Deploying a highly available WordPress site on Amazon Lightsail, Part 2: Using Amazon S3 with WordPress to securely deliver media files

This post is contributed by Mike Coleman | Developer Advocate for Lightsail | Twitter: @mikegcoleman

This is the second post in a series focusing on how to build a highly available WordPress site on Amazon Lightsail. The first post, Implementing a highly available Lightsail database, explained how to deploy a WordPress instance with a standalone MySQL database on Lightsail. The post also discussed how both the database and web server’s file system store WordPress data.

This post shows you how WordPress stores shared media files (such as pictures and videos) on Amazon S3. S3 is a managed storage service that provides an affordable, performant, and secure method for storing a variety of data. This post interfaces between WordPress and S3 with the WP Offload Media Lite plugin from Delicious Brains. The plugin takes any file uploaded to WordPress and copies it over to S3, where your other WordPress instances can access it.


This post requires that you have deployed your WordPress instance and configured it to work with a standalone MySQL database in Lightsail. For more information, see the first post in this series.

Because this post uses additional AWS services beyond Lightsail, you need an AWS account with sufficient privileges to the rest of AWS.

Solution overview

This solution includes the following steps:

  1. Create an AWS IAM user.
  2. Update the WordPress configuration file with those user credentials.
  3. Install and configure the actual plugin.
  4. Test the solution by uploading an image to WordPress.

Creating an IAM User

To relocate your media files to S3, WordPress needs credentials proving it has the correct permissions. You create those credentials by adding a new IAM user and assigning that user a role that includes the necessary S3 permissions. After creating the credentials, add them to your WordPress configuration file.

  1. Open the AWS Management Console.
  2. Navigate to the IAM Console.
  3. From the Dashboard, choose Users.

The following screenshot shows the Dashboard pane.

Users selection from the IM menu in WordPress



4. At the top of the page, choose Add user.

The following screenshot shows the Add user button.

Add User button highlighted





5. In Set user details, for User name, enter a name.

This post uses the name wp-s3-user.

6. For Access type, select Programmatic access.

The following screenshot shows the Set user details section.

Set user details

7. Choose Next: Permissions. 

8. Choose Attach existing policy directly.

9. In the Filter polices field, enter S3.

10. From the search results, select AmazonS3FullAccess.

11. From the search results, select AmazonS3FullAccess.

The following screenshot shows the Set permissions section.Set permissions.

  1. Choose Next: Tags.
  2. Choose Next: Review.
  3. Choose Create user.

The page displays the credentials you need to configure the WP Offload Media Lite plugin.

  1. Under Secret access key, select Show.
  2. Save the Access Key ID and Secret Access Key for reference.

To download a CSV file with the key information, choose the Download .csv file button.

If you navigate away from this screen, you can’t obtain the credentials again and need to create a new user. Be sure to either download the CSV or record both values in another document. Treat these credentials the same way you’d treat any sensitive username/password pair.

Connecting to your WordPress instance

Connect to your WordPress instance by using your SSH client or the web-based SSH client in the Lightsail console.

  1. In the terminal prompt for your WordPress instance, set two environment variables (ACCESS_KEY and SECRET_KEY) that contain the credentials for your IAM user.

To set the environment variables, substitute the values for your IAM user’s access key and secret key into the following lines and enter each command one at a time at the terminal prompt:



The next step is to update your WordPress configuration file (wp-config) with the credentials.

  1. Enter the following command:

cat <<EOT >> credfile.txt
define( 'AS3CF_SETTINGS', serialize( array (
  'provider' => 'aws',
  'access-key-id' => '$ACCESS_KEY',
  'secret-access-key' => '$SECRET_KEY',
) ) );

This command creates a file with the credentials to insert into the configuration file.

  1. Enter the following sed command:

sed -i "/define( 'WP_DEBUG', false );/r credfile.txt"

This command inserts the temporary file you created into the WordPress configuration file.

It changes the permissions on the WordPress configuration file.

  1. To reset the permissions, enter the following code:

sudo chown bitnami:daemon /home/bitnami/apps/wordpress/htdocs/wp-config.php

  1. Restart the services on the instance by entering the following command:

sudo /opt/bitnami/ restart

After the services restart, your WordPress instance is configured to use the IAM credentials and you are ready to configure the WP Offload Media Lite plugin.

Installing and configuring the plugin

Now that the configuration file holds your credentials, you can move on to installing and configuring the plugin.

The next step requires you to log in to the WordPress dashboard, and to do that you need the Bitnami application password for your WordPress site. It’s stored at /home/bitnami/bitnami_application_password.

  1. Enter the following cat command in the terminal to display the password value:

cat /home/bitnami/bitnami_application_password

  1. Log in to the administrator control panel of your WordPress site.

You can access the WordPress login screen at http://SiteIpAddress/wp-admin, where SiteIpAddress is the IP address of your WordPress instance, which you can find on the card for your instance in the Lightsail console.

The following screenshot shows the location of the IP address.

Site IP Address inside the Lightsail Console

For example, the instance in the preceding screenshot has the IP address; you can access the login screen using

  1. For login credentials, the default user name is user.
  2. For the password, use the Bitnami application password you recorded previously.

After signing in, install and configure the WP Offload Media Lite plugin by following these steps:

  1. Under Plugins, choose Add New.

The following screenshot shows the navigation pane.

Navigation pain in WordPress

  1. On the Add New pane, in the Keyword field, enter WP media offload.

The following screenshot shows the Keyword search bar.

Keyword Searchbar in WordPress

  1. The results display the WP Offload Media Lite plugin.
  2. Choose Install Now.

The following screenshot shows the selected plugin.

WP media offload plugin

After a few seconds, the Install Now button changes to Activate.

  1. Choose Activate.

The main WordPress plugins screen opens.

  1. Scroll down to WP Offload Media Lite.
  2. Choose Settings.

The following screenshot shows the selected plugin.

  1. From the Settings page, choose Create new bucket.

An S3 bucket is a unique container that stores all your WordPress files.

The following screenshot shows the Media Library options for your plugin.

Media Library options for your plugin

  1. For Region, select the Region that matches the Region of your WordPress instance.

This post uses the Region US West (Oregon). The following screenshot shows the selected Region.

AWS Region in S3

The following screenshot from the Lightsail console shows your displayed Region.

Region in Lightsail console

  1. Enter a name for your S3 bucket.
  2. Choose Create New Bucket.

Your WordPress website is now configured to upload files to the S3 bucket managed by the WP Offload Media Lite plugin.


If you received an error indicating that access to your S3 was denied, check the public permissions for S3 by following these steps:

  1. Open the S3 console.
  2. From the menu, choose Block public access (account settings).
  3. Choose Edit.
  4. Clear Block all public access.
  5. Choose Save.
  6. In the text box, enter confirm.
  7. Choose Confirm.

This setting ensures that none of your buckets are publicly accessible. If you clear the setting, make sure to verify that permissions are set correctly on your buckets.

  1. Return to the WordPress console, and refresh the Offload Media Lite page.

You should no longer see the error.

  1. Choose Save Changes.

Testing the plugin

To confirm that the plugin is working correctly, upload a new media file and verify it’s being served from the S3 bucket.

  1. From the WordPress console, choose Media, Add new.

The following screenshot shows the WordPress console menu.

  1. Upload a file by either dragging and dropping a file into the field, or choosing Select and selecting a file from your local machine.
  2. After the file uploads, choose Edit.

The following screenshot shows the Edit option on the plugin thumbnail.

In the Edit Media pane, the File URL should point to your S3 bucket. See the following screenshot.

WordPress console menu

  1. Copy that URL into a browser and confirm your file loads correctly.


In this post you learned how to install and configure the Media Offload Lite plug-in. Your media files are now centrally served out of S3. You are ready to finalize the look and feel of your site and scale out the front end. A subsequent post in this series explores that process.