
Bitnami WordPress for Microsoft Azure Multi-Tier Solutions

Description

WordPress is the world's most popular blogging and content management platform. Powerful yet simple, everyone from students to global corporations uses it to build beautiful, functional websites.

What are the differences between a Bitnami Single-Tier Solution and Multi-Tier Solution?

Single-tier architecture implies that all the required components of an application run on a single server. If your environment is growing and becoming more complex, a single layer architecture will not meet your scalability requirements. Single-Tier Solutions are great for departmental applications, smaller production environments, new users, or those applications that don't support multi-tier architectures.

The typical architecture of a Bitnami Single-Tier Solution looks like this:

Single-tier architecture

Multi-tier architecture involves more than one server and infrastructure resource. For example, the Front End-Database topology separates the application server from the database server. This allows you to extend workloads in the cloud and tailor your application to meet specific scalability and reliability goals. Multi-Tier Solutions provide more sophisticated deployment topologies for improved scalability and reliability for larger production or mission critical environments.

TIP: Not sure if you have chosen the right solution? Check out the Bitnami Multi-Tier solutions features and benefits to learn more about the benefits of Multi-Tier.

This Bitnami Multi-Tier Solution uses the front-end and database resource topology, illustrated below:

Multi-tier architecture

First steps with the Bitnami WordPress Stack

Welcome to your new Bitnami application running on Microsoft Azure Multi-Tier Solutions! Here are a few questions (and answers!) you might need when first starting with your application.

What credentials do I need?

You need two sets of credentials:

  • The application credentials that allow you to log in to your new Bitnami application. These credentials consist of a username and password.
  • The server credentials that allow you to log in to your Microsoft Azure Multi-Tier Solutions server using an SSH client and execute commands on the server using the command line. These credentials consist of an SSH username and key.

What is the administrator username set for me to log in to the application for the first time?

Username: user

What SSH username should I use for secure shell access to my application?

SSH username: bitnami

How to start or stop the services?

NOTE: The steps below require you to execute the commands on the remote server. Please check our FAQ for instructions on how to connect to your server through SSH.

Each Bitnami server includes a control script that lets you easily stop, start and restart all the services installed on the current individual server.

Obtain the status of a service with the service bitnami status command:

$ sudo service bitnami status

Use the service bitnami command to start, stop or restart all the services in a similar manner:

  • Start all the services.

    $ sudo service bitnami start
    
  • Stop all the services.

    $ sudo service bitnami stop
    
  • Restart all the services.

    $ sudo service bitnami restart
    
TIP: To start, restart or stop each server of the cluster individually, check the FAQ section about how to start or stop servers in a Multi-Tier Solution.

How to connect to cluster nodes?

Some operations, such as changing the application password, require certain actions to be repeated on each cluster node. You therefore need to connect to each node for the changes to take effect across the whole cluster. Follow the steps below to connect to the cluster nodes in your Azure deployment:

  • Log in to the Microsoft Azure portal.
  • Navigate to the "Virtual Machines" section and find your deployment.
  • Select the primary node from the virtual machines list. Its name usually ends with the number 0:

    Select the primary node

  • In the resulting screen, click "Connect". It displays the command to connect through SSH to the selected node:

    Connect through SSH to the primary node

  • Open a new terminal window on your local system and paste the command shown above. You will be prompted to enter your password. After this, you should be connected to the primary node as shown below:

    Connect through SSH to the primary node

Once you have connected to the primary node, you can connect to the rest of the nodes by establishing an SSH connection to each node's IP address as follows:

  • To find the private IP address of a node, select it in the list of virtual machines and click "network/default-subnet".

    Find node private IP address

  • Copy the IP address of the node you want to connect to.

    Copy node IP address

  • In the terminal window, execute the following command (within the primary node). Remember to replace the NODE_IP_ADDRESS placeholder with the correct value:

    $ ssh bitnami@NODE_IP_ADDRESS
    

    Connect to a secondary node

    NOTE: Remember to repeat the same operation to connect to each cluster node.

How to create a Virtual Network peering?

To connect two instances internally, you can enable a Virtual Network (VNet) peering from the Azure Portal. Depending on whether the instances were launched in the same or in different resource groups, there are two methods for establishing an internal connection: sharing a virtual network or enabling a virtual network peering.

How to access the administration panel?

Access the administration panel by browsing to http://SERVER-IP/wp-admin/.

How to change the WordPress domain name?

If you are using WordPress v3.3.1-5 or higher, only specify your domain name in the /opt/bitnami/wordpress/wp-config.php file. Edit and replace the following lines as shown, remembering to replace the DOMAIN placeholder with the actual domain name you wish to use:

define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/');
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/');

with

define('WP_SITEURL', 'http://DOMAIN/');
define('WP_HOME', 'http://DOMAIN/');

NOTE: Your domain name should be correctly propagated for this to work. You can verify the new DNS record by using the Global DNS Propagation Checker and entering your domain name into the search field.

How to change the interface language?

Bitnami WordPress currently ships with English and Spanish translations already installed. To change the WordPress language, follow the steps below:

Change language using the WordPress administration panel

If the language you wish to use is already available in WordPress, follow these steps:

  • Log in to the WordPress administration panel.

  • Click on the "Settings -> General" tab located in the menu on the left.

  • Scroll down to "Site Language", select the language you prefer and click "Save Changes".

WordPress change language

Change language manually

If the language you wish to use is not available in WordPress, you must first install the necessary translation files:

  • Download the translation files for your language from http://codex.wordpress.org/WordPress_in_Your_Language

  • Once you have downloaded the files, copy the .po and .mo files into the /opt/bitnami/wordpress/wp-content/languages directory. If this directory does not exist, create it manually as follows:

     $ sudo mkdir /opt/bitnami/wordpress/wp-content/languages
    
  • Log in to the WordPress administration panel.

  • Click on the "Settings -> General" tab located in the menu on the left.

  • Scroll down to "Site Language". The newly-installed language should now appear in the list. Select it and click "Save Changes".

WordPress change language

How to reset the WordPress admin password from the command line?

NOTE: A multi-tier environment typically consists of multiple servers. The steps below should be performed on the runtime server (the server instance running the application), which includes a mysql client. For more information on connecting via SSH, refer to the FAQ.

Use the command below to reset the administrator password from the command line.

$ mysql -u root -h DATABASEHOST -p bitnami_wordpress -e "UPDATE wp_users SET user_pass=MD5('NEWPASSWORD') WHERE ID='1';"

Remember to replace the NEWPASSWORD placeholder with your desired password and DATABASEHOST placeholder with the host where the database is running.

To obtain the hostname where the database is running, you can execute the following command:

$ sudo cat /opt/bitnami/wordpress/wp-config.php | grep 'DB_HOST'

You should see an output similar to this:

define('DB_HOST', 'provisioner-peer:3306');

In this case, the DATABASEHOST placeholder should be replaced by "provisioner-peer".

How to disable the WordPress cron script?

The wp-cron.php script runs whenever a user visits your site, which can become a problem if you get a lot of traffic. This cron task is really necessary when you make updates in the blog. You can move this cron script to a system cron task to help lower resource usage on the server.

Disable the wp-cron.php script in the /opt/bitnami/wordpress/wp-config.php file. The location is important - add the line below just before the database settings:

 define('DISABLE_WP_CRON', true);

Then, add the cron task to the system. For example, this cron task will run the wp-cron.php process every hour. You can add it using the following command:

 $ sudo crontab -e
 0 * * * * su daemon -s /bin/sh -c "cd /opt/bitnami/wordpress/; /opt/bitnami/php/bin/php -q wp-cron.php"

How is the Multi-Tier Solution configured?

Bitnami Multi-Tier Solutions are pre-configured, ready to run templates for running applications. This environment will consist of two cloud servers, one for the application and the other for the database, and you will be able to configure them further once launched.

The runtime server contains the following main components, in addition to the required libraries and dependencies already installed and configured:

  • The Apache server
  • The PHP runtime and the mod_php module for Apache
  • The application files

The default configuration opens the default ports for each application; in most cases, these are ports 80 and 443. For security reasons, the database server port is configured to be accessible only from the runtime server.

How to configure outbound email settings?

You can install or enable the "WP Mail SMTP" plugin from the WordPress administration page. Follow these steps to activate this plugin.

  • Log in to the WordPress administration panel.
  • Navigate to "Plugins" and click the "Activate" option for the "WP-Mail-SMTP" plugin.

    Activate WP-Mail-SMTP

  • Go to the "Settings -> WP Mail SMTP" panel and the "Settings" tab to configure the SMTP settings of your email provider. Select "Other SMTP" as the mailer.

    Mailer selection

  • Here is an example of configuring WordPress to use a Gmail account. Replace USERNAME and PASSWORD with your Gmail account username and password respectively.
    • SMTP Host: smtp.gmail.com
    • SMTP Port: 587
    • Encryption: Use TLS encryption.
    • Authentication: On
    • SMTP Username: USERNAME@gmail.com
    • SMTP Password: PASSWORD

      WordPress SMTP Options

    If you are using a different provider, remember to replace these values with the valid data for your SMTP provider.

  • Click "Save Settings" to save the changes.
  • Send a test email using the "Email Test" tab to ensure that everything is working smoothly.

To configure the application to use other third-party SMTP services for outgoing email, such as SendGrid or Mandrill, refer to the FAQ.

Troubleshooting Gmail SMTP issues

If you are using Gmail as the outbound email server and you are not able to send email correctly, Google may be blocking sign-in attempts from your apps or devices. Depending on whether or not you use Google Apps, the steps to correct this will differ.

For Google Apps users

If you are a Google Apps user, you will need your administrator to allow users to change the policy for less secure apps. If you are a Google Apps administrator, follow these steps:

  • Browse to the Google Apps administration panel.

  • Click on "Security" and then "Basic settings".

  • Look for the section "Less secure apps" and then click on "Go to settings for less secure apps".

  • Select "Allow users to manage their access to less secure apps".

For other Google users

If you do not use Google Apps, follow the steps in the following sections, depending on whether 2-step verification has been enabled on the account or not.

If 2-step verification has not been enabled on the account, follow these steps:

  • Browse to the "Less secure apps" page and log in using the account you are having problems with. This option is typically required by many popular email clients, such as Outlook and Thunderbird, and should not be considered unsafe.

  • Select the "Turn on" option.

    Security settings

If 2-step verification has been enabled on the account, you have to generate an app password. Follow these steps:

  • Browse to the "App passwords" page.

  • Click "Select app" and choose the app you're using.

  • Click "Select device" and choose the device you're using.

  • Click the "Generate" button.

  • Enter the app password on your device.

  • Click the "Done" button.

Here are other options you may try:

  • Browse to the web version of Gmail and sign in to your account. Once you're signed in, try to enable access for the application again.

  • Browse to the "Unlock Captcha" function page and sign in with your Gmail username and password.

  • Disable IMAP from the Gmail web server interface and enable it again.

    IMAP settings

How to install a plugin on WordPress?

You can install any plugin or theme from the WordPress administration panel.

  • Browse to the "Plugins -> Install Plugins" menu item and then click the "Add New" button to search for plugins.

    WordPress plugin installation

  • Once you find a plugin, click the "Install Now" button to download and install it.

    WordPress plugin installation

  • Once the plugin is installed, activate it from the "Install Plugins" page. You can also deactivate it later if you wish.

    WordPress plugin installation

For more information about installing and managing plugins, such as Full API Access, refer to the WordPress documentation.

How to install the All-in-One WP migration plugin?

The following steps assume that

  • You are using the Bitnami WordPress Stack (not the WordPress Multisite Stack) and
  • You are able to log in to the WordPress dashboard by visiting http://SERVER-IP/wp-login.php.

Follow these steps:

  • Log in to your WordPress dashboard.
  • Browse to the "Plugins -> Install Plugins" menu item and then click the "Add New" button to search for plugins.
  • Find the plugin named "All-in-One WP Migration" and click the "Install Now" button to download and install it.
  • Once the plugin is installed, select the "Plugins -> Installed Plugins" option.
  • Find the newly-installed "All-in-One WP Migration" and select "Activate" to activate it.

    WordPress plugin configuration

The plugin will now be activated. Select the "All-in-One WP Migration" option in the WordPress menu to export or import your WordPress blog.

How to install WP-DBManager?

If you install WP-DBManager you will need to create the /opt/bitnami/wordpress/wp-content/backup-db directory. To do it, you must connect to your machine through SSH, and run this command:

   $ mkdir /opt/bitnami/wordpress/wp-content/backup-db

Once you have done it, you must add the htaccess example provided by the plugin into the htaccess.conf file and you must create an empty .htaccess file in the backup-db directory to pass the plugin checks. To do it, run the commands below:

   $ echo '<Directory "/opt/bitnami/wordpress/wp-content/backup-db">' >> /opt/bitnami/wordpress/htaccess.conf
   $ cat /opt/bitnami/wordpress/wp-content/plugins/wp-dbmanager/htaccess.txt >> /opt/bitnami/wordpress/htaccess.conf
   $ echo '</Directory>' >> /opt/bitnami/wordpress/htaccess.conf
   $ touch /opt/bitnami/wordpress/wp-content/backup-db/.htaccess

Finally, once you activate the plugin in your WordPress dashboard, you must ensure that in the plugin DB Option the mysql and mysqldump paths are correct. For example, use the paths /opt/bitnami/mysql/bin/mysql and /opt/bitnami/mysql/bin/mysqldump.

How to install the Accelerated Mobile Pages (AMP) plugin in WordPress?

Install the Accelerated Mobile Pages (AMP) plugin via the WordPress dashboard and run a scan of your WordPress installation, as follows:

  • Log in to your WordPress dashboard.
  • Select the "Plugins -> Add New" option.
  • Type "amp" in the search box.
  • Install the "AMP" plugin by clicking the "Install Now" button.

    WordPress plugin installation

  • Click the "Activate plugin" link.

    WordPress plugin installation

You can verify that the plugin is working by adding /amp prefix to any WordPress post URL, as shown below:

WordPress AMP post

Read more about the Accelerated Mobile Pages project.

NOTE: As of this writing, the AMP plugin only works for WordPress posts and not pages.

How to enable CORS in WordPress?

Edit the WordPress configuration file for Apache (/opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf) and add the following line inside the Directory directive:

...
<Directory /opt/bitnami/wordpress/>
...
Header set Access-Control-Allow-Origin "*"
...
</Directory>

Enable other methods or headers for other directories (e.g. /opt/bitnami/wordpress/wp-admin):

...
<Directory /opt/bitnami/wordpress/wp-admin>
...
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, OPTIONS, POST"
Header set Access-Control-Allow-Headers "origin, x-requested-with, content-type, accept"
...
</Directory>

If the request is an OPTIONS request, the script exits with either access control headers sent, or a 403 response if the origin is not allowed. By default, only the server where the application is hosted is allowed (see /opt/bitnami/wordpress/wp-includes/http.php). For other request methods, you will receive a return value.
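When only known front ends need cross-origin access, the wildcard can be replaced by an allowlist. The script below is an added example, not part of the Bitnami configuration: it generates a Directory block that echoes the Origin header back only for listed origins, escaping and anchoring each one so that look-alike hosts do not match. The origins shown are hypothetical and the CORS_ORIGIN variable name is an assumption.

```shell
#!/bin/sh
# Added example (not from the Bitnami docs): emit an Apache <Directory> block
# that returns Access-Control-Allow-Origin only for allowlisted origins.

# escape_regex: backslash-escape regex metacharacters, so that "." in a host
# name matches a literal dot and not any character.
escape_regex() {
    printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# valid_origin: accept only scheme://host[:port]. Rejects "*", paths,
# whitespace and embedded newlines.
valid_origin() {
    case $1 in
        *[[:space:]]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?$'
}

# render_cors_block DIRECTORY ORIGIN...
# Prints the configuration fragment on stdout; returns 1 on a bad origin.
render_cors_block() {
    dir=$1
    shift
    [ "$#" -gt 0 ] || { echo "no origins given" >&2; return 1; }
    for o in "$@"; do
        valid_origin "$o" || { echo "rejected origin: $o" >&2; return 1; }
    done
    printf '<Directory "%s">\n' "$dir"
    for o in "$@"; do
        # $0 in the SetEnvIf value is the whole string matched by the pattern
        printf '  SetEnvIf Origin "^%s$" CORS_ORIGIN=$0\n' "$(escape_regex "$o")"
    done
    # The header is only sent when the variable was set by a matching origin
    printf '  Header set Access-Control-Allow-Origin "%%{CORS_ORIGIN}e" env=CORS_ORIGIN\n'
    # Responses now differ per Origin, so caches must key on it
    printf '  Header merge Vary "Origin"\n'
    printf '</Directory>\n'
}

# Demo with hypothetical origins
render_cors_block /opt/bitnami/wordpress/wp-admin \
    https://editor.example.com https://app.example.com:8443
```

Review the generated block before adding it to wordpress-vhost.conf, then restart the services.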

How to enable installed plugins?

Bitnami WordPress Stack comes with the following plugins preinstalled but disabled:

  • Akismet
  • All in One SEO Pack
  • All in One WP Migration
  • Google Analytics for WordPress
  • Jetpack
  • Simple Tags
  • WordPress MU Domain Mapping
  • WP Mail SMTP

Bitnami WordPress Stack v4.5.1-0 removed several plugins, such as "Contact Form", "WP Touch" and "Google XML Sitemaps". The functionality previously provided by those plugins is now included in the Jetpack plugin in the form of switchable features.

All the installed plugins are disabled by default. To enable them follow the instructions below:

  • Log in to the WordPress dashboard.
  • Browse to the "Plugins" menu item.
  • Look for the plugin you want to activate and click the "Activate" link that appears below the plugin name.

    WordPress enable plugins

To enable several plugins at once, follow the instructions below:

  • Select the checkboxes of the plugins to be enabled.
  • Click the dropdown that says "Bulk Actions", select "Activate" and click on the "Apply" button next to the dropdown.

    WordPress enable plugins

How to connect to the database server?

By default, the database port in this solution cannot be accessed over a public IP address. As a result, you will only be able to connect to your database server from the runtime server (the server instance running the application). Follow these instructions to connect to the database server:

  • Connect to the application server via SSH following the steps in the Forwarding your key using SSH Agent section.
  • Once logged in to the application server, obtain the hostname of the server where the database is running by executing the following command:

       $ sudo cat /opt/bitnami/wordpress/wp-config.php | grep 'DB_HOST'
    

    You should see an output similar to this:

       define('DB_HOST', 'provisioner-peer:3306');
    

    In this case, the server hostname where the database is running is "provisioner-peer".

  • Inside the application server, with the SSH key forwarded, run the following command to connect to the database server through SSH. Remember to replace SERVER-IP with the value obtained for DB_HOST:

       $ ssh bitnami@SERVER-IP
    

    In the current example, the command would be the following:

       $ ssh bitnami@provisioner-peer
    

How to change the MariaDB root password?

NOTE: A multi-tier environment typically consists of multiple servers. The steps below should be performed on the database server (the server instance hosting the database), which includes a mysql client.

In order to change the database password, you need to connect to the database. By default, the database port in this solution cannot be accessed over a public IP address. Follow these instructions to learn how to connect to the database server.

Once logged in the database server, you can modify the MariaDB password by running the following command:

$ /opt/bitnami/mariadb/bin/mysqladmin -p -u root password NEW_PASSWORD

Remember to replace the NEW_PASSWORD placeholder with your desired password.

How to reset the MariaDB root password?

NOTE: A multi-tier environment typically consists of multiple servers. The steps below should be performed on the database server (the server instance hosting the database), which includes a mysql client.

In order to reset the database password, you need to connect to the database server. By default, the database port in this solution cannot be accessed over a public IP address. Follow these instructions to learn how to connect to the database server by pivoting through the application server.

If you don't remember your MariaDB root password, once logged in to the database server, you can follow the steps below to reset it to a new value:

  • Create a file in /home/bitnami/mysql-init with the content shown below (replace NEW_PASSWORD with the password you wish to use):

     UPDATE mysql.user SET Password=PASSWORD('NEW_PASSWORD') WHERE User='root';
     FLUSH PRIVILEGES;
    
  • Stop the services:

     $ sudo service bitnami stop
    
  • Start the MariaDB service with the following command:

     $ sudo /opt/bitnami/mariadb/bin/mysqld_safe --defaults-file=/opt/bitnami/mariadb/conf/my.cnf --pid-file=/opt/bitnami/mariadb/tmp/mysqld.pid --init-file=/home/bitnami/mysql-init 2> /dev/null &
    
  • Restart the services:

     $ sudo service bitnami start
    
  • Remove the init script:

     $ rm /home/bitnami/mysql-init
    

You should now be able to access the database server with the new password.

How to modify the allowed limit for uploaded files?

Modify the following options in the /opt/bitnami/php/etc/php.ini file to increase the allowed size for uploads:

; Maximum size of POST data that PHP will accept.
post_max_size = 16M

; Maximum allowed size for uploaded files.
upload_max_filesize = 16M

Restart PHP-FPM and Apache for the changes to take effect.

$ sudo service bitnami restart

How to install the memcached module using the libmemcached library?

Memcached is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. This extension uses the libmemcached library to provide an API for communicating with memcached servers.

If this module is not in your stack, you can install it manually following these steps.

Installation

  • Install development tools:
    • Debian:

        $ sudo apt-get update
        $ sudo apt-get install -y libc6 libevent-2.0-5 libsasl2-2 sasl2-bin build-essential libtool autoconf unzip wget git pkg-config
      
    • CentOS:

        $ sudo yum install glibc-devel libevent libevent-devel cyrus-sasl cyrus-sasl-devel
        $ sudo yum groups mark install "Development Tools"
      
  • Download the latest source code from the web page, uncompress it and compile the library:

      $ wget https://downloads.bitnami.com/files/stacksmith/memcached-1.5.4-1-linux-x64-debian-8.tar.gz
      $ tar zxf memcached-1.5.4-1-linux-x64-debian-8.tar.gz
    
  • Install the library. The example below allocates 3 GB of memory for the cache.

      $ sudo nami install memcached-1.5.4-1-linux-x64-debian-8 --cacheSize '3072'
    
  • Download the latest source code from the web page, uncompress it and compile the library. Replace the placeholder version X.Y with the most current version.

      $ wget https://launchpad.net/libmemcached/1.0/1.X.Y/+download/libmemcached-1.X.Y.tar.gz
      $ tar -zxf libmemcached-1.X.Y.tar.gz
      $ cd libmemcached-1.X.Y
      $ ./configure --prefix=/opt/bitnami/common
      $ make
      $ sudo make install
    
  • Copy the zlib.h header file to the correct directory:

      $ sudo cp /usr/include/zlib.h /opt/bitnami/common/include/
    
  • Download and compile the PHP7 memcached module:

      $ export PHP_AUTOCONF=/usr/bin/autoconf
      $ export PHP_PREFIX=/opt/bitnami/php
      $ cd ~/
      $ git clone https://github.com/php-memcached-dev/php-memcached.git
      $ cd php-memcached
      $ git checkout php7
      $ /opt/bitnami/php/bin/phpize
      $ ./configure --enable-memcached --with-zlib-dir=/opt/bitnami/common --with-libmemcached-dir=/opt/bitnami/common --with-php-config=/opt/bitnami/php/bin/php-config --disable-memcached-sasl
      $ make
      $ sudo make install
    
  • Enable the module in the php.ini file:

      $ echo 'extension=memcached.so' | sudo tee -a /opt/bitnami/php/lib/php.ini
    
  • Start the memcached server as below:

      $ sudo /opt/bitnami/nami/bin/nami start memcached
    
  • Restart other services:

      $ sudo service bitnami restart
    

If you would like the memcached service to start automatically on boot, you can add it to the init script. Follow the steps below:

  • Stop all services:

      $ sudo service bitnami stop
    
  • Edit the /etc/init.d/bitnami file and update the start/stop/restart methods so that they look like this:

      case "$1" in
        start)
          ulimit -u 64000 ; ulimit -n 100000 ; ulimit -v unlimited ; ulimit -f unlimited ; ulimit -t unlimited ; ulimit -m unlimited ; ulimit -l unlimited
          /opt/bitnami/nami/bin/provisioner start && sudo /opt/bitnami/nami/bin/nami start memcached
          exit $?
          ;;
        stop)
          /opt/bitnami/nami/bin/provisioner stop && sudo /opt/bitnami/nami/bin/nami stop memcached
          exit $?
          ;;
        restart|force-reload|reload)
          ulimit -u 64000 ; ulimit -n 100000 ; ulimit -v unlimited ; ulimit -f unlimited ; ulimit -t unlimited ; ulimit -m unlimited ; ulimit -l unlimited
          /opt/bitnami/nami/bin/provisioner stop && sudo /opt/bitnami/nami/bin/nami stop memcached || exit 1
          sleep 5
          /opt/bitnami/nami/bin/provisioner start && sudo /opt/bitnami/nami/bin/nami start memcached
          exit $?
          ;;
      esac
    
  • Start services again:

      $ sudo systemctl daemon-reload
      $ sudo service bitnami start
    

Testing

Check that the PHP memcached extension is installed:

    $ php -m | grep memcached

Once installed, check if the PHP memcached extension is working properly. To do this, create a PHP script file under your Web server root directory with the code below and access it using your Web browser:

    <?php
    $mc = new Memcached();
    $mc->addServer("127.0.0.1", 11211);

    $result = $mc->get("test_key");

    if($result) {
        echo $result;
    } else {
        echo "No data in cache. Please refresh page.";
        $mc->set("test_key", "test data pulled from cache!") or die ("Failed to save data in memcached server");
    }
    ?>

How to enforce WordPress security?

How to detect malicious software on a WordPress installation?

Install the Wordfence Security plugin via the WordPress dashboard and run a scan of your WordPress installation, as follows:

  • Log in to your WordPress dashboard.
  • Select the "Plugins -> Add New" option.
  • Type "wordfence" in the search box.
  • Install the "Wordfence Security" plugin by clicking the "Install Now" button.

    WordPress plugin installation

  • Click the "Activate plugin" link. A new entry should now appear in the left navigation menu.

    WordPress plugin installation

  • Click the "Wordfence" menu item and then the "Start a Wordfence Scan" option.
  • Wait until the scan ends.

    WordPress plugin installation

How to re-enable the XML-RPC pingback feature?

A pingback is a special type of comment that is created when you link to another blog post and it is a functionality of the WordPress XML-RPC module.

IMPORTANT: Since the Bitnami WordPress Stack 4.4.2-3, the pingback feature in the XML-RPC module has been disabled.

Other XML-RPC features continue working as before so you can still publish content in your WordPress blog/website from Web clients or smartphone apps.

In order to enable it again, edit the WordPress configuration file (located at /opt/bitnami/wordpress/wp-config.php) and remove the last two filters related to XML-RPC and pingback. Specifically these lines:

    // remove x-pingback HTTP header
    add_filter('wp_headers', function($headers) {
      unset($headers['X-pingback']);
      return $headers;
    });
    // disable pingbacks
    add_filter( 'xmlrpc_methods', function( $methods ) {
      unset( $methods['pingback.ping'] );
      return $methods;
    });

Why is pingback functionality disabled by default?

WordPress implements an interface to use the XML-RPC protocol. This allows features like remote publishing from Web clients, smartphone apps and more. You can find more info in the WordPress Codex XML-RPC Page.

The XML-RPC feature of WordPress is known to be susceptible to two types of attacks:

If most of the entries in your logs come from the same IP address, it's likely your site is either under a brute force amplification attack or being used to launch a pingback attack towards a different site. If the entries come from different IP addresses, your site is probably the victim of a pingback attack.
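The heuristic above can be applied directly to the Apache access log. The script below is an added example, not part of the Bitnami documentation: it counts POST requests to /xmlrpc.php per client address and reports whether one source dominates. It assumes the common/combined log format and treats "most" as more than half of the requests; the log lines are constructed samples using documentation address ranges.

```shell
#!/bin/sh
# Added example: apply the "same IP vs. many IPs" heuristic to access-log lines.
# Assumptions: Apache common/combined log format; "most" means more than 50%.

# xmlrpc_triage: reads log lines on stdin and prints one summary line:
#   <verdict> total=<requests> sources=<distinct IPs> top=<ip> top_hits=<n>
# verdict "single-source": most requests come from one address
#   (brute force amplification, or the site is being used to launch pingbacks)
# verdict "distributed": requests are spread over many addresses
#   (the site is probably the victim of a pingback attack)
xmlrpc_triage() {
    awk '
        # Field 1 = client IP, field 6 = opening quote + method, field 7 = path
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php(\?|$)/ { hits[$1]++; total++ }
        END {
            if (total == 0) { print "none total=0 sources=0 top=- top_hits=0"; exit }
            for (ip in hits) {
                sources++
                # keep the busiest client; break ties on the lowest address string
                if (hits[ip] > max || (hits[ip] == max && ip < top)) {
                    max = hits[ip]; top = ip
                }
            }
            verdict = (max * 2 > total) ? "single-source" : "distributed"
            printf "%s total=%d sources=%d top=%s top_hits=%d\n",
                   verdict, total, sources, top, max
        }'
}

# Constructed sample: one address sends four of the five XML-RPC requests.
sample_single_source() {
    cat <<'EOF'
203.0.113.10 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "sample-agent"
203.0.113.10 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "sample-agent"
203.0.113.10 - - [10/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "sample-agent"
203.0.113.10 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "sample-agent"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "sample-agent"
198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "sample-agent"
EOF
}

# Constructed sample: four addresses, one XML-RPC request each.
sample_distributed() {
    cat <<'EOF'
192.0.2.11 - - [10/Mar/2024:11:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "sample-agent"
192.0.2.12 - - [10/Mar/2024:11:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "sample-agent"
192.0.2.13 - - [10/Mar/2024:11:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "sample-agent"
192.0.2.14 - - [10/Mar/2024:11:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "sample-agent"
192.0.2.11 - - [10/Mar/2024:11:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2100 "-" "sample-agent"
EOF
}

echo "sample 1: $(sample_single_source | xmlrpc_triage)"
echo "sample 2: $(sample_distributed | xmlrpc_triage)"
```

On a server, run `xmlrpc_triage < ACCESS_LOG`, replacing the ACCESS_LOG placeholder with the path to your Apache access log.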

Please keep in mind that none of these attacks are related to a security issue, but are the result of abusing pingbacks and the XML-RPC mechanism.

The DDoS attack became more popular after WordPress version 3.5 was released with the pingback feature enabled by default.

Current countermeasures:

  • Since Bitnami WordPress Stack 4.4, the brute force amplification attack is no longer exploitable, although a common brute force attack is still possible.
  • Since Bitnami WordPress Stack 4.4.2-3, the pingback feature has been disabled. This means a malicious agent won't be able to use your WordPress to perform DDoS attacks on other instances.
  • We also ship the Jetpack plugin, which can help protect a site against brute force attacks thanks to the Protect module. You can find more information on the Jetpack website. The plugin is inactive by default; enable it using the WordPress admin panel.

Even with these actions, you will still be vulnerable to common brute force attacks using the XML-RPC module.

Apart from these, there are at least two more countermeasures you can apply, although each one has its own drawbacks:

  • Enable mod_security: The mod_security Apache module supplies an array of request filtering and other security features to the Apache HTTP server.
  • Disable XML-RPC: It will avoid both types of attacks but smartphone apps, remote publishing and some plugins won't work. You can find more information at this blog post about disabling XML-RPC in WordPress.
  • Block the offending IP addresses: This should be considered a fragile, short-term solution.

How to upgrade WordPress?

It is strongly recommended to create a backup before starting the update process. If you have important data, create and try to restore a backup to ensure that everything works properly.

You can update WordPress easily from its administration panel, as follows:

  • Log in to WordPress using the administrator account.

  • Select the "Dashboard -> Updates" menu item.

    WordPress update

  • Review the resulting page to see if WordPress needs an update. If an update is available, you can install it by clicking the "Update Now" button.

    WordPress update

How to use the WP-CLI command line tool?

WP-CLI is the command-line interface for WordPress. You can update plugins, configure multisite installs and much more, without using a Web browser. It is already included with the Bitnami solution so you can start using it easily. In order to check that everything is working properly, you can run the info command:

$ /opt/bitnami/apps/wordpress/bin/wp cli info

NOTE: The wp utility is also included in the system path so you can run the command without specifying the whole path to the file.