WordPress as a web application in Azure
Lukas Beran
You can have a website, including WordPress, on a regular server, i.e. as part of infrastructure services (IaaS – Infrastructure as a Service). But a much better option is to move up a level to platform services (PaaS – Platform as a Service). In platform services, you do not have to worry about the operating system, applications, updates, security, upgrades, etc.; all this is handled by the provider for you. Plus, you automatically get high availability and easy scalability. This greatly simplifies administration.
Services in Azure for web applications
WordPress is an application written in PHP that uses a MySQL database. So we will need Azure App Service (a Linux web application with PHP support) and Azure Database for MySQL (MySQL as a service in Azure).
Create services in Azure for WordPress
As I mentioned, we will need to create two services in Azure – a web application and a database.
Create a web application in Azure for WordPress
First we will create a new web application. Select Create a resource and then search for Web App. Choose the subscription where the service will be based. Create a new resource group for the web application. Next, we must specify the application instance name, which is actually the domain name on the azurewebsites.net domain, so the name must be globally unique. The web application will also be available at this address (including over HTTPS); of course you can then use any custom domain name. We select PHP 7.3 as the Runtime stack, Linux as the operating system, and a region. I recommend Western Europe or Northern Europe.
In the Linux plan section, create a new plan. The plan is essentially a SKU, the size of the instance. For small sites or some testing you can use B1. For production environments or larger applications I recommend Standard or Premium plans. However, even the basic B1 plan has a 99.95% uptime guarantee, which is typically more than a regular local web hosting provider can offer. Of course, this basic plan also supports custom domains, HTTPS, manual scaling, etc.
Create a database in Azure for WordPress
As with the web application, we create a database. It can be found under the name Azure Database for MySQL. Select the subscription again and select the same resource group that you used for the web application. Set the database server name and admin username, and enter the password twice. Choose the same location as the web application to keep latency low. Choose 8.0 for the database version.
For common applications the basic database server size should be enough, i.e. Basic with one processor core and 5 GB database capacity. Optionally, you can set the retention period for database backups.
Configure Azure Web App for WordPress
Once we have created the web application, we look at the configuration options. You may notice that creating the first application created two resources – App Service plan and App Service.
Setting Azure App Service plan
The Azure App Service plan is the SKU you pay for. It is basically purchased computing power in Azure. Within this capacity, you can create as many apps as you like, depending on how much of your resources they use. These are primarily storage capacity, processing power in the form of processor time (known as ACU – Azure Compute Unit in Azure Web Apps) and operating memory.
In the App Service plan settings you can see all the applications associated with this plan and the storage space used across all applications. You also have the option to change the scaling settings for both the width (number of instances – scale out) and height (size of instances – scale up) serving the given App Service plan.
Azure App Service settings
Azure App Service resources are the individual applications running in Azure. Typically, these are the individual sites you host in Azure. There are many settings here; describing everything would be a separate article, so maybe next time 🙂 So I will focus on the settings that are important or necessary for running WordPress.
In the Deployment Center tab, you need to configure the deployment options for your web application. The most versatile is FTP, for which we need to set up credentials. Also available are Azure DevOps Service (formerly known as VSTS), GitHub, BitBucket or Local Git.
Configuration – Application settings
Important settings can be found on the Configuration tab. Here in Application Settings, we must set the path to the certificate authority that issued the certificate to encrypt the connection to the MySQL server. Related information can be found in the article Encrypted database connection in Adminer. The name of the setting is MYSQL_SSL_CA, the value for the setting is the absolute path to the downloaded authority certificate, such as /site/wwwroot/bin/cert.pem. Without this configuration, the encrypted database connection that we will enforce in the database server configuration would not work.
Below we set the Connection string to connect to the database. This is not necessary – it can be set directly in the wp-config.php file in the WordPress source files, but storing your login credentials in a readable form in the configuration files is very inappropriate for security reasons. Anyone who gains access to the files will also get readable login data to your database, which is a great security risk. Therefore, we put the data into the connection string and read it from the wp-config file, which is significantly safer. It would be optimal to use Azure Key Vault, but another time 🙂 We will create a new Connection string and name it arbitrarily. The connection string type is MySQL. The value of the connection string will be as follows:
Database=dbname; Data Source=dbserver.mysql.database.azure.com; User Id=user@dbserver; Password=superSecretStrongPassword123456
Database is the name of the database within the database server. Data source is the address of the database server. User Id is the user name of the user who has the rights to perform the operations on the defined database and Password is the password of the user. The procedure for creating a database is described later in this article.
Configuration – General settings
On the General settings tab we can change the version of PHP if the currently set version causes any problems. Next, we need to set up FTP to use it to copy data – I recommend enforcing encrypted FTPS. I recommend setting the HTTP version to 2.0 (a more modern version allowing parallel processing of requests). Set Always on to On (we do not want to suspend the service in case of inactivity).
If you want to use your own domain, you must add it in the Custom domains settings. You can add multiple domains or subdomains. For each domain, it is necessary to confirm its ownership via TXT record before adding it.
It is also possible to force HTTPS (setting HTTPS Only to On), which I recommend.
There is no need to change anything on this page, but I recommend setting HTTPS Only to On and Minimum TLS Version to 1.2 (older ones are no longer considered completely safe).
Configure Azure Database for MySQL for WordPress
No major changes are required for database settings. The most important thing is to allow connection to the database from Azure services, because otherwise our web application will not connect.
In the Firewall rules section, change the Allow access to Azure services setting to On. This opens the firewall of our database server to all Azure services, including resources outside your own subscription, not just our web application. This is not a big problem, as access is protected by a strong password and traffic to the server is monitored.
In SSL settings, it is recommended to set Enforce SSL connection to Enabled.
Create a database for WordPress
We have a database server ready, but we don’t have a database. The database can be created simply via Adminer, see my previous article. Here we enter the following commands into the SQL command window.
CREATE DATABASE dbname character set utf8 collate utf8_czech_ci;
CREATE USER 'user'@'%' IDENTIFIED WITH mysql_native_password BY 'superSecretStrongPassword123456';
GRANT ALL ON dbname.* TO 'user'@'%';
WordPress settings for Azure
Now we have set up the Azure services themselves. All that remains is to copy the WordPress source files via FTP and edit the wp-config.php file so that it can connect securely to our Azure database.
We must also copy, via FTP, the certificate of the certification authority that issued the certificate used to encrypt the connection to Azure MySQL. The procedure is described directly in the documentation. The path to the certificate on the FTP must match the path defined in Configuration – Application settings.
Set up wp-config for Azure web applications
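Because I had a redirection loop problem the first time, I put the following into the wp-config.php file:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
    $_SERVER['HTTPS'] = 'on'; // tell WordPress the original request arrived over HTTPS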
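For an encrypted connection to the database to work, you need to add the following to the wp-config.php file. Note that MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT turns off verification of the server certificate, so the connection is encrypted but the server's identity is not checked.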
define( 'MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT );
define( 'MYSQL_SSL_CA', getenv('MYSQL_SSL_CA'));
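For the connection to the database to work, it is necessary to define settings for the connection, i.e. database name, username, password and database server address:
$connectstr_dbhost = '';
$connectstr_dbname = '';
$connectstr_dbusername = '';
$connectstr_dbpassword = '';
// Azure exposes a MySQL connection string as the environment variable MYSQLCONNSTR_<name>
$value = getenv('MYSQLCONNSTR_bridgesConnection'); //bridgesConnection is the name of the connection string defined in the Azure Web App before
$connectstr_dbhost = preg_replace("/^.*Data Source=(.+?);.*$/", "\\1", $value);
$connectstr_dbname = preg_replace("/^.*Database=(.+?);.*$/", "\\1", $value);
$connectstr_dbusername = preg_replace("/^.*User Id=(.+?);.*$/", "\\1", $value);
$connectstr_dbpassword = preg_replace("/^.*Password=(.+?)$/", "\\1", $value);
// Hand the parsed values to WordPress (these replace the default DB_* definitions in wp-config.php)
define( 'DB_NAME', $connectstr_dbname );
define( 'DB_USER', $connectstr_dbusername );
define( 'DB_PASSWORD', $connectstr_dbpassword );
define( 'DB_HOST', $connectstr_dbhost );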
Thanks to the code above, we have defined the database connection parameters without having to write them in readable form directly into the source code.
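A stricter way to read the same connection string, as an added example that is not part of the original article: when a key is missing, preg_replace() returns its input unchanged, so the whole string (password included) would end up in the host or user variable. The helper names connstr_field and parse_mysql_connstr and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not WordPress or Azure code.

// Return one field of a "Key=Value; Key=Value" connection string, or throw.
// preg_match() reports a miss; preg_replace() returns its input unchanged,
// which would leave the whole string (password included) in the variable.
function connstr_field($connstr, $key, $to_end = false)
{
    // The key must start the string or follow ';' so that it cannot match
    // inside another field's value.
    $capture = $to_end ? '(.+)$' : '([^;]+)';
    $pattern = '/(?:^|;)\s*' . preg_quote($key, '/') . '=' . $capture . '/';
    if (preg_match($pattern, $connstr, $m) !== 1 || trim($m[1]) === '') {
        // Name the missing key only; never put the string in a message.
        throw new RuntimeException("Connection string has no '$key' field");
    }
    return $to_end ? $m[1] : trim($m[1]);
}

function parse_mysql_connstr($connstr)
{
    if (!is_string($connstr) || $connstr === '') {
        throw new RuntimeException('Connection string variable is not set');
    }
    return array(
        'host'     => connstr_field($connstr, 'Data Source'),
        'name'     => connstr_field($connstr, 'Database'),
        'user'     => connstr_field($connstr, 'User Id'),
        // Assumption: Password is the last field, as in the sample string,
        // so the password itself may contain ';'.
        'password' => connstr_field($connstr, 'Password', true),
    );
}

// Constructed sample input in the layout of the connection string above.
$sample = 'Database=dbname; Data Source=dbserver.mysql.database.azure.com; '
        . 'User Id=user@dbserver; Password=pa;ss=word';
$db = parse_mysql_connstr($sample);
printf("%s %s %s\n", $db['host'], $db['name'], $db['user']);

// A string with no Password field is rejected instead of being used as-is.
try {
    parse_mysql_connstr('Database=dbname; Data Source=dbserver; User Id=user@dbserver');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

In wp-config.php the input would be getenv('MYSQLCONNSTR_bridgesConnection'), which returns false when the connection string is not configured; the first check covers that case.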
By default, Azure Web App allows you to upload files up to 2 MB in size. The easiest way to allow uploading larger files for a single application is through the .htaccess file, where we put the following:
php_value upload_max_filesize 128M
php_value post_max_size 128M