Overview
Centmin Mod has an inbuilt WordPress + WP Super Cache auto installer invoked via centmin.sh menu option 22. It is recommended to always ensure your Centmin Mod installed code is up to date before running the installer. To update, follow instructions at centminmod.com/upgrade.html.
This WordPress installer uses the WP-CLI command line tool to automate installation of WordPress itself, database setup, and auto-installing/activating a curated set of WordPress plugins.
What the auto-installer sets up:
- WordPress core with WP Super Cache plugin
- Security plugins (Sucuri, Limit Login Attempts, Disable XML-RPC)
- Performance plugins (Autoptimize, Rocket Lazy Load)
- SEO (Yoast SEO), backup (UpdraftPlus), and monitoring plugins
- HTTP auth protected wp-login.php with rate limiting
- Self-signed SSL certificate and HTTPS vhost
- FTP user account via Pure-FTPD
- Automated WordPress update cronjob
Additional Performance & General Notes
- Guide to moving WordPress to a subdirectory (e.g. /blog)
- Add Redis Object Caching WP Plugin to complement WP Super Cache
- Setup Nginx level CDN usage outlined in FAQ 33
Key Output Sections
Uninstall Script & Auto-Update Cronjob
The installer automatically creates an uninstall script and WordPress auto-updating cronjob:
# Uninstall script created at:
/root/tools/wp_uninstall_newdomain2.com.sh
# Auto-updater script created at:
/root/tools/wp_updater_newdomain2.com.sh
# Cronjob entries:
*/15 * * * * sleep 119s ; wget -O - -q -t 1 http://newdomain2.com/wp-cron.php?doing_wp_cron=1 > /dev/null 2>&1
0 */8 * * * sleep 214s ;/root/tools/wp_updater_newdomain2.com.sh 2>/dev/nullCredentials Output
The installer outputs FTP, WordPress admin, and MySQL database credentials:
Wordpress domain: newdomain2.com
Wordpress DB Name: wp20480db_8333
Wordpress DB User: wpdb8333u21571
Wordpress DB Pass: wpdbskyTckdBbFJSp7982
Wordpress Admin User ID: 265902
Wordpress Admin User: zfDawCEvFRqn0U4VQ+wp28801
Wordpress Admin Pass: zNOnATs3Mutwps15760
Wordpress Admin Email: MY@EMAILADDRESS
wp-login.php protection file: /home/nginx/domains/newdomain2.com/htpasswd_wplogin
wp-login.php protection Username: ueZ7ghBHIxMlTnx6972
wp-login.php protection Password: pTRnQhwn6Vin6o6mRlY2y6972The WordPress Admin user ID is randomized at install time (not the default user id = 1) for security. The installation log is saved to /root/centminlogs/*_wordpress_addvhost.log.
Rate Limiting Configuration
The auto-generated Nginx vhost includes rate limiting for wp-login.php and xmlrpc.php:
location ~* /(wp-login\.php) {
limit_req zone=xwplogin burst=1 nodelay;
#limit_conn xwpconlimit 30;
auth_basic "Private";
auth_basic_user_file /home/nginx/domains/newdomain2.com/htpasswd_wplogin;
include /usr/local/nginx/conf/php-wpsc.conf;
}
location ~* /(xmlrpc\.php) {
limit_req zone=xwplogin burst=2 nodelay;
#limit_conn xwpconlimit 30;
include /usr/local/nginx/conf/php-wpsc.conf;
}Installed Plugins
The auto-installer installs 26 plugins, activating most of them:
| Status | Plugin | Purpose |
|---|---|---|
| Active | WP Super Cache | Page caching |
| Active | Autoptimize | HTML/CSS/JS optimization |
| Active | Rocket Lazy Load | Image lazy loading |
| Active | Sucuri Security | Malware scanning & hardening |
| Active | Disable XML-RPC | Security: disables XML-RPC |
| Active | Limit Login Attempts | Brute force protection |
| Active | Yoast SEO | Search engine optimization |
| Active | UpdraftPlus | Backups & restoration |
| Inactive | Query Monitor | MySQL query stats (enable as needed) |
| Inactive | Google Authenticator | Two-factor authentication |
Post-Install Steps
Complete these steps after the installer finishes:
- Enable Permalinks — Do NOT use links with .html extensions for performance reasons. Use
/%post_id%/%postname%/ - WP Super Cache — Settings > Super Cache > Easy tab: check "Caching On (Recommended)" and hit Update Status
- Advanced tab — Check "Use mod_rewrite", "Don't cache pages with GET parameters", "Known User (Recommended)", "Cache rebuild for anonymous users", "Clear all cache when a post or page updated"
- WP Security — Settings > Check All except "Enable Live Traffic tool" and hit Update settings
- Updates Notifier — Settings > Updates Notifier: setup notify email address and cronjob
- Autoptimize — Settings > Autoptimize: check Optimize HTML, JavaScript and CSS options
- Limit Login Attempts — Configure as desired or leave as defaults
- Sucuri Security — Click "Generate API key" and configure Settings tab
- WP-Optimize — Configure as needed
- GTmetrix — Register your GTmetrix Account and API Key
- Yoast SEO — Configure accordingly
- UpdraftPlus — Settings: set file/database backup intervals & optional remote storage
- Google Analytics — Settings: configure your Google Analytics UA Code
Verifying WP Super Cache is Working
In a private/incognito browser session, view the page source. Near the footer you should see:
<!-- Dynamic page generated in 0.209 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2015-09-03 17:58:31 -->Or verify via SSH command line:
curl -s http://yourwpdomain.com | tail -5Look for a line that says Cached page generated by WP-Super-Cache.
WordPress Nginx Vhost Contents
Auto-generated non-HTTPS Nginx vhost at /usr/local/nginx/conf/conf.d/newdomain2.com.conf:
server {
server_name newdomain2.com www.newdomain2.com;
# ngx_pagespeed & ngx_pagespeed handler (deprecated - no longer supported)
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;
access_log /home/nginx/domains/newdomain2.com/log/access.log combined buffer=256k flush=5m;
error_log /home/nginx/domains/newdomain2.com/log/error.log;
root /home/nginx/domains/newdomain2.com/public;
include /usr/local/nginx/conf/wpsupercache_newdomain2.com.conf;
location / {
# for wordpress super cache plugin
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
}
location ~* /(wp-login\.php) {
limit_req zone=xwplogin burst=1 nodelay;
auth_basic "Private";
auth_basic_user_file /home/nginx/domains/newdomain2.com/htpasswd_wplogin;
include /usr/local/nginx/conf/php-wpsc.conf;
}
location ~* /(xmlrpc\.php) {
limit_req zone=xwplogin burst=2 nodelay;
include /usr/local/nginx/conf/php-wpsc.conf;
}
include /usr/local/nginx/conf/wpsecure_newdomain2.com.conf;
include /usr/local/nginx/conf/php-wpsc.conf;
include /usr/local/nginx/conf/staticfiles.conf;
include /usr/local/nginx/conf/drop.conf;
include /usr/local/nginx/conf/vts_server.conf;
}SSL Certificate Setup
The auto-installer generates a self-signed SSL certificate. To switch to a paid/trusted SSL certificate, update these parameters in the HTTPS vhost file:
ssl_certificate /usr/local/nginx/conf/ssl/newdomain2.com/newdomain2.com.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/newdomain2.com/newdomain2.com.key;And enable (uncomment) OCSP stapling:
resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain2.com/newdomain2.com-trusted.crt;For free SSL certificates, see Let's Encrypt SSL setup. For SSL security headers and testing, see the Security Headers and SSL Testing sections.
Resetting wp-login.php Protection
To reset the HTTP authentication credentials for wp-login.php:
# Step 1: Remove existing protection file
rm -rf /home/nginx/domains/newdomain2.com/htpasswd_wplogin
# Step 2: Create new credentials
/usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/newdomain2.com/htpasswd_wplogin YOURUSERNAME YOURPASSWORD
# Step 3: Restart Nginx + PHP-FPM
nprestart