but want the convenience of a single dashboard. With Multisite, you can create a network of sites with shared plugins and themes, making it easier to maintain consistency and control across all your sites.
I built my first WordPress Multisite a few years ago, around 2018, when I worked as Technical Lead for a publishing company. We had 30 websites all with similar functionality and design that I thought would suit the multisite features. It was painful having to manage all 30 sites as separate instances with separate user logins, having to keep all 30 up to date. Moving the sites into a multisite reduced the maintenance load, and the cost of running that amount of websites, and since then I’ve built and managed several fairly large multisite installations.
I’ve chosen to install WordPress multisite on a Linux distribution such as CentOS or AlmaLinux. Enterprise Linux distributions are well known for their stability, security, and support and used heavily in Web hosting. Using any of these distributions as a web server for WordPress ensures a reliable and secure hosting environment, critical for maintaining website performance.
Before you begin, ensure you have the following:
- A server running RHEL, Oracle Linux, CentOS, or AlmaLinux.
- A non-root user with sudo privileges.
I wont detail where to host your server in this article. I assume for the sake of convenience that you’ve already got a Linux server running in either a public cloud such as Amazon AWS or on a virtual machine running on your own PC. Any of the Enterprise Linux variants should do fine, the steps should be the same regardless.
Install Apache, PHP and MySQL
Apache is one of the most popular web servers in the world and is well-supported by WordPress and the web development community. It’s usually the default choice when installing WordPress.
$ sudo dnf install httpd -y
$ sudo systemctl enable --now httpd
MariaDB is a popular open-source relational database management system and is fully compatible with MySQL, which is the database system that WordPress uses.
$ sudo dnf install mariadb-server mariadb -y
$ sudo systemctl enable --now mariadb
Run the following command to secure your MariaDB installation.
$ sudo mysql_secure_installation
Follow the prompts to set the root password and remove anonymous users, disallow root login remotely, remove test databases, and reload privilege tables.
PHP is the progamming language that WordPress is built on. Your server needs to have PHP installed so that it can execute the code and produce your website. By default, Enterprise Linux 8 will install PHP 7.2, which is bit old and past it’s end-of-life, so we’ll install PHP 8.2 from App Streams instead.
$ sudo dnf module list php
$ sudo dnf module enable php:8.2
$ sudo dnf install php php-mysqlnd -y
$ sudo systemctl restart httpd
Log in to MariaDB and create a database and user for WordPress.
$ sudo mysql -u root -p
Then, run the following commands.
CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
EXIT;
Changing ‘wordpressuser’ and ‘password’ for a username and secure password of your choice. This is the user details that WordPress will use to connect to the database, so it’s critical that these details are secure.
Navigate to the web root directory and download the latest WordPress package
$ cd /var/www/
$ sudo rm -rf html/
$ sudo wget https://wordpress.org/latest.tar.gz
$ sudo tar -xzvf latest.tar.gz
$ sudo mv wordpress html
$ sudo chown -R apache:apache /var/www/html
$ sudo chmod -R 755 /var/www/html
Create an Apache configuration file for WordPress.
$ sudo vim /etc/httpd/conf.d/wordpress.conf
Add the following configuration.
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/html
ServerName example.com
ServerAlias www.example.com
<Directory /var/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress-error.log
CustomLog /var/log/httpd/wordpress-access.log combined
</VirtualHost>
Include the email address and domain name you wish to use for your website. In a WordPress multisite the domain name will be the primary network domain, however when you add subsites to the network you can change the subsite domain names from the WordPress dashboard.
Configuring SELinux
After configuring Apache, you might need to configure SELinux to allow Apache to serve WordPress files and communicate with the database. If you’ve followed the above configuration and your website doesn’t appear to work or you’re getting forbidden error messages, you will need to complete the follow configuration.
Note: Many people online suggest disabling SELinux out of convienience. Please don’t do that, SELinux is built into the Linux kernel to provide security access controls and is important to maintain the security of your Linux system, it’s better to configure SELinux properly rather than disabling it.
Set the proper file context for WordPress files
$ sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html(/.*)?"
$ sudo restorecon -Rv /var/www/html
Allow Apache to connect to the database
$ sudo setsebool -P httpd_can_network_connect_db 1
Restart Apache
$ sudo systemctl restart httpd
You should now be able to access your WordPress installation. Open your web browser and navigate to http://your-server-i
p. Follow the on-screen instructions to complete the initial installation.
If everything went correctly and the installation was able to connect to the database properly, you should now be able to login to your WordPress admin dashboard by navigating to http://your-server-ip/wp-admin.
After the initial installation, follow these steps to configure WordPress Multisite with subdomains:
Edit wp-config.php: Add the following lines above the line that says /* That's all, stop editing! Happy publishing. */
:
define('WP_ALLOW_MULTISITE', true);
Install the Network: Refresh your WordPress dashboard. Navigate to Tools -> Network Setup
. Select “Sub-domains” and click “Install”.
You will most likely need to enable the Apache mod_rewrite module to allow for WordPress to rewrite the site URLs.
Enter the following command, and if there’s no output you’ll need to enable the module by editing the file /etc/httpd/conf.modules.d/00-base.conf and uncommenting the line for rewrite_module.
$ httpd -M | grep rewrite
rewrite_module (shared)
Update wp-config.php and .htaccess: WordPress will provide some code to add to your wp-config.php
and .htaccess
files. Edit these files and add the provided code. wp-config.php: Add the following code just below the line define('WP_ALLOW_MULTISITE', true);
:
define('MULTISITE', true);
define('SUBDOMAIN_INSTALL', true);
define('DOMAIN_CURRENT_SITE', 'example.com');
define('PATH_CURRENT_SITE', '/');
define('SITE_ID_CURRENT_SITE', 1);
define('BLOG_ID_CURRENT_SITE', 1);
.htaccess:
Replace the existing WordPress rules with the provided Multisite rules:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
If necessary, you might need to restart Apache.
sudo systemctl restart httpd
You should be able to refresh your Web browser and re-login to WordPress and if everything was successful, you should be able to access the Network Admin section of the WordPress dashboard.
From here you can add sub-sites, you can install themes and plugins that all sub-sites will be able to use, and you’ll be able to manage user access across each site in your network.
Configuring the Linux Firewall
To ensure that your WordPress site is accessible from the web, you will need to configure the firewall on your server to allow HTTP and HTTPS traffic as well as SSH traffic, but restricting access to everything else.
First, check if firewalld
is running on your server:
sudo systemctl status firewalld
If it is not running, start and enable it:
$ sudo systemctl enable --now firewalld
To allow HTTP (port 80) and HTTPS (port 443) and SSH (port 22) traffic through the firewall, run the following commands:
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --permanent --add-service=ssh
After making these changes, reload the firewall to apply the new rules:
$ sudo firewall-cmd --reload
To verify that the rules have been added correctly, you can list the current firewall rules:
$ sudo firewall-cmd --list-all
Security Improvements
By default WordPress is relatively secure if you keep it up to date, however it’s only as secure as it’s weakest part. By following a few basic security practices you’ll minimise the risk of your website being vulnerable to attack.
Update WordPress regularly
Ensure your WordPress installation, themes, and plugins are always up-to-date to protect against vulnerabilities.
Use strong passwords
Use complex passwords for your WordPress admin account, database user, and any other user accounts.
Install security plugins
Consider using security plugins like Wordfence to add an extra layer of protection. Wordfence lets you limit login attempts, it scans your site for security vulnerabilities and automatically blocks malicious activity.
Secure Your .htaccess File
Add rules to your .htaccess
file to prevent unauthorized access to sensitive files:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
Enable SSL
Install an SSL certificate to encrypt data transmitted between your server and your users. You can obtain a free SSL certificate from Let’s Encrypt and configure Apache to use it.
Another option for providing SSL certificates is to host your website behind Cloudflare and use their SSL certificates and Web Application firewall. I won’t detail Cloudflare setup in this post but it’s well worth considering.
Regular backups
Set up regular backups of your WordPress site, including the database and files, to ensure you can quickly recover in case of an incident.
You should now have a robust and flexible platform configured to host multiple websites from a single dashboard running on a solid, Enterprise grade Linux operating system.