Once our RDS instance has been created, we will set up WordPress on our EC2 instance.

For this tutorial, we'll be using an Ubuntu 16.04 instance. Go ahead, and spin up an Ubuntu EC2 instance. In the inbound rules settings, ensure that you allow traffic to port 80 and 443 (HTTP and HTTPS):

1. SSH into the Ubuntu instance. We'll now set up the instance to be able to host the WordPress website. Before proceeding, run apt update and apt upgrade.
2. Install Apache server on your EC2 machine:

sudo apt-get install apache2 apache2-utils

3. To start the Apache service, you can run the following command:

sudo systemctl start apache2

To see whether the instance is working, you can visit http://<<EC2 IP Address>>, and you should get the default page of Apache.

4. We will now install PHP and a few modules for it to work with the web and database servers, using the following command:

sudo apt-get install php7.0 php7.0-mysql libapache2-mod-php7.0 php7.0-cli php7.0-cgi php7.0-gd  

5. To test whether PHP is working with the web server, we need to create the info.php file inside /var/www/html:

sudo nano /var/www/html/info.php

6. Copy and paste the following code into the file, save it, and exit:

<?php phpinfo(); ?>

When that is done, open your web browser and type in this address: http://<<EC2 IP Address>>/info.php. You should be able to view the following PHP information page as confirmation:

7. Next, we will download the latest WordPress website on our EC2 machine:

wget -c http://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz

8. We need to move all the WordPress files from the extracted folder into the Apache default directory:

sudo rsync -av wordpress/* /var/www/html/

9. Next, we need to configure the permissions of the website directory, as well as assign ownership of the WordPress files to the web server:

sudo chown -R www-data:www-data /var/www/html/
sudo chmod -R 755 /var/www/html/

Now we will connect our WordPress website to our RDS instance.

10. Go to the /var/www/html/ folder and rename wp-config-sample.php to wp-config.php as follows:

sudo mv wp-config-sample.php wp-config.php

11. Next, update the MySQL settings section with the details of the RDS instance. We named our database newblog in the previous section; so, we will use the same name here:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', <<database_name_here>>); /** MySQL database username */ define('DB_USER', <<username_here>>); /** MySQL database password */ define('DB_PASSWORD', <<password_here>>); /** MySQL hostname */ define('DB_HOST', <<RDS IP Address>>); /** Database Charset to use in creating database tables. */ define('DB_CHARSET', 'utf8'); /** The Database Collate type. Don't change this if in doubt. */ define('DB_COLLATE', '');

12. Save the file and then restart the Apache server:

sudo systemctl restart apache2.service

13. Open your web browser and then enter the http://<<EC2 IP Address>>/index.php server address to get the welcome page:

14. Select the language of your choice, and then click on Continue. Finally, click on Let's go!
15. Fill in all the requested information, and then set your username and password. Finally, click on Install WordPress.
16. Once this is complete, you can log in to the WordPress installation using the username and password:

Our WordPress target has been set up. However, we have left the RDS instance accessible to the entire internet. This is a vulnerable configuration.

In the next section, we will see how we can discover such vulnerable RDS instances.