Setting up a WordPress blog using Amazon Web Services (AWS) with SSL support

Several tutorials, each with a different set of instructions, try to guide you on how to set up your website or your blog using Amazon Web Services (AWS) with your domain being hosted on a different domain service, but none of those tutorials are complete and accurate. Having struggled for days in figuring out the intricate details of the process, I think I am now in a good position to write this tutorial for everyone else who is struggling with setting up their websites on EC2. I will also explain how to integrate an SSL certificate with your website, as Google Chrome has marked all websites without an SSL certificate insecure, which is drastically going to affect the search engine ranking of your website. We will be covering the following steps:

#1: Setting up an Amazon EC2 instance on AWS
#2: Generating the SSL certificate for your blog using the Amazon Certificate Manager (ACM)
#3: Creating a Load Balancer to integrate the SSL certificate
#4: Creating a Public Host Zone using Amazon Route 53 service
#5: Importing your existing DNS records to Route 53
#6: Configuring WordPress for HTTPS (SSL)
#7: Updating DNS record in Route 53 to point to the Load Balancer

In this tutorial, I am assuming that your domain is with GoDaddy; however, the steps are similar with other domain services as well.

STEP 1: Setting up an Amazon EC2 instance on AWS

For everyone who does not know, Amazon provides a free tier usage for new users to try out their services.

Go to the AWS console and create an account if you do not have one already. Once you have successfully created your AWS account and logged in you will be on the AWS console dashboard. From there you need to click on the EC2 link which will redirect you to the EC2 dashboard.

Now on the EC2 dashboard you need to click on Launch instance to open the EC2 instance creation wizard. We will use an Amazon Machine Image (AMI) which has been already configured with WordPress to make the process easy for you. From the Quick Start menu click on the AWS Marketplace and search for WordPress using the search box.

Many results will be displayed but you need to select WordPress powered by Bitnami. Make sure you select the correct image to avoid running into problems at a later stage.

Now you will be asked which type of instance you prefer for your project. For the purpose of this tutorial we will go with the t2.micro instance, which is also free tier eligible, so you can experiment with it all you want. Click on the Configure Instance Details button at the bottom right corner of your screen. Leave all the options at default settings and click on the Add Storage button. The storage would be 10GB by default, which is okay for the tutorial. You can increase it to 30GB without incurring any extra charges under the free tier eligibility. Now click on the Add Tags button to give a name to your instance. Click on Add Tag and set Name as the Key and the name of your project in the Value box. Next click on Add Security Groups, which will take you to the next, very important step where you can configure rules for the inbound and outbound traffic. If you are new to all this, then I will suggest you leave the settings at default and click on Review and Launch.

Note: You can click on Select Existing Security Group and select the default security group but for some reason it did not work for me. I was not able to access my EC2 instance using the internet-facing IPv4 address provided.

After reviewing all your settings click on the Launch button on the final step of the Wizard to launch your EC2 instance. However, just as you click Launch, you will be presented with a screen to create a key pair for your instance. This key pair is highly important and will be required to create the SFTP connection to your EC2 instance in Step 6. Give your key pair a name, then download and save it. After this, click on Launch Instance to have your EC2 instance up and running the WordPress blog.

You can access the EC2 instance you just created from the EC2 dashboard.

Obtain the IPv4 Public IP of your running instance and paste it in your browser and hit Enter. If everything went right you should see a WordPress blog titled User’s blog.

Now click on the Actions dropdown and select Instance Settings and click on Get System Log. Scroll down till you reach the part where you will get the initial password for your WordPress admin account. The password would be towards the end, surrounded by pound symbols (#).

Type the IPv4 address of your instance followed by /admin in the browser (xx.xx.xx.xx/admin) and you would be redirected to the wp-login.php page of your blog. Enter ‘user’ as the username and the password you obtained from the system logs as the password. You should be logged in successfully.

STEP 2: Generating the SSL certificate for your blog using the Amazon Certificate Manager (ACM)

After completing the first step successfully go back to the services menu and from there using the search box or navigating through the services go to the Amazon Certificate Manager. AWS lets you generate an Amazon issued, ready-to-use SSL certificate in a few easy steps.

To create an SSL certificate for a domain you need to be the owner of the domain to approve the certificate creation request. Now click on the Request a certificate button, type in ‘*.yourdomain.com’ and click on the Add another name to the certificate button. Make sure to add ‘www.yourdomain.com’ as well as ‘yourdomain.com’. After adding all three, click on Review and request. You will receive approval requests at the email address registered in the WHOIS records of your domain, and after you have approved the certificate generation requests your certificate will be generated and ready to be used. You can easily manage your certificates using ACM.
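Why all three names are requested, as an added example that is not part of the original tutorial: the sketch below applies the standard TLS wildcard rule (a `*` stands for exactly one left-most label) to the three certificate names. The function names and the sample hostnames are constructed for illustration.

```python
# Added example: which hostnames does the certificate requested in Step 2 cover?
# Matching follows the usual TLS rule (RFC 6125): "*" is honoured only as the
# whole left-most label and stands for exactly one label.


def name_matches(pattern, hostname):
    """Return True if one certificate name covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False  # a wildcard never spans zero labels or several labels
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_names(cert_names, hostname):
    """List the certificate names that cover hostname (empty = browser error)."""
    return [name for name in cert_names if name_matches(name, hostname)]


# The three names from Step 2, using the tutorial's placeholder domain.
CERT_NAMES = ["*.yourdomain.com", "www.yourdomain.com", "yourdomain.com"]

# Constructed sample hostnames.
SAMPLES = [
    "yourdomain.com",           # apex: needs its own entry
    "www.yourdomain.com",       # covered twice
    "blog.yourdomain.com",      # covered by the wildcard only
    "dev.blog.yourdomain.com",  # two labels deep: not covered
]

if __name__ == "__main__":
    for host in SAMPLES:
        names = covering_names(CERT_NAMES, host)
        verdict = "covered by " + ", ".join(names) if names else "NOT covered"
        print(f"{host:26} {verdict}")
```

The wildcard alone does not cover the bare domain, which is why ‘yourdomain.com’ has to be listed explicitly.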

STEP 3: Creating a Load Balancer to integrate the SSL certificate

An AWS load balancer is normally used to distribute incoming traffic across multiple EC2 instances to increase the fault tolerance of the hosted applications; in this case, however, it is required to integrate the SSL certificate with your website/blog. The load balancer handles SSL with the certificate (SSL offloading) and then passes the user's request down to our website.

For a WordPress blog, we will use the Classic Load Balancer despite Amazon’s recommendation of using the Application Load Balancer. It is easy to set up and requires only a few minutes and a few easy steps.

Click on the Create Load Balancer button and select the Classic Load Balancer on the following screen. Now follow the next steps very carefully. Making a mistake in these steps can disrupt the traffic to your website.

In the first step of the setup Wizard give your Load Balancer a name. By default, the HTTP protocol will already be added which works on the Load Balancer Port 80. Click on the Add button and add the HTTPS protocol as well. Do not change the Instance Port and Instance Protocol as we want the load balancer to forward all the incoming traffic to HTTP Port 80 of the instance.

Now click on Assign Security Groups and on the following screen let the security group be default. Now click on Configure Security Settings and select the option to choose an existing ACM certificate. At this step, you are going to attach the SSL certificate to the Load Balancer.

Select the appropriate certificate that you had generated for your domain and click on Configure Health Check.  Now change the Ping Protocol from HTTP to TCP and Ping Port to 443. Now click on the Attach EC2 instance button and attach the instance you had created in the beginning of this tutorial. Next click on Add Tags and do the same thing you did for the EC2 instance, give your Load Balancer a name tag. Now click on the Review and Launch button; review your settings once again and click on Launch button when you are ready.

STEP 4: Creating a Public Host Zone using Amazon Route 53 service

The AWS Route 53 service is a Domain Name System (DNS) service which gives developers and businesses a highly reliable way to route traffic by translating domain names to the respective IP addresses at a very minimal price.

From the services menu search for Route 53 or select it from the list of services. Now you might see a screen which says Get Started or you might be taken directly to the list of hosted zones. Click on the Create Hosted Zone button, type in the name of your domain and click Create.

A public hosted zone should now be displayed which at first contains only two records – Nameservers (NS) and Start of Authority (SOA). Now comes one of the most important parts of this tutorial.

STEP 5: Importing your existing DNS records to Route 53

For this tutorial, I will use GoDaddy as a reference but the process is similar for other domain services as well. Log in to your GoDaddy account and open the DNS records of your domain. On the DNS management page for your domain scroll down to find the Advanced features section and click on Export Zone File. You can select either Windows or Unix; both work with Route 53. Now you will have the DNS records of your domain in a text file.

The next step is to change the Nameservers for your domain and point them to the Nameservers provided by AWS when you created the hosted zone in Route 53 (four different Nameservers will be provided, add all four).

Now go back to the hosted zone you had created in Route 53 and click on Import Zone File. It will provide you a text area to paste the contents of your zone file. Copy the contents of the zone file you had exported earlier and paste it there and click on import. Refresh the page to see the imported records.

Now in your record set, find the CNAME record with the name www.yourdomain.com and change it to *.yourdomain.com. This will save the effort of creating CNAME records for subdomains.

STEP 6: Configuring WordPress for HTTPS (SSL)

At this point, take a backup of all your WordPress files as you will be editing some important configuration files. Read thoroughly before attempting the following changes as it may break your blog. If anything goes wrong, just undo the steps to restore your blog back to normal.

For this part of the tutorial you will need an FTP client which supports Secure FTP (SFTP) such as Cyberduck, PuTTY or FileZilla and the key you obtained in Step 1 to create the connection. The details of creating the connection are for another tutorial.

We will be editing the files .htaccess and wp-config.php to redirect all inbound traffic to ‘HTTPS’. As the Load Balancer holds the SSL certificate and forwards all traffic to our WordPress instance on port 80, we want to make sure that WordPress exclusively uses the HTTPS protocol for all inbound traffic.

Let’s start by editing the .htaccess first. The file typically resides in the bitnami/apps/wordpress/htdocs folder. You might need to turn on the option to view hidden files in your FTP client. If you cannot find the file, log in to your WordPress admin panel, open Settings -> Permalinks and click Save Changes once. This will generate the .htaccess for you.

Now add the following rewrite rule at the very top of your .htaccess file and make sure there is nothing else above it. Make sure to replace ‘your-domain’ with your actual domain name.

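# Begin force ssl
<IfModule mod_rewrite.c>
 RewriteEngine On
 # The load balancer forwards every request to port 80 on the instance and
 # reports the visitor's original scheme in the X-Forwarded-Proto header,
 # so redirect only the requests that did not arrive over HTTPS.
 RewriteCond %{HTTP:X-Forwarded-Proto} !https
 RewriteRule ^(.*)$ https://your-domain/$1 [R,L]
</IfModule>
# End force ssl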

Note: If the FTP client does not allow the .htaccess file to be edited, install and activate the Yoast SEO plugin in WordPress. Now go to the plugin’s dashboard, switch to the ‘Features’ tab, enable ‘Advanced Features’ from there and save the changes. Now you will be able to access the Tools menu of the plugin where you can find the File Editor. Inside the File Editor you can edit your .htaccess and robots.txt.

We want to force SSL on the WordPress admin pages as well. For that we need to edit wp-config.php using the FTP client. The following code needs to be added to the file just before the comment that reads ‘That’s all, stop editing’.

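/** force SSL on admin pages **/
define('FORCE_SSL_ADMIN', true);
// The load balancer reports the visitor's original scheme in X-Forwarded-Proto.
// Check that the header is present before reading it, then tell WordPress
// that the request was made over HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}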

Now scroll down a bit to find the WP_SITEURL and WP_HOME and change the ‘http’ to ‘https’.

STEP 7: Updating DNS record in Route 53 to point to the Load Balancer

Now for the final step, we will point the A record in the Route 53 hosted zone to the Load Balancer. Luckily Amazon makes it a one-click task. Go to the hosted zone and select the A record. On the right side of the screen, switch the option of ‘Alias’ to Yes and select your Load Balancer as the Alias Target from the dropdown list.

There is a possibility that HTTPS still does not work correctly when you try to open your blog/website using ‘yourdomain.com’ and ‘www.yourdomain.com’. If this happens, please install the plugin ‘http to https forced url’ using your WordPress dashboard. Now if you followed the steps correctly your blog/website should be working with SSL on the HTTPS protocol. If you have any confusion or encounter any problem please feel free to leave a comment. We will respond within 24 hours.
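A way to confirm the result for both ‘yourdomain.com’ and ‘www.yourdomain.com’, as an added example that is not part of the original tutorial: the script sends one request over HTTP and one over HTTPS without following redirects and reports a missing redirect, a redirect loop or a certificate error. The names judge and probe are chosen here for illustration; pass your own host names on the command line.

```python
# Added example (not from the original tutorial): check HTTP -> HTTPS behaviour.
import http.client
import sys
from urllib.parse import urljoin, urlsplit


def judge(scheme, host, status, location):
    """Classify one un-followed response to a request for scheme://host/."""
    if status in (301, 302, 307, 308):
        # Resolve a relative Location against the URL that was requested.
        target = urlsplit(urljoin(f"{scheme}://{host}/", location or ""))
        if target.scheme != "https":
            return "FAIL: redirect target is not HTTPS"
        same_page = target.hostname == host.lower() and target.path in ("", "/")
        if scheme == "https" and same_page:
            return "FAIL: HTTPS redirects to itself (redirect loop)"
        return "OK: redirects to " + target.geturl()
    if status == 200:
        if scheme == "https":
            return "OK: served over HTTPS"
        return "FAIL: served over plain HTTP without a redirect"
    return f"CHECK: unexpected status {status}"


def probe(scheme, host, timeout=10):
    """HEAD / without following redirects; HTTPS also validates the certificate."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(host, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return judge(scheme, host, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python3 check_https.py yourdomain.com www.yourdomain.com
    for host in sys.argv[1:]:
        for scheme in ("http", "https"):
            try:
                print(f"{scheme}://{host}/ ->", probe(scheme, host))
            except (OSError, http.client.HTTPException) as exc:
                # OSError covers DNS, connection and certificate errors.
                print(f"{scheme}://{host}/ -> FAIL: {exc}")
```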

 

 
