1. Goal

This guide shows one way to install WordPress on FreeBSD.

Here’s a full transcript of the guide being carried out.

Security Hazard

Deploying Web-based applications like WordPress is hard to do securely.

This guide’s steps bring about at least two temporary periods of vulnerability:


When MySQL first starts, its root account’s accessible to all local FreeBSD accounts, and the password’s empty.


When Apache first starts, WordPress allows a remote person to create its administration account. A malicious person could seize this opportunity to install a backdoor for later use.

Table 1. Versions
Software Version Package













PHP Module



Computer Type

This guide should work with any computer type for which the above packages are available. I used a Fusion 6.0.4 VM configured for a "FreeBSD 64-bit" guest.

2. Install Packages

  1. Install Apache, Apache’s PHP module, MySQL and WordPress.

    # pkg install apache24 mod_php5 mysql56-server wordpress
  2. Configure FreeBSD to start MySQL and Apache during boot, by adding this to /etc/rc.conf:


3. Configure MySQL

  1. Initialize MySQL. Some MySQL scripts will only run from a specific working directory (/usr/local here).

    # cd /usr/local
    # bin/mysql_install_db
  2. Allow only processes running as the mysql account to access MySQL’s database files.

    # chmod 700 /var/db/mysql
  3. Start MySQL.

    Security Hazard

    When MySQL first starts, the MySQL root account’s accessible to all local FreeBSD accounts—the password’s empty. A malicious person could seize this opportunity to install a backdoor for later use.

    This vulnerable state continues until mysql_secure_installation finishes.

    # service mysql-server start
  4. Run mysql_secure_installation to close the barn doors MySQL leaves open by default.

    Set a MySQL root password (this is MySQL’s root account, which is separate from the FreeBSD root account). Answer Y to all questions.

    # cd /usr/local
    # bin/mysql_secure_installation
  5. Make a MySQL database and account for WordPress to use. In this example, the database name’s WordPressFun, the account name’s alf, and the password’s t0pHatt25%.

    # mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 12
    Server version: 5.6.23 Source distribution
    Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    mysql> CREATE DATABASE WordPressFun;
    Query OK, 1 row affected (0.00 sec)
    mysql> GRANT ALL PRIVILEGES ON WordPressFun.* TO "alf"@"localhost" IDENTIFIED BY "t0pHatt25%";
    Query OK, 0 rows affected (0.00 sec)
    Query OK, 0 rows affected (0.00 sec)
    mysql> quit

4. Configure WordPress

  1. Make a copy of the default WordPress configuration file, taking care to avoid exposing its future content.

    # cd /usr/local/www/wordpress
    # umask 077
    # cp wp-config-sample.php wp-config.php
  2. Edit the WordPress configuration file to tell WordPress about its MySQL database and account.

    # ex wp-config.php
    wp-config.php: unmodified: line 80
    define('DB_NAME', 'WordPressFun');
    define('DB_USER', 'alf');
    define('DB_PASSWORD', 't0pHatt25%');
    wp-config.php: 80 lines, 2695 characters

    When finished editing, the diff output should look like this:

    # diff wp-config.php wp-config-sample.php
    < define('DB_NAME', 'WordPressFun');
    > define('DB_NAME', 'database_name_here');
    < define('DB_USER', 'alf');
    > define('DB_USER', 'username_here');
    < define('DB_PASSWORD', 't0pHatt25%');
    > define('DB_PASSWORD', 'password_here');
  3. Be sure that processes running as www can access the WordPress configuration file.

    # chown www:www wp-config.php
    # chmod 640 wp-config.php
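
A way to confirm that sections 3 and 4 left things as intended, added here as an example (it's not part of the original guide): it checks the permissions set by chmod 700 and chmod 640, and whether MySQL still accepts root without a password. The function names are this example's own; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: audit the state the guide's sections 3 and 4 should leave behind.
# Function names are this example's own; paths are the ones the guide uses.

# Print the nine permission characters of PATH as shown by `ls -ld`, e.g. rwx------
perms_of() {
    ls -ld -- "$1" | cut -c2-10
}

# Succeeds when neither group nor other has any access (guide: chmod 700).
private_to_owner() {
    [ "$(perms_of "$1" | cut -c4-9)" = "------" ]
}

# Succeeds when "other" has no access (guide: umask 077, then chmod 640).
hidden_from_others() {
    [ "$(perms_of "$1" | cut -c7-9)" = "---" ]
}

# Classify a password-less root login attempt from its exit status and output.
# "open" = the empty-password window is still open; "closed" = MySQL refused.
classify_root_login() {
    if [ "$1" -eq 0 ]; then echo open; return; fi
    case $2 in
        *"Access denied"*) echo closed ;;
        *) echo unknown ;;   # server down, client missing, socket error ...
    esac
}

audit() {
    rc=0
    private_to_owner /var/db/mysql || { echo "FAIL /var/db/mysql is not owner-only"; rc=1; }
    hidden_from_others /usr/local/www/wordpress/wp-config.php ||
        { echo "FAIL wp-config.php is readable by other accounts"; rc=1; }
    # --no-defaults must come first; it stops ~/.my.cnf from supplying a password.
    out=$(mysql --no-defaults -u root -e 'SELECT 1' 2>&1); status=$?
    state=$(classify_root_login "$status" "$out")
    [ "$state" = closed ] || { echo "FAIL MySQL root login without password: $state"; rc=1; }
    return $rc
}

# Run the audit only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--audit" ]; then audit && echo "OK"; fi
```

Run it with --audit as an unprivileged account that can read the WordPress directory; an "unknown" result means the login attempt failed for a reason other than a refused password, so the check proves nothing either way.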

5. Configure Apache

  1. Edit httpd.conf. This configuration will cause WordPress to appear at the host’s base URL, such as http://wordpress.example.net.

    Note that the php5_module line’s added automatically when the Apache PHP module’s installed. It’s shown in the ex session below just for context.

    # cd /usr/local/etc/apache24
    # cp httpd.conf httpd.conf.dist
    # ex httpd.conf
    httpd.conf: unmodified: line 534
       175  LoadModule php5_module        libexec/apache24/libphp5.so
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
       250  DocumentRoot "/usr/local/www/apache24/data"
       251  <Directory "/usr/local/www/apache24/data">
    <Directory "/usr/local/www/wordpress">
       250  DocumentRoot "/usr/local/www/wordpress"
       251  <Directory "/usr/local/www/wordpress">
        DirectoryIndex index.php
    httpd.conf: 541 lines, 20909 characters

    When the edits are complete, the diff between the edited and default configuration files should look like this:

    # diff httpd.conf httpd.conf.dist
    < <FilesMatch "\.php$">
    <     SetHandler application/x-httpd-php
    < </FilesMatch>
    < <FilesMatch "\.phps$">
    <     SetHandler application/x-httpd-php-source
    < </FilesMatch>
    < DocumentRoot "/usr/local/www/wordpress"
    < <Directory "/usr/local/www/wordpress">
    <     DirectoryIndex index.php
    > DocumentRoot "/usr/local/www/apache24/data"
    > <Directory "/usr/local/www/apache24/data">
  2. Start Apache:

    Security Hazard

    Starting Apache will cause WordPress to become remotely accessible, despite its incomplete configuration. In this state, WordPress allows an anonymous person to create its administration account. A malicious person could seize this opportunity to create an account that could be used later to view secret data.

    This vulnerable state continues until the WordPress Web-based interface’s used to create its initial administration account.

    # service apache24 start

6. Access WordPress

Accessing the host’s base URL with a Web browser should yield an administration account configuration screen:

[Screenshot: WordPress First Load]

After creating the administration account, logging in should yield this screen:

[Screenshot: WordPress First Login]

Copyright © 2015 Robroy Gregg