Wordpress installation problem: Please provide a valid username.

7 February 2018, 15:36
I installed Hiawatha on my CHIP, running debian stretch, MariaDB from debian repos + PHP7 and then wordpress. Basicly i followed this guide:

except for webserver I chose to use Hiawatha. Everything seems to work fine but when I enter my server to complete Wordpress installation I'm stuck immediately at "the famous 5min installation process". Basicly I get the welcome screen and select language and after that I can set title, username, password, email... But when trying to go forward to next step I always get message:

Please provide a valid username.

Is this because of some server settings, permission settings or wordpress problem? I have found similar issues by search but no solution yet. Can you help me forward?
7 February 2018, 15:56
And here's my hiawatha.conf file (note this is my first time ever server setup, soatm I just leaved lot commented out, don't know yet what will be final setup. Also this is intentionally LAN usage atm, no available at internet yet). Folder permissions are setted as the guide linked at first post.
# Hiawatha main configuration file

# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options.
# The variables are case-sensitive and cannot be redeclared.

ServerId = www-data
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exloit.log
ThreadKillRate = 3

# A binding is where a client can connect to.
Binding {
Port = 80
Binding {
Port = 203
BindingID = port_203

#Binding {
# TLScertFile = tls/hiawatha.pem
# Interface =
# MaxRequestSize = 2048
# TimeForRequest = 30

# Deny service to clients who misbehave.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

# These settings can be used to run CGI applications.
#CGIhandler = /usr/bin/perl:pl
CGIhandler = /usr/bin/php-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
#CGIextension = cgi
FastCGIserver {
FastCGIid = PHP7
ConnectTo = /run/php/php7.0-fpm.sock
Extension = php

# This URL toolkit rule was made for the Banshee PHP framework,
# which can be downloaded from
UrlToolkit {
ToolkitID = wordpress
RequestURI exists Return
Match ^/(css|files|fonts|images|js)($|/) Return
Match ^/(favicon.ico|robots.txt)$ Return
Match [^?]*(\?.*)? Rewrite /index.php$1

# You can specify some settings per directory.

Directory {
DirectoryID = assets
Path = /
Extensions = css, js, png, webp, jpg, pdf, woff, woff2
ExpirePeriod = 2 weeks, public

# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
Hostname =
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

# Use a VirtualHost section for each website you want to host.
VirtualHost {
Hostname =
WebsiteRoot = /var/www/wordpress
RequiredBinding = port_203
StartFile = index.php
AccessLogfile = /var/www/wordpress/logs/access.log
ErrorLogfile = /var/www/wordpress/logs/error.log
TimeForCGI = 5
UseFastCGI = PHP7
UseToolkit = wordpress
UseDirectory = assets
ShowIndex = no
TimeForCGI = 10
UseFastCGI = PHP7
CustomHeader = Vary: Accept-Encoding
CustomHeader = X-Frame-Options: sameorigin
PreventXSS = yes
PreventCSRF = yes
PreventSQLi = yes
Hugo Leisink
7 February 2018, 20:01
Try the installation without the PreventXSS, -CSRF and -SQLi options.
7 February 2018, 21:47

That did the trick, but seems that in order to customize wordpress I needed to turn those off again. Also can't upload header image via GUI, I got HTTP error even when protection is turned off. Also soon after that problem that wordpress site cannot be reached. Hiawatha on the other hand is still running and serves defaul page normally. Wordpress site after reboot. Also haven't yet managed to install healthy check plugin.
Hugo Leisink
7 February 2018, 22:35
As stated in the manual, only use those options to mitigate an attack. Don't use it as your first line of defense. About the upload of images, look at the MaxRequestSize setting.
7 February 2018, 23:23
Thanks! I think I can sort it out now. Sorry for asking these basic things but since this is the first server setup.... Well at least I've already learned something.
Hugo Leisink
10 February 2018, 14:35
No problem!
This topic has been closed.