Though ServerPilot focuses more on ongoing server management (e.g. updates, control panel, monitoring, support) for DigitalOcean servers rather than one-click installers, there is now a one-click WordPress installer.
I like Bitnami and I am a big fan. However, when deploying Jboss, Glassfish and Tomcat application servers from Bitnami onto AWS, I have found that you need to configure the application server specs based on the specs of your host EC2 -- I ended up creating custom images for each type of EC2 in my inventory for these application servers.
Our images do change some configuration options based on the type of instance that we detect on boot. It would be great if you could get in touch with us at hello@bitnami.com and let us know the details of what you had to configure manually, so that we can improve this.
Slightly OT but I'm curious: do you like jboss and glassfish? I've used both pretty extensively, and am not a big fan of either one. Could have been user error though, not application error.
Like may be too strong a word to use. But if you are doing EJB and MDBs, then they both are the only options , unless you go the weblogic/websphere route. I would not touch either with a 20 foot pole for a non-ejb application with no session replication requirements.
https://www.vultr.com/ is like DO except it allows arbitrary ISO and iPXE. No need to wait on DigitalOcean for them to provide your OS. They also have IPv6, private IPs and more locations. And it's a bit cheaper.
The Bitnami images for GitLab are impossible to upgrade automatically and are a worse experience than our Omnibus packages. I hope Bitnami addresses this soon.
A few months ago I noticed there was not a novice user step-by-step guide for installing WordPress on AWS, so I threw together https://howtoinstallonaws.com. Bitnami really makes it quite painless.
> DigitalOcean users get two free months of Bitnami access.
Uh, I don't really understand what "Bitnami access" constitutes. Once I've done the install, I don't really need Bitnami for anything more, right? right? Does that mean everyone who wants to do a Bitnami-powered install should hurry up and do it now, before they have to pay to get access to the Bitnami installer?
Flockport provides something similar but with containers https://www.flockport.com/store We have a fledgling app store with over 30 apps that can be deployed on any Linux server in minutes. It's completely free.
The advantage with using containers as opposed to VMs is containers are portable so you are not stuck to any server or cloud provider. Your apps are portable, and cloning, snapshots and backups become simpler.
The advantage of using LXC is the entire stack can be in one container and the environment is more like an OS that users are familiar with. Users can use the flockport utility to pull the app and then directly get to the App dashboard, without all the installation and configuration hassles of a typical stack. And Flockport apps should work with nspawn and other container managers.
Bitnami runs a monthly contest[0] where you can vote for your favourite application to be packaged. I couldn't find an entry for Dada Mail, but you can go ahead and submit it for review[1] and we can add it to the contest.
I'm not really interested in a somewhat gamification for the inclusion of the app into the lineup.
The winners are first the users, who have an easier way to install the app (it's already given away for free) and you, which are given another solid app to offer.
I don't really get anything by entering the app in a contest. I'm not really interested in contesting the app at all. But, to give your users more choice on what to use? Again a total win for you.
We have literally hundreds of open source projects that want to be part of Bitnami and limited resources. The contest is the best way we could come up with to help us prioritize
full configs are available on github (and more updated).
There are also a lot of other companies/packages to help you setup faster stacks that are more maintained than what I did. easyEngine or ServerPilot being two examples.
How many hits are you getting per day that isn't great performance? I'm running two WP blogs each on their own $5/mo plan and it's been working great with one notable exception: I would constantly run out of memory on my highest-trafficked site (20 uniques per day) with WP Super Cache turned on. When I uninstalled it, the speed went way up and the out of memory errors disappeared.
https://github.com/kevinohashi/WordPressVPS you can take a look at the loadtest_results folder to see. I tested a lot of different configurations and plugins. The default LAMP stack which DO provides starts to struggle at 10 users. While some configs were doing fine over 1000.
I host 4 Wordpress sites on the $5 plan without a problem. Admittedly they are pretty low traffic, but you did specify starter site. If any of the sites ever start seeing significant traffic I'll probably bump up to a 2 cpu plan and move the database to a separate instance.
None of them are mission critical or have any impact on my income, so I used my server setup as a chance to teach myself how to setup nginx.
The sites were using the bitnami image on the free AWS tier before that. No issues there either.
I am running Wordpress on a $5 plan for my personal website. Also paying $1 extra per month for backups. While requesting for an OS image to install, you can choose to install Wordpress on it from their menu. It is a no-frills simple setup if you want to go the self-hosting route.
I used to run WP on $5 plan but the memory soon runs out (with the recommended swap config). The next tier seems to be working fine for the past few months.
You definitely need to be careful how to configure things, but enabling caching, event MPM + php-fpm, mod_pagespeed, etc. like we do in our Bitnami images helps a lot. The good thing is that it is relatively painless to resize if you need to.
RunAbove 'Sandbox' instances overcommit RAM and provide no SLA. Sure, you can't beat the price, but if I wasn't interested in a SLA then I'd rather pay $10 and get a Kimsufi.
On the other hand, I never had an issue with my OVH 2$ (now 5$) server, and I run an Apache with worpress, an IRC bouncer for a handful of users, a mumble, a teamspeak and a minecraft server on it. Less than 100% CPU and RAM utilization.
OVH isn’t cheap because they don’t deliver the performance you ask for, OVH is cheap because they really don’t provide anything else in the free tier, no backups, no additional IPs, no guarantueed uptime.
I agree, I think if you're going to deploy an application that's facing the internet, it makes sense to take the time to roll the deployment scripts (Salt, Ansible, etc.) and understand at some level what is getting installed, as well as how it's configured and how what needs to be setup for security, rather than just trusting the image.
Wordpress is awful on DO and many things can and do break. Trust me, I've been developing with Wordpress for over a decade, and WP on a VPS is a whole different kettle of fish. Whether it's hardening the VPS to avoid a DDOS, or auto-patching Ubuntu when OpenSSL gets another vulnerability. It's quite mightmarish. DO is good for things like Gitlab and VPNs and things like that, but good luck trying to get something bulletproof and high availability. It's a devops nightmare. It can be achieved, but it takes some time...
Why is Wordpress on a VPS a nightmare? You install nginx, php-fpm, mysql, enable unattended upgrades in Ubuntu, create a new user for Wordpress, run it, enable automatic updates, done.
It's a blog. It doesn't need to be bulletproof or run on a cluster.
I say this because so many peeps think using these pre-installed WP bundles is all kittens and unicorns; it is not. I am not singling out DO specifically, but any VPS provider that has pre-installed soft that does not respond to threat landscapes and it not hardened correctly. Users install without a care in the world for having their VPS naked and like a sitting duck. (Yes I monitor inbound traffic on VPSes and there are people who are interested in flooding if you don't practice throttling and load balancing, or PTR records which resolve the raw IP to other domains).
The performance of the out-of-the-box WordPress stack is terrible too. I maintain benchmarks for WordPress running on different company's platforms (http://reviewsignal.com/blog/2015/07/28/wordpress-hosting-pe...) and had to stop including Digital Ocean because it's just not in the same league. I get asked everytime why they aren't there though and have to explain, that's not really what Digital Ocean does. If you want high performance WordPress, lots of companies have built on top of DO's infrastructure to give you that. But DO doesn't give you that out of the box.
You are right it is difficult to keep self-managed installations secure vs. just using a SaaS provider, especially when some of the users only have basic admin skills. Having said that, we do our best to have secure settings by default, respond promptly to security issues (typically we release new images within hours of a new version being announced) and in particular in the case of WordPress we pre-configure everything out so automatic updates are enabled out of the box (which the user can also manage from the admin panel without touching the command line).
> there are people who are interested in flooding if you don't practice throttling and load balancing
perhaps someone is out to get you. never experienced this in my life. been running dedicated server with over a hundred installs for 2 years. sure you have script kiddies that might send a bot to try to brute force passwords. But Nginx can easily handle that load.
Spammers, phishers and other criminals are _always_ out to get _everyone_. It's typically done by robots - if your VPS is insecure, it's a matter of when, not if, and when is usually sooner than you think.
I meant DDOS, nobody cares enough to deny access to your little site unless there is something else which is going on. Other stuff, nothing much to worry about. Just follow best practices: use a password keeper, keep your site updated, disable comments, etc.
The way that typically goes is first your VPS gets exploited somehow and used to serve illegal content, send spam or scan other hosts. Then it gets DDOS-ed by someone who doesn't like the content or attacks initiated from the VPS.
Yeah the list goes on. Even for the pros, there are an insane amount of steps to get the install perfect. And it has to be perfect, as one overlooked thing can mean the box can be taken offline by net-hooligans. Things like Commando are handy for this and I frequently use recipes when I spin up a new server: https://commando.io/
I think the actual meaning being lost in translation here is "self-managing things is awful"—which it is, if you are a dev and don't want to be burdened with ops.
Indeed. First thing that blew my mind is that it checks to see if its files are owned by the uid of the php process. Why? Why can't we just +w on uploads, themes, plugins etc using group permissions?
This is why I'm ditching it and going back to static HTML for my corporate site. As a small consulting shop, we just don't have the time or resources to worry about "WTF is wrong now?"
Static site generators are definitely making a comeback... With the number of vulnerabilities and automated attacks on older versions of WP, and other frameworks, it's not an entirely bad idea...
Generate the site, push to S3 or Azure, then put CloudFlare (or another CDN/Cache) in front of it... Easy peasy.
I think WordPress is great on DigitalOcean. With EasyEngine you can be up and running - cached - and seconds with a handful of CLI commands. I've had great luck with running WP on DO.
I'm curious why you think it's awful? I used the one-click Wordpress install on DO and put up a custom-coded theme. The site gets around .5m visits a month and I've never run into any problems.
WP was not designed for modern deployment for a number or reasons. Wordpress is definitely not a 12 factor app. And there is nothing that can be really fixed by plugins. to fix this, one has to break WP core apis. WP is "a deploy once with ftp/sftp" cms.
I think a lot of developers--myself included, for a long time--don't really appreciate why this is the reason WordPress is as popular as it is. The vast majority of the criticisms people make of WP are valid, but good luck finding something else as easy for a non-developer to not just install and configure, but to actually maintain in a relatively secure fashion. (I also don't think developers appreciate how good modern WordPress is as this -- not to say that it's perfect, by any stretch, but once it's set up correctly the damn thing is self-updating. As long as you stick to popular, actively-developed plugins and put effort into keeping them updated -- which is frankly a pretty low bar, since it's about three clicks on the dashboard -- WordPress isn't likely to be a serious security concern.
I don't see how WordPress's general audience would be in the least concerned about its failure to be a "twelve-factor app," do you?
You have to run your own install script. It is more involved than deploying other things. I usually run a script to prepare the server first (for a generic secure setup, including LAMP) and then run the WP installing script (which is mostly Python working through sftp). It has taken a bit of time to figure this one out, because the generic secure setup requires constant upkeep. Its not something that you set and forget.
aptitude update sure is part of maintaining things up to date. One cannot rely on it exclusively due to how those updates sometimes require other changes. Plus it doesn't cover all packages. Using docker just adds another layer of complexity and possible vector of attack. For standalone wordpress installs docker is not required. Wordpress security is more of a continuous process rather than a set and forget thing due to how it's a constant target.
I actually run a few wordpress blogs on Cloudways - which sets up a managed host on top of DO or AWS. It's pretty good - I think there is value for managed "applications" on top of VPS.
Think of it as Cloudformation for the rest of the world !
https://serverpilot.io/blog/2015/07/22/one-click-wordpress-a...