WordPress Auto-Installer

Overview

Centmin Mod has an inbuilt WordPress + WP Super Cache auto installer invoked via centmin.sh menu option 22. It is recommended to always ensure your Centmin Mod installed code is up to date before running the installer. To update, follow instructions at centminmod.com/upgrade.html.

This WordPress installer uses the WP-CLI command line tool to automate installation of WordPress itself, database setup, and auto-installing/activating a curated set of WordPress plugins. Install WP-CLI via addons/wpcli.sh install from /usr/local/src/centminmod — it provides a wp alias that runs WP-CLI with --allow-root automatically, so you can update WordPress plugins via SSH with wp plugin update --all. See the WP-CLI Management section for full details.

To update WordPress plugins via SSH using WP-CLI: first install WP-CLI via addons/wpcli.sh install from /usr/local/src/centminmod, then run wp plugin update --all from the WordPress root at /home/nginx/domains/yourdomain.com/public. The wp alias includes --allow-root automatically when running as root.

# Step 1: Install WP-CLI (one-time setup)
cd /usr/local/src/centminmod
addons/wpcli.sh install

# Step 2: Update all WordPress plugins via SSH
# Use --allow-root flag when running as root (the wp alias adds it automatically)
cd /home/nginx/domains/yourdomain.com/public
wp plugin update --all --allow-root

# WP-CLI Quick Reference — run from /usr/local/src/centminmod

# Step 1: Install WP-CLI via Centmin Mod addon script
cd /usr/local/src/centminmod
addons/wpcli.sh install

# Step 2: Update WordPress plugins via SSH (--allow-root required when running as root)
cd /home/nginx/domains/yourdomain.com/public
wp plugin update --all --allow-root

# Update all themes
wp theme update --all --allow-root

# Update WordPress core
wp core update --allow-root

What the auto-installer sets up:

WordPress core with WP Super Cache plugin
Security plugins (Sucuri, Limit Login Attempts, Disable XML-RPC)
Performance plugins (Autoptimize, Rocket Lazy Load)
SEO (Yoast SEO), backup (UpdraftPlus), and monitoring plugins
HTTP auth protected wp-login.php with rate limiting
Self-signed SSL certificate and HTTPS vhost
FTP user account via Pure-FTPD
Automated WordPress update cronjob

Additional Performance & General Notes

Guide to moving WordPress to a subdirectory (e.g. /blog)
Add Redis Object Caching WP Plugin to complement WP Super Cache
Setup Nginx level CDN usage outlined in FAQ 33

centmin.sh Menu Option 22

Select option 22 from the Centmin Mod menu to launch the WordPress auto-installer. Menu option 22 supports installing WordPress in the domain root or in a subdirectory — set SUBDIR_INSTALL=y during the prompts to install WordPress in a subdirectory like /blog/ (see WordPress in a Subdirectory).

--------------------------------------------------------
Centmin Mod - http://centminmod.com
--------------------------------------------------------
                   Centmin Mod Menu
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
...
22). Add Wordpress Nginx vhost + WP Super Cache
...
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ]  22

The installer will prompt you for:

Vhost domain name (without www. prefix)
Whether to create a self-signed SSL certificate
Email address for WordPress installation
FTP username for the vhost domain
Whether to auto-generate an FTP password
WordPress in a subdirectory install option — set SUBDIR_INSTALL=y to install WordPress in a subdirectory (e.g., /blog/) instead of the domain root. See the WordPress in a Subdirectory section for details.

Key Output Sections

Uninstall Script & Auto-Update Cronjob

The installer automatically creates an uninstall script and WordPress auto-updating cronjob:

# Uninstall script created at:
/root/tools/wp_uninstall_newdomain2.com.sh

# Auto-updater script created at:
/root/tools/wp_updater_newdomain2.com.sh

# Cronjob entries:
*/15 * * * * sleep 119s ; wget -O - -q -t 1 http://newdomain2.com/wp-cron.php?doing_wp_cron=1 > /dev/null 2>&1
0 */8 * * * sleep 214s ;/root/tools/wp_updater_newdomain2.com.sh 2>/dev/null

Credentials Output

The installer outputs FTP, WordPress admin, and MySQL database credentials:

Wordpress domain: newdomain2.com
Wordpress DB Name: wp20480db_8333
Wordpress DB User: wpdb8333u21571
Wordpress DB Pass: wpdbskyTckdBbFJSp7982
Wordpress Admin User ID: 265902
Wordpress Admin User: zfDawCEvFRqn0U4VQ+wp28801
Wordpress Admin Pass: zNOnATs3Mutwps15760
Wordpress Admin Email: MY@EMAILADDRESS

wp-login.php protection file: /home/nginx/domains/newdomain2.com/htpasswd_wplogin
wp-login.php protection Username: ueZ7ghBHIxMlTnx6972
wp-login.php protection Password: pTRnQhwn6Vin6o6mRlY2y6972

The WordPress Admin user ID is randomized at install time (not the default user id = 1) for security. The installation log is saved to /root/centminlogs/*_wordpress_addvhost.log.

Rate Limiting Configuration

The auto-generated Nginx vhost includes rate limiting for wp-login.php and xmlrpc.php:

location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    auth_basic "Private";
    auth_basic_user_file /home/nginx/domains/newdomain2.com/htpasswd_wplogin;
    include /usr/local/nginx/conf/php-wpsc.conf;
}

location ~* /(xmlrpc\.php) {
    limit_req zone=xwplogin burst=2 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
}

Installed Plugins

The auto-installer installs 26 plugins, activating most of them:

Status	Plugin	Purpose
Active	WP Super Cache	Page caching
Active	Autoptimize	HTML/CSS/JS optimization
Active	Rocket Lazy Load	Image lazy loading
Active	Sucuri Security	Malware scanning & hardening
Active	Disable XML-RPC	Security: disables XML-RPC
Active	Limit Login Attempts	Brute force protection
Active	Yoast SEO	Search engine optimization
Active	UpdraftPlus	Backups & restoration
Inactive	Query Monitor	MySQL query stats (enable as needed)
Inactive	Google Authenticator	Two-factor authentication

Post-Install Steps

Complete these steps after the installer finishes:

Enable Permalinks — Do NOT use links with .html extensions for performance reasons. Use /%post_id%/%postname%/
WP Super Cache — Settings > Super Cache > Easy tab: check "Caching On (Recommended)" and hit Update Status
Advanced tab — Check "Use mod_rewrite", "Don't cache pages with GET parameters", "Known User (Recommended)", "Cache rebuild for anonymous users", "Clear all cache when a post or page updated"
WP Security — Settings > Check All except "Enable Live Traffic tool" and hit Update settings
Updates Notifier — Settings > Updates Notifier: setup notify email address and cronjob
Autoptimize — Settings > Autoptimize: check Optimize HTML, JavaScript and CSS options
Limit Login Attempts — Configure as desired or leave as defaults
Sucuri Security — Click "Generate API key" and configure Settings tab
WP-Optimize — Configure as needed
GTmetrix — Register your GTmetrix Account and API Key
Yoast SEO — Configure accordingly
UpdraftPlus — Settings: set file/database backup intervals & optional remote storage
Google Analytics — Settings: configure your Google Analytics UA Code

Verifying WP Super Cache is Working

In a private/incognito browser session, view the page source. Near the footer you should see:

<!-- Dynamic page generated in 0.209 seconds. -->
<!-- Cached page generated by WP-Super-Cache on 2015-09-03 17:58:31 -->

Or verify via SSH command line:

curl -s http://yourwpdomain.com | tail -5

Look for a line that says Cached page generated by WP-Super-Cache.

WordPress Nginx Vhost Contents

Auto-generated non-HTTPS Nginx vhost at /usr/local/nginx/conf/conf.d/newdomain2.com.conf:

server {
  server_name newdomain2.com www.newdomain2.com;

  # ngx_pagespeed & ngx_pagespeed handler (deprecated - no longer supported)
  #include /usr/local/nginx/conf/pagespeed.conf;
  #include /usr/local/nginx/conf/pagespeedhandler.conf;
  #include /usr/local/nginx/conf/pagespeedstatslog.conf;

  access_log /home/nginx/domains/newdomain2.com/log/access.log combined buffer=256k flush=5m;
  error_log /home/nginx/domains/newdomain2.com/log/error.log;

  root /home/nginx/domains/newdomain2.com/public;

  include /usr/local/nginx/conf/wpsupercache_newdomain2.com.conf;

  location / {
    # for wordpress super cache plugin
    try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
  }

  location ~* /(wp-login\.php) {
      limit_req zone=xwplogin burst=1 nodelay;
      auth_basic "Private";
      auth_basic_user_file /home/nginx/domains/newdomain2.com/htpasswd_wplogin;
      include /usr/local/nginx/conf/php-wpsc.conf;
  }

  location ~* /(xmlrpc\.php) {
      limit_req zone=xwplogin burst=2 nodelay;
      include /usr/local/nginx/conf/php-wpsc.conf;
  }

  include /usr/local/nginx/conf/wpsecure_newdomain2.com.conf;
  include /usr/local/nginx/conf/php-wpsc.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

SSL Certificate Setup

The auto-installer generates a self-signed SSL certificate. To switch to a paid/trusted SSL certificate, update these parameters in the HTTPS vhost file:

ssl_certificate      /usr/local/nginx/conf/ssl/newdomain2.com/newdomain2.com.crt;
ssl_certificate_key  /usr/local/nginx/conf/ssl/newdomain2.com/newdomain2.com.key;

And enable (uncomment) OCSP stapling:

resolver 8.8.8.8 8.8.4.4 valid=10m;
resolver_timeout 10s;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/newdomain2.com/newdomain2.com-trusted.crt;

For free SSL certificates, see Let's Encrypt SSL setup. For SSL security headers and testing, see the Security Headers and SSL Testing sections.

Resetting wp-login.php Protection

To reset the HTTP authentication credentials for wp-login.php:

# Step 1: Remove existing protection file
rm -rf /home/nginx/domains/newdomain2.com/htpasswd_wplogin

# Step 2: Create new credentials
/usr/local/nginx/conf/htpasswd.sh create /home/nginx/domains/newdomain2.com/htpasswd_wplogin YOURUSERNAME YOURPASSWORD

# Step 3: Restart Nginx + PHP-FPM
nprestart

WordPress Caching Options

Menu option 22 supports four caching options during WordPress installation, controlled by the wpscache variable:

Option	wpscache Value	Cache Level	Requirements
1. Cache Enabler	`n` (default)	WordPress plugin	None — works out of the box
2. Redis Nginx-Level Cache	`redis`	Nginx level	Redis Nginx module compiled into Nginx
3. WP Super Cache	`y`	WordPress plugin	None — works out of the box
4. FastCGI Cache	`fastcgicache`	Nginx level	`WP_FASTCGI_CACHE='y'` in `custom_config.inc`

Nginx-level vs plugin-level caching: Redis and FastCGI cache operate at the Nginx level, serving cached pages without invoking PHP at all. Cache Enabler and WP Super Cache are WordPress plugins that still require PHP execution but serve static HTML files for cached requests.

For more details, see the forum discussion.

WordPress in a Subdirectory

Menu option 22 supports installing WordPress in a subdirectory instead of the domain root. During installation, when prompted for the subdirectory install option, select yes to set SUBDIR_INSTALL=y. The SUBDIR_INSTALL variable controls whether WordPress installs to a subdirectory path:

The installer prompts for a subdirectory name (e.g., blog installs to /home/nginx/domains/yourdomain.com/public/blog/)
Nginx rewrite rules are automatically configured for the subdirectory
The wpsecure include file is adjusted for subdirectory paths
SSL certificates cover the entire domain, so no additional SSL setup is needed

Note: The subdirectory name should not include leading or trailing slashes. Enter just the directory name (e.g., blog, not /blog/).

For more details, see the forum discussion.

Switching Cache Plugins

To switch between WordPress caching options after initial installation:

Switching from Cache Enabler to Redis

Deactivate and delete the Cache Enabler plugin via WP-CLI or WordPress admin
Run tools/wp-cache-enabler-generate.sh to clean up the Cache Enabler Nginx configuration files
Reinstall WordPress on the same domain via menu option 22, selecting the Redis cache option (option 2 at the caching prompt)

Removing Redis Nginx-Level Caching

To remove Redis nginx-level caching and revert to a standard WordPress setup, reinstall via menu option 22 with the Cache Enabler option (option 1, the default). This replaces the Redis-specific Nginx vhost configuration with the standard one.

Disabling/Removing Cache Enabler

If you want to remove Cache Enabler entirely:

# Deactivate and delete via WP-CLI
cd /home/nginx/domains/yourdomain.com/public
wp plugin deactivate cache-enabler
wp plugin delete cache-enabler

# Clean up Nginx Cache Enabler configs
/usr/local/src/centminmod/tools/wp-cache-enabler-generate.sh

# Restart Nginx
ngrestart

For more details, see the forum discussions: switching caches, removing Redis cache, disabling Cache Enabler.

Troubleshooting Menu Option 22 WordPress Install

Common issues when installing WordPress via menu option 22:

Database creation fails — Ensure MariaDB is running: systemctl status mariadb. Check if the database name or user already exists
SSL certificate issues — If DNS is not pointing to the server, Let’s Encrypt validation fails. Use self-signed SSL (-s y) first, then switch to Let’s Encrypt after DNS propagation
WP-CLI download failures — If WordPress download fails, it may be a network issue. The installer has fallback mirror URLs. Retry after checking connectivity
Permission issues post-install — WordPress files should be owned by nginx:nginx. Fix with chown -R nginx:nginx /home/nginx/domains/yourdomain.com/public
Vhost already exists — If installing on a domain that already has a vhost, the installer detects this. Either remove the existing vhost first or use a different domain

For more details, see the forum discussion. Also see Troubleshooting — WordPress 403 Errors.

WordPress Debug Mode (WP_DEBUG)

WordPress debug mode is controlled by the WP_DEBUG constant in wp-config.php. In Centmin Mod, WordPress sites are installed under /home/nginx/domains/yourdomain.com/public/, so the config file is at /home/nginx/domains/yourdomain.com/public/wp-config.php.

Enable WP_DEBUG in wp-config.php

To enable WordPress debugging, edit wp-config.php and set the following constants. Find the line with define( 'WP_DEBUG', false ); and replace it:

/home/nginx/domains/yourdomain.com/public/wp-config.php

# Enable WordPress debug mode — add/edit in wp-config.php
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );   # Logs errors to /home/nginx/domains/yourdomain.com/public/wp-content/debug.log
define( 'WP_DEBUG_DISPLAY', false ); # Hide errors from browser (recommended for production)
define( 'SCRIPT_DEBUG', true );   # Use unminified CSS/JS for debugging

Edit wp-config.php via SSH

Terminal

# Path to wp-config.php in Centmin Mod
DOMAIN=yourdomain.com
nano /home/nginx/domains/${DOMAIN}/public/wp-config.php

# View WordPress debug log
tail -f /home/nginx/domains/${DOMAIN}/public/wp-content/debug.log

Disable WP_DEBUG on Production Sites

Always set WP_DEBUG_DISPLAY to false on live sites to prevent error messages from leaking to visitors. Set WP_DEBUG back to false after debugging is complete.

How to Install WP-CLI on a Centmin Mod Server

Install WP-CLI on Centmin Mod: run addons/wpcli.sh install from /usr/local/src/centminmod, then use --allow-root with all WP-CLI commands (Centmin Mod runs as root). WP-CLI is the command-line interface for managing WordPress installations via SSH. In Centmin Mod, WP-CLI is installed via the addons/wpcli.sh addon script. Because Centmin Mod runs as root, all wp commands require the --allow-root flag. The Centmin Mod wp alias adds --allow-root automatically after installation. To update WordPress plugins via SSH, navigate to /home/nginx/domains/yourdomain.com/public and run wp plugin update --all.

Installing WP-CLI via addons/wpcli.sh

# Install WP-CLI via the Centmin Mod addon
cd /usr/local/src/centminmod
addons/wpcli.sh install

After installation, the wp alias is available, which runs WP-CLI with --allow-root automatically.

Updating WordPress Plugins via SSH with WP-CLI

To update WordPress plugins via SSH, first install WP-CLI using addons/wpcli.sh install, then navigate to the WordPress root and run wp plugin update --all. All WP-CLI commands require the --allow-root flag when running as root; the Centmin Mod wp alias adds it automatically.

# Step 1: Install WP-CLI via addons/wpcli.sh install (one-time setup)
cd /usr/local/src/centminmod
addons/wpcli.sh install

# Step 2: Navigate to the WordPress root
cd /home/nginx/domains/yourdomain.com/public

# Step 3: Update all plugins (wp alias adds --allow-root automatically)
wp plugin update --all

# Equivalent explicit form with --allow-root (if alias not configured):
# wp --allow-root plugin update --all

# Update all themes
wp theme update --all

# Update WordPress core
wp core update

# Check WordPress status
wp core version
wp plugin list
wp theme list

# Search and replace in database (useful for domain changes)
wp search-replace 'olddomain.com' 'newdomain.com' --dry-run

Updating WP-CLI

# Update WP-CLI to latest version
cd /usr/local/src/centminmod
addons/wpcli.sh update

For more details, see the forum discussion.

WPScan WordPress Vulnerability Scanner

WPScan is a third-party Ruby-based WordPress vulnerability scanner that can identify security issues in WordPress core, plugins, and themes. It is not bundled with Centmin Mod but can be installed separately on your server.

For installation instructions and usage examples, see the forum discussion.