LightSail VPS WordPress notes

I recently moved a couple WordPress-based websites from an older Amazon Linux 2 based LightSail VPS to a newer Ubuntu 22 based VPS. These are my notes in case I want to refer to them later (with some info redacted for posting publicly).

Ensure you can access and edit the domain records since the IP address will change and you’ll need to reassign the “A” records. I usually do this for some combination of the main domain, www subdomain and subdomain wildcard (depending on what needs to resolve to the server).

Backup commands from old VPS

mysqldump --password=MyDBpass --user=MyDBuser --host=127.0.0.1 --add-drop-table MyDB > MyDB.sql
tar -czf www.MyDomain.com.tar.gz www.MyDomain.com/

Copy MyDB.sql and www.MyDomain.com.tar.gz to your local hard drive (or some place for backup, and to copy to the new VPS). This is done for each website, but I’ll keep my notes simpler and just refer to one generic “www.MyDomain.com” website.

Ubuntu 22 was not an AWS LightSail option, so I started from an Ubuntu 20 image and updated it. I’ve used EC2 images in the past, but found LightSail to be quicker to set up and works fine for my simple VPS needs.

Make a note of the AWS LightSail VPS management URLs – new and old (e.g., something like https://lightsail.aws.amazon.com/ls/webapp/us-west-2/instances/MyOldVPS and https://lightsail.aws.amazon.com/ls/webapp/us-west-2/instances/MyNewVPS) and AWS root user. After setting up the new VPS, set a static IP address and make a note of the address (address is dynamic by default and will change when the LightSail instance is rebooted). Use the address to reassign the domain “A” records in your name servers (usually managed directly from your registrar, but sometimes a third party DNS service). Make a note of the VPS username (e.g., “ubuntu”) and save the identity file associated with the VPS (generated by AWS when you created the VPS, or you might have assigned an existing key). Also ensure that both ports 80 (HTTP) and 443 (HTTPS) are open. I believe 80 is open by default, but 443 is not. 22 is also open for SSH access.

You can use the identity file to access the running VPS via an SSH client. This will look something like this (after the domain is properly resolving to the new IP address):

ssh -i MyIdentityFile.pem ubuntu@mydomain.com

You can create a new account, add it to the sudo group, and remove the more well-known account name for additional security. I’ll just keep the username “ubuntu” in these notes. You can also change the SSH server port from 22 to “something else” for additional security, but this is relatively easy to figure out by a malicious user with enough time. There are also ways of keeping port 22 active so it behaves like a valid SSH server port if you’re really into obfuscation, but your main security will be in how you protect your identity file(s). In any case, if you do lose the identity file to a malicious user somehow, these additional measures won’t hurt!

Copy the website backup files from old VPS to new VPS via scp:

scp -i MyIdentityFile.pem MyDB.sql www.MyDomain.com.tar.gz ubuntu@MyDomain.com:~/

Upgrade the LightSail Ubuntu 20.04 VPS to Ubuntu 22.04:

sudo apt update
sudo apt upgrade
sudo reboot
sudo apt install update-manager-core
sudo apt autoremove
sudo do-release-upgrade -d

This will prompt a reboot. After the reboot, install Apache web server, PHP and MariaDB:

sudo apt install apache2
sudo systemctl enable apache2
sudo systemctl start apache2
sudo apt-get install php php-cli php-common php-imap php-redis php-snmp php-xml php-zip php-mbstring php-curl php-gd php-mysql -y
sudo apt install mariadb-server -y
sudo systemctl start mariadb
sudo systemctl enable mariadb

At this point it’s a good idea to set the MariaDB root password. I’ll assume the password is “MyDBrootPass”

sudo mysql --user=root --password=MyDBrootPass

From the SQL prompt, run the following SQL commands to create the new database and a new database user (don’t use the DB root account for WordPress!):

create database MyDB;
CREATE USER 'MyDBuser'@'localhost' IDENTIFIED BY 'MyDBpass';
GRANT ALL PRIVILEGES ON MyDB.* TO 'MyDBuser'@'localhost';
flush privileges;
quit;

Now we can copy the old database information into the new database:

mysql MyDB --user=MyDBuser --password=MyDBpass < MyDB.sql

Then we can copy the old website files to the new website file directory (there’s a better way to run tar so I didn’t have the full path in the archive, but I was lazy here):

tar xf www.MyDomain.com.tar.gz
cd var/www/
sudo mv * /var/www/
cd /var/www/
sudo chown -R www-data:www-data *
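The "better way to run tar" mentioned above, as an added example that is not part of the original notes: archive relative to the parent directory with -C, then vet the member list before extracting straight into the web root. The function names are hypothetical; the paths are the page's placeholders.

```shell
#!/bin/sh
# Added example; www.MyDomain.com and /var/www are the page's placeholders.

# Archive relative to the parent directory so members are stored as
# "www.MyDomain.com/..." rather than "var/www/www.MyDomain.com/...".
make_site_archive() {   # make_site_archive /var/www www.MyDomain.com out.tar.gz
    tar -czf "$3" -C "$1" "$2"
}

# Read member names on stdin; fail on an absolute path, a ".." component,
# or anything outside the expected top-level directory.
check_member_names() {  # check_member_names www.MyDomain.com
    awk -v top="$1" '
        /^\// || /(^|\/)\.\.(\/|$)/ || (index($0, top "/") != 1 && $0 != top) {
            print "unexpected member: " $0; exit 1
        }' >&2
}

# List the archive without extracting it and vet every member name.
check_archive_paths() { # check_archive_paths archive.tar.gz www.MyDomain.com
    names=$(tar -tzf "$1") || return 1
    printf '%s\n' "$names" | check_member_names "$2"
}

# Extract into the web root only if the listing passed the check.
restore_site() {        # restore_site archive.tar.gz www.MyDomain.com /var/www
    check_archive_paths "$1" "$2" && tar -xzf "$1" -C "$3"
}
```

Writing into /var/www needs root, so on the new VPS run the restore from a root shell or extract to a staging directory first.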

Now, we’ll go ahead and configure Apache to run this website. It’s probably easiest to use nano to create a configuration file like I’m going to suggest below, but there are other ways of doing this (different editors, different ways of configuring websites in Apache, etc.). But let’s create and edit a new website configuration using nano:

sudo nano /etc/apache2/sites-available/www.MyDomain.com.conf

This will open the nano editor with no content. I’m electing to forward port 80/HTTP to port 443 HTTPS and leaving some currently-unused configuration items for HTTP in case I need to troubleshoot later. I’m also making some assumptions about the original directory structure and location of files, which will vary from website to website, and should be modified as needed. Add the following text to www.MyDomain.com.conf:

<VirtualHost *:80>
  ServerName www.MyDomain.com
  ServerAlias MyDomain.com
  Redirect permanent / https://www.MyDomain.com/
  DocumentRoot /var/www/www.MyDomain.com/html
  ServerAdmin MyUser@MyDomain.com
  <Directory /var/www/www.MyDomain.com/html/>
    Require all granted
    Options FollowSymlinks MultiViews
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
  ErrorLog /var/www/www.MyDomain.com/log/error_log
  CustomLog /var/www/www.MyDomain.com/log/access_log common
</VirtualHost>
<VirtualHost *:443>
  ServerName www.MyDomain.com
  ServerAlias MyDomain.com
  DocumentRoot /var/www/www.MyDomain.com/html
  ServerAdmin MyUser@MyDomain.com
  <Directory /var/www/www.MyDomain.com/html/>
    Require all granted
    Options FollowSymlinks MultiViews
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
  ErrorLog /var/www/www.MyDomain.com/log/error_log
  CustomLog /var/www/www.MyDomain.com/log/access_log common
  <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /var/www/www.MyDomain.com/ssl/www.MyDomain.com.cert.pem
    SSLCertificateKeyFile /var/www/www.MyDomain.com/ssl/www.MyDomain.com.key.pem
  </IfModule>
</VirtualHost>

Now we can enable the site and restart Apache (run these one at a time and stop to fix any reported issues before continuing to the next command):

sudo a2ensite www.MyDomain.com.conf
sudo a2enmod rewrite
sudo a2enmod ssl
sudo apachectl -t
sudo systemctl restart apache2

At this point, you should be able to test the site by going to MyDomain.com in a web browser. Apache should immediately attempt to forward to https://www.MyDomain.com (assuming you copied over valid SSL certificates).
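A follow-up check, added here and not part of the original notes: the earlier "chown -R www-data:www-data" also hands the TLS private key under ssl/ to the web server user. The sketch below reads the key path and DocumentRoot from the site configuration and reports risky placement, ownership or mode; the function name is hypothetical, and it assumes GNU stat and directive paths without spaces.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (Ubuntu) and directive paths without spaces,
# as in the configuration on this page.

# audit_vhost_key CONF WEBUSER
# Prints one line per finding and returns 1 if there was any.
audit_vhost_key() {
    conf=$1 webuser=$2 rc=0
    docroot=$(awk 'tolower($1) == "documentroot" { print $2; exit }' "$conf")
    keys=$(awk 'tolower($1) == "sslcertificatekeyfile" { print $2 }' "$conf" | sort -u)
    for key in $keys; do
        # A key below DocumentRoot could be fetched over HTTP.
        if [ -n "$docroot" ]; then
            case "$key" in
                "${docroot%/}"/*) echo "key inside DocumentRoot: $key"; rc=1 ;;
            esac
        fi
        if [ ! -f "$key" ]; then
            echo "key file missing: $key"; rc=1; continue
        fi
        # After "chown -R www-data:www-data" the worker user owns the key,
        # so any code running as that user (PHP included) can read it.
        if [ "$(stat -c %U "$key")" = "$webuser" ]; then
            echo "key owned by $webuser: $key"; rc=1
        fi
        # Only the owner should have any permission bits set.
        mode=$(stat -c %a "$key")
        case "$mode" in
            0|*00) ;;
            *) echo "key mode $mode grants group/other access: $key"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Typical remediation (Apache reads the key as root before dropping privileges):
#   sudo chown root:root /var/www/www.MyDomain.com/ssl/www.MyDomain.com.key.pem
#   sudo chmod 600       /var/www/www.MyDomain.com/ssl/www.MyDomain.com.key.pem
```

On the new VPS this would be called as audit_vhost_key /etc/apache2/sites-available/www.MyDomain.com.conf www-data.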