Gridpane Site Setup – Web Magic Studio

Adding a new Gridpane site ~~must be done in a Chrome browser~~.

In the field labelled “URL”, enter the host name of the site. Do not include the “www”, even if you intend to use it, we’ll set that up later.
Select the server you want to use from the drop-down menu.
In almost all cases you should create a new system user, so select that from the drop-down, then in the next field enter a brief mnemonic name, limited to about 8 characters.
At this time there are no bundles to select, so leave that set to “None”.
Unless you know there will be software incompatibilities with plugins or themes you intend to use, leave the PHP version as-is, currently PHP 7.4.
All the rest of the options will be set properly, so just click “Add Site”. Except for the SSL setup, it only takes about a minute to create the site. The SSL setup may take a few minutes more.

If everything goes well, you should be able to find the site in the site list and click the Single Sign-On icon (the little WordPress icon). That will get you into the back-end of the site even though you haven’t setup any credentials for the admin account yet. Sometimes the SSL setup is a little persnickety, so use the SSO button now to make sure it has worked, if not, the resolution depends on the problem.

Next, let’s go back to the Gridpane Sites tab.

Click on the site name to bring up the settings popup. It will be on the Settings tab when it comes up.
Verify that the AutoSSL setting is enabled, and if not, resolve that problem before continuing.
The Single Sign-On, Clickjacking Protection, and Nginx Redis Page Caching settings should all be enabled, and everything not already mentioned should be disabled.
Click on the Security tab.
Click on the ModSec WAF heading. Turn on the Enable WAF setting, then set the Paranoia Level to 2, and the Anomaly Threshold to 66.
Click the wpFail2Ban heading. Turn on the Enable wpFail2Ban integration setting, then double-check to make sure all the other settings are enabled.
Click on the Additional Measures heading. Enable all the settings in both the Hardening and Beta columns EXCEPT “Block upgrade.php”.
Click on the Backups tab. In the Local Backups section, enable the Automated Backups setting and make sure the frequency is set to Hourly.
Click on the Domains tab. Verify that the API Integration setting is set to “Cloudflare Full” and the SSL setting should be enabled, correct if not. The Routing setting should be changed to either “root” or “www”, depending on the client’s preference.
Close the settings popup.

Normally, WordPress will make sure you have the three most recent Twenty-Something themes installed every time it updates itself. To prevent that, edit file /var/www/sitename/user-configs.php and add this line:

define( 'CORE_UPGRADE_SKIP_NEW_BUNDLED', true );
add_filter('wp_is_application_passwords_available', '__return_false');

If this is a new site installation, go to /var/www/sitename/htdocs/wp-content/themes/ and delete the two oldest themes, leaving just the most recent one. If you’ll be migrating a theme over, after the import is done, go to the same directory and delete all of the twenty* themes, assuming they aren’t in use…you need to log into the site and check to see what the currently active theme is. If you do leave one of the twenty* themes available, turn on auto-updates.