🎯 Deploying WordPress on GKE with Click-to-Deploy: Secured, Styled, and Surviving My Sanity

Let me paint a picture.

You’re sipping your morning cold brew, dreaming of a WordPress site served fresh from Kubernetes. “Click-to-Deploy,” you say smugly. “How hard could it be?”

Fast forward two hours – you’re SSH’d into a container, your site is displaying the WordPress default, and your beautiful backend is wide open like it’s 2007.

Welcome to the real journey of deploying WordPress on GKE with security and sanity in mind. Buckle up.


🚀 Step 1: Click-to-Deploy – It Actually Works (Sorta)

Google Cloud’s Click-to-Deploy makes it deceptively simple to launch a WordPress site on GKE. You choose your region, your cluster, and Google sets up:

  • A GKE deployment with pods running WordPress and MariaDB
  • A LoadBalancer service for external access
  • Persistent Disks for data durability
  • An Ingress controller for routing
  • A managed SSL certificate for your domain (automatic renewal FTW 🙌)

But that’s where the real work starts.


🔐 Step 2: Locking Down /wp-admin Like It’s Area 51

By default, /wp-admin is public-facing. This is fine if you enjoy brute force attempts from random IPs in places you can’t pronounce.

Here’s how I fixed that using Cloud Armor:

# cloud-armor-policy.yaml (one rule of the security policy)
- action: "deny(403)"
  priority: 1000   # lower numbers are evaluated first; keep this ahead of any allow rule
  description: "Block access to /wp-admin from non-approved IPs"
  match:
    expr:
      # Cloud Armor exposes the client address as origin.ip and matches it with
      # inIpRange(); a bare `ip` attribute is not valid. YOUR_IP is a placeholder in CIDR form.
      expression: "request.path.startsWith('/wp-admin') && !inIpRange(origin.ip, 'YOUR_IP/32')"

🔧 This policy was applied to the backend service behind the Ingress. Now only my IP gets in. Everyone else? 👋 Denied.

And if you’re wondering why it wasn’t working the first time? Google Cloud Armor policies must be explicitly attached to the backend service, and rule priority matters (lower-numbered rules are evaluated first).
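The same lockdown as a gcloud script, added here as an example (it is not code from the original post); the policy name, backend-service name and the CIDR list are placeholders you replace, and the rule goes slightly beyond the post by accepting several allowed ranges:

```shell
#!/bin/sh
# Added example (not the post's own code): build the Cloud Armor rule for
# /wp-admin and attach the policy to the backend service with gcloud.
# Placeholders: POLICY, BACKEND_SERVICE and the CIDR arguments.
set -eu

POLICY="${POLICY:-wp-admin-lockdown}"            # assumed policy name
BACKEND_SERVICE="${BACKEND_SERVICE:-wp-backend}" # assumed backend service
RULE_PRIORITY=1000   # lower number = evaluated first; must precede any allow rule

# Build the CEL expression. Cloud Armor exposes the client address as
# origin.ip and matches it with inIpRange(); a bare `ip` attribute does not exist.
# Each argument is an allowed CIDR (use /32 for a single address).
build_wp_admin_expr() {
  [ $# -gt 0 ] || { echo "need at least one allowed CIDR" >&2; return 1; }
  allow=""
  for cidr in "$@"; do
    allow="${allow:+$allow || }inIpRange(origin.ip, '$cidr')"
  done
  printf "request.path.startsWith('/wp-admin') && !(%s)" "$allow"
}

# Create the policy, add the deny rule and attach it to the backend service.
# Caveat: admin-ajax.php sits under /wp-admin and is used by some themes' front
# ends; add a lower-numbered allow rule for it if parts of the site break.
apply_wp_admin_policy() {
  expr="$(build_wp_admin_expr "$@")"
  gcloud compute security-policies create "$POLICY" \
    --description "Deny /wp-admin except from approved IPs"
  gcloud compute security-policies rules create "$RULE_PRIORITY" \
    --security-policy "$POLICY" \
    --expression "$expr" \
    --action deny-403 \
    --description "Block access to /wp-admin from non-approved IPs"
  gcloud compute backend-services update "$BACKEND_SERVICE" --global \
    --security-policy "$POLICY"
}

# Only talk to gcloud when explicitly asked, e.g.:
#   POLICY=... BACKEND_SERVICE=... ./wp-admin-armor.sh --apply 203.0.113.7/32
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_wp_admin_policy "$@"
fi
```

With GKE Ingress the backend service is created by the ingress controller, so the durable way to attach the policy is a BackendConfig whose securityPolicy.name references it, wired to the Service through the cloud.google.com/backend-config annotation; the gcloud update above holds only until the controller recreates the backend.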


🛡️ Step 3: Multi-Factor Like a Boss – DUO MFA Plugin

I wasn’t about to trust my WordPress login to a simple password, so I added DUO Security using their official WordPress plugin.

Steps:

  1. Created a new application in the DUO admin panel.
  2. Installed the DUO WordPress plugin via wp-admin.
  3. Configured the plugin with my DUO integration key, secret key, and API hostname.

👨‍💻 This plugin integrates natively with WordPress login, prompting for second-factor auth directly. It works beautifully and adds minimal delay.

Bonus: It doesn’t interfere with wp-cli or other automation – unless you want it to.


🧪 Step 4: Debugging – The Unexpected “Default” WordPress Reset

At one point, I thought my GKE cluster had lost its mind. My site reverted to default – vanilla WordPress, theme and all. Turns out…

Cause:

GKE’s rolling updates during auto-upgrade recycled the pods, but PVC mounts weren’t persistent in the way I assumed. Classic.

Fix:

I moved wp-content (themes, plugins, uploads) to its own PersistentVolumeClaim, mounted explicitly via volumeMounts in the Deployment manifest, with the matching pod-level volumes entry naming the claim:

volumeMounts:
- mountPath: /home/u994648506/domains/varchitected.com/public_html/wp-content
  name: wp-content-pvc
volumes:
- name: wp-content-pvc
  persistentVolumeClaim: {claimName: wp-content-pvc}

And yes, I now back up the database regularly. Lesson learned.


🌐 Step 5: SSL Certificates – The Lazy Man’s Flex

Google Cloud’s Managed Certificates are magic. Just apply them to your Ingress and they’ll:

  • Auto-validate your domain
  • Handle renewal
  • Apply the cert to your Load Balancer automagically

The ManagedCertificate resource looks like this:

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: varchitected-cert
spec:
  domains:
    - www.varchitected.com

Tie it to your ingress with an annotation:

metadata:
  annotations:
    networking.gke.io/managed-certificates: "varchitected-cert"

Voila – HTTPS without breaking a sweat.


💡 Final Tips: What I’d Do Differently

  1. Store MariaDB externally – GKE restarts can get dicey. Cloud SQL or AlloyDB might save you from a panic attack.
  2. Add readiness probes to your pods – they avoid weird 502s during rolling updates.
  3. Get serious with backups – automate snapshots and export your database regularly.
  4. Use a staging environment – Kubernetes is predictable… until it isn’t.

🎤 Final Thoughts

Running WordPress on GKE is a flex, but like any good lab project, it’ll humble you. When done right, though? You get a secure, auto-scaling, SSL-enabled, MFA-protected WordPress site – with the full power of Kubernetes at your fingertips.

And more importantly, you earn the right to say:

“Yeah, I run my blog on GKE. No big deal.”

What’s next in GKE? Backups, PVC Snapshots, etc.
