Amazon S3 Quick Start Guide

This guide aims to help you start offloading your WordPress Media Library to an Amazon S3 bucket with WP Offload Media as quickly as possible.

We also have Quick Start Guides for other storage providers.

This article covers the following steps:

  1. Log in to the AWS Console
  2. Create an Amazon Web Services (AWS) User
  3. Saving the AWS User’s access details for WP Offload Media to use
  4. Activate Your WP Offload Media License
  5. Configure WP Offload Media to offload newly uploaded media to an Amazon S3 bucket
  6. Offload Your Existing Media Library
  7. Next steps for setting up WP Offload Media to use a CDN

Log in to the AWS Console

Already have an Amazon Web Services (AWS) account? Sign in here.

If you don’t have an AWS account yet, you will need to sign up here.

Create an IAM User

Once you have logged into the console, you will need to create a new IAM user:

Navigate to the IAM Users page in the AWS Console, click the Add user button.

Enter a name for the user in the User name field.

Names are case insensitive and must be unique within your AWS account. User names can be a combination of up to 64 letters, digits, and these characters: plus (+), equal (=), comma (,), period (.), at sign (@), and hyphen (-).

Under Access type select the checkbox for Programmatic access, then click the Next: Permissions button.

IAM Management Console - Add user - Set user details

To allow the new user to manage buckets and objects in the S3 service, you need to grant it specific permissions.

For this quick start guide we recommend giving the new IAM User full access to S3, and nothing else. Using the “AmazonS3FullAccess” policy helps avoid potential problems when first setting up WP Offload Media, but experienced users of AWS may wish to use a Custom IAM Policy. It’s always possible to later edit an IAM User’s policy to restrict access to only those resources required by WP Offload Media.

Click the “Attach existing policies directly” button, and then enter “s3” in the filter policies input box.

Select the “AmazonS3FullAccess” policy, then click the Next: Tags button at the bottom of the page.

IAM Management Console - Add user - Attach permissions

Adding tags is purely optional, if you’re a heavy user of AWS you may have a reason to add tags here to help with management tasks. Whether you add tags here or not, click the Next: Review button at the bottom of the page to continue.

IAM Management Console - Add user - Add tags

If everything looks good, click the Create user button.

IAM Management Console - Add user - Review

You will be shown the security credentials for the user, which consists of an Access Key ID and a Secret Access Key. Amazon will not show these again so please download them as a .csv and also copy them somewhere safe. If you lose them, you can always create a new set of keys from the console but you cannot retrieve the secret key again later.

IAM Management Console - Add user - Download credentials

Clicking the Close button will return you to the IAM Users page.

Define Your Access Keys

Now that you have your AWS Access Keys, you need to add them to your site so that WP Offload Media can use them to work with the Amazon S3 service.

For better security, we recommend defining your access keys in your wp-config.php:

define( 'AS3CF_SETTINGS', serialize( array(
    'provider' => 'aws',
    'access-key-id' => '********************',
    'secret-access-key' => '**************************************',
) ) );

These should be placed before the following block of code in your wp-config.php:

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Warning: If you define your access keys after this block of code, WP Offload Media will not be able to read them.

Alternatively, you can enter your access keys into the form on the Storage Provider page inside WP Offload Media, the first page shown when no keys are defined. This will save them to the database, which is less secure than defining them in your wp-config.php.

WP Offload Media Save Amazon S3 Keys In Database

IAM Roles

If you’re running your site on an Amazon EC2 instance, you might like to use an IAM Role instead. This is even more secure than defining your access keys in wp-config.php.

Configure WP Offload Media

To start offloading newly uploaded media to Amazon S3 you need to first tell WP Offload Media which bucket it should use. If you have not already created a bucket to use with WP Offload Media, it can be created for you from WP Offload Media’s Settings page.

Go to the “Media Library” tab of WP Offload Media’s Settings page in the WordPress admin dashboard. If you have followed the steps above then you should see something like the following.

WP Offload Media Enter Bucket - S3

If you have already created the bucket you want to offload your media to, then you can enter the bucket name in the above input and click the “Save Bucket Setting” button.

If you haven’t created the bucket yet, then you can click the “Create new bucket” link to get a form where you can specify the new bucket’s name and region.

WP Offload Media Create Bucket - S3

As long as you haven’t restricted your IAM User’s access to list buckets then you can also “Browse existing buckets.”

WP Offload Media Select Bucket - S3

Regardless of how you specify the bucket, once saved, WP Offload Media will be set up to offload newly-uploaded media to the bucket with some recommended default settings.

WP Offload Media Bucket Saved - S3

Block All Public Access to Your Amazon S3 Bucket

If you do not intend to use Amazon CloudFront as the Delivery Provider, but instead want to use raw S3 URLs or a Content Delivery Network (CDN) other than CloudFront, then WP Offload Media needs to be able to make objects in the bucket public readable (not editable). Otherwise, site visitors won’t be able to access the raw S3 URLs and the non-CloudFront CDN won’t be able to access the bucket to deliver the files. Making objects public is safe as it is on a per object basis and is different from making the bucket public. Even if you’re only going to use WP Offload Media to offload “private” objects for WooCommerce, Easy Digital Downloads or similar, WP Offload Media still needs to be able to change the permissions on individual objects in the bucket if not using Amazon CloudFront as the Delivery Provider.

If you created your bucket via WP Offload Media then it will have made sure that the bucket was set up correctly for serving media via raw S3 URLs. You should see “Block All Public Access Disabled” in the Bucket section of the settings.

WP Offload Media Block All Public Access Disabled in Settings

However, if you created the bucket via the AWS Console there’s a good chance that “Block All Public Access” will have been enabled as that is the default. If so, after entering the bucket name or selecting the bucket from the list, you may be presented with the following dialog.

WP Offload Media Block All Public Access Enabled Warning

If you intend to use Amazon CloudFront as the Delivery Provider for your media, then by all means click that “Continue” button and move on to setting up CloudFront. Otherwise we strongly recommend using the “Disable Block All Public Access” button to avoid any potential problems and make initial testing smoother. You can alway enable Block All Public Access at a later date once Amazon CloudFront has been configured.

IMPORTANT: There is also a Block public access (account settings) page that can be accessed from the Amazon S3 sidebar that can also be used to disable public access to objects in all existing and new buckets. If the AWS account is relatively new, or someone has visited this settings page and turned on the blocking of public access, you may need to visit the page, click “Edit”, clear the “Block all public access” checkbox, and then save the changes.

Amazon S3 Block Public Access Account Settings

If you have used WP Offload Media’s “Disable Block All Public Access” button but it does not seem to have worked, or you receive “Access Denied” error messages, please visit that Block public access (account settings) page in the AWS Console.

Activate Your WP Offload Media License

Now’s a good time to activate your WP Offload Media license so that (once configured) you can instantly take advantage of all its goodies.

Go to WP Offload Media’s settings page in the WordPress admin dashboard, found under the “Settings” menu.

Then click on the “License” tab, enter your license key in the input box, and click the “Activate License” button.

WP Offload Media Enter License

Make Sure Cron Is Set Up

We highly recommend that you configure a proper cron job on your server as WP Offload Media relies heavily on background processing. See our Cron Setup doc for details on how to accomplish this.

Offload Your Existing Media Library

Now that your site is configured to offload newly-uploaded media to Amazon S3, you might want to offload any existing media to the bucket too.

In the right-hand sidebar of WP Offload Media’s “Media Library” tab you should see what we call the “Offload Tool”, this can be used to offload existing media to the bucket.

If you have not offloaded anything yet, then you’ll see a “Your Media Library needs to be offloaded” message in the Offload Tool with an “Offload Now” button.

WP Offload Media Offload Now

If you have already offloaded a few items, then you might see a message like “66% of your Media Library has been offloaded” in the Offload Tool, with an “Offload Remaining Now” button.

WP Offload Media Offload Remaining

Either way, clicking the Offload Tool’s button will start an upload to the bucket of all existing media yet to be offloaded.

WP Offload Media background offload in progress

The media offload progresses in small batches in the background to keep things efficient. You can close the tab and just forget about it, when the tool finishes its job, you’ll get a notice in the WordPress dashboard, or you can monitor progress from WP Offload Media’s settings page.

Once complete, the Offload Tool displays a “100% of your Media Library has been offloaded, congratulations!” message and the “Download all files from bucket to server” and “Remove all files from bucket” tools are made available.

WP Offload Media Offload 100 Percent

Next Steps: Using a Content Delivery Network (CDN)

Now that your media is offloaded to Amazon S3, your next step if you’re concerned about performance (i.e. load time and SEO), is to configure a CDN.

By default WP Offload Media is configured to use raw Amazon S3 URLs when serving offloaded media. Your media URLs might look something like this:…

Not only is this an ugly URL, but this URL is also bad for SEO as Google likes to see your media on your own domain. Also, Amazon S3 is primarily a storage platform and is not optimized for high speed delivery of media. Faster media is obviously better for user experience but also better for SEO. For these reasons, we strongly recommend configuring Amazon CloudFront or another CDN for delivering your media. For more details about the benefits of CloudFront and other CDNs, please read our Why Use a CDN? doc.

We have a guide for setting up Amazon CloudFront as your CDN guide. It gets you up and running with CloudFront properly configured to use your Amazon S3 bucket as its origin, and shows how to update WP Offload Media’s settings to use it.

If you’re planning to set up the Assets Pull addon as well, you will most likely want to use the same domain name for both your media and assets with Amazon CloudFront. Check out our guide to accomplish that.

If you don’t want to use Amazon CloudFront for your CDN, you can also use any other CDN. We have a guide for setting up Cloudflare as well as StackPath.