Tag Archives: wordpress

Backing up WordPress on Dreamhost

I had the following criteria when configuring the backup for my WordPress installation:

  1. Shell Script
  2. Protected from the webserver user
  3. Works with Dreamhost Enhanced User Security

This approach is based on the script from the WordPress Backup Guide at theme.fm.

In addition to your webserver_user, create a backup_user account. The backup_user will have read access to the website files; however, the webserver_user will not have read access to the backups.

Configure the Accounts

Login as backup_user and run ssh-keygen -t rsa -b <keysize>. Keysize should be 2048 or 4096 (pick the bigger size for more security). Accept all of the defaults. Run cat ~/.ssh/id_rsa.pub and copy the output. Create ~/backup and ~/scripts. Run chmod go-rw ~/backup.

Login as webserver_user and edit/create ~/.ssh/authorized_keys. Add the key copied from id_rsa.pub.

Script Files

Create the following files and make the *.sh files executable:





# Make sure we're working in the scripts directory
cd /home/webserver_user/scripts

# Backup the datbase
mysqldump --defaults-file=/home/webserver_user/scripts/opts <wp_datbase> > db.sql

# tar the database backup and all of the WordPress files
# --transform is not necessary, but removes home/webserver_user from the path when extracting
tar czf website-$(date +%Y-%m-%d).tar.gz --transform s,^home/webserver_user/www,www, db.sql /home/webserver_user/www

# Cleanup by removing the uncompressed database backup
rm db.sql



# Set the working directory
cd /home/backup_user/backup

# Run the save.sh script as the webserver_user
ssh webserver_user@webhost.com /home/webserver_user/scripts/save.sh

# Copy the backup to the backup_user account
scp webserver_user@webhost.com:/home/webserver_user/scripts/*.tar.gz ./

# Remove the copy of the backup from the webserver_user
ssh webserver_user@webhost.com 'rm /home/webserver_user/scripts/*.tar.gz'

# cleanup the backup directory and only keep the 3 most recent backups
while [ "$(ls -1t | wc -l)" -gt 3 ]; do
   rm "$(ls -t1r | head -n 1)"

Panel Configuration

  1. Go to you Dreamhost Web Panel
  2. Login
  3. Go to Main menu → Goodies → Cron Jobs
  4. Click "Add New Cron Job"
    • Select User backup_user
    • Title: backup
    • Email address if you want notification of the script running
    • Command to run: /home/backup_user/scripts/backup.sh
    • When to run: daily or weekly

Editing the WordPress Comment Form

I don’t collect email addresses or URLs for my comments, but never removed the default ‘Your email address will not be published.’ text from my comment form.

Removing the email address and URL fields was simple using the 'comment_form_default_fields' hook with the following code in my theme’s functions.php:

add_filter('comment_form_default_fields', 'remove_email_url');
function remove_email_url($fields) {
        if (isset($fields['url'])) {
        if (isset($fields['email'])) {
        return $fields;

I couldn’t find a simple tutorial for editing other aspects of the comments form and I didn’t want to dig into the theme and edit the /wp-content/themes/twentytwelve/comment.php file.
After poking around http://codex.wordpress.org/Function_Reference/comment_form and looking at the /wp-includes/comment-template.php, I realized the difference between the 'comment_form_default_fields' and 'comment_form_defaults' hooks.

'comment_form_default_fields' allows operation on the $fields of the comment_form.
'comment_form_defaults' allows modification on the $args of the comment_form.

Addition to my theme’s functions.php:

add_filter('comment_form_defaults', 'remove_publish_email');
function remove_publish_email($args) {
        $args['comment_notes_before'] = '

All comments are moderated.

'; return $args; }

Restricting WordPress Admin Access

Following up on Securing Administration of Shared Hosting, if you can restrict access to your administrative pages to a specific IP address or addresses.

This works best if you’re tunneling your traffic to your webserver though ssh, because your IP address may be changing, if you’re using hotspots or if your ISP changes your IP address. This is done though a simple update to the .htaccess file. Edit or create /wp-admin/.htaccess so it contains:
ErrorDocument 403 http://www.tidgubi.com/
Order Allow,Deny
Allow from 208.113.186.

The first line changes the “Unauthorized” behavior to simply redirect to my homepage. Otherwise the webserver seems to try to serve the error page from /wp-admin/ and ends up in a redirect loop.

The second line makes the allow/deny decision to default to deny unless there is a specific allow directive (https://httpd.apache.org/docs/2.0/mod/mod_access.html#order)

The last line specifies the IP address or partial IP address to allow. I assume Dreamhost uses load balancing and/or virtual servers, so I didn’t want to restrict access to a single IP address, but figured the IP range would be restrictive enough.