
We plan to host a WordPress blog and an e-commerce store on the same domain, so the URLs will look like this:

example.com <--- Magento Store
example.com/blog/ <--- WordPress Blog

Our main concern is the security of the e-commerce store. We don't feel safe hosting both CMSes in the same document root.

Are there some best practices for how to securely host multiple CMSes on the same domain? We have thought about

  • moving part of the code outside of the doc root, or
  • setting different owners (or write permissions) for each CMS folder

so that if someone hacks the WordPress blog, they won't be able to access other parts of the website. Thank you.

Andrew Schulman
Kelvin

2 Answers


You can set up multiple PHP-FPM process pools in different chroot environments.

Then, all requests except those under example.com/blog/ would be redirected to the PHP-FPM store pool, and /blog/ requests would be passed to the blog pool.

Running the pools in different chroot environments ensures that one pool cannot access files for another environment.

Tero Kilkanen
  • Thanks, @TeroKilkanen! This is definitely new to me. I just googled "php-fpm chroot" and tried to find out more about this approach. Do you think it's enough to do a chroot for one subfolder, "blog", or should I physically separate the files, e.g. "/var/www/shop/public_html" and "/var/www/blog/public_html", and use aliases to create URLs like example.com/blog/? I found this manual: [link](https://serversforhackers.com/c/nginx-php-in-subdirectory). Do you know an easier example for my needs? – Kelvin Apr 02 '21 at 14:39
  • The article in your link does not actually talk about a chroot solution. It merely separates files into different directories. It still uses a common PHP-FPM pool for both locations, and there is no OS-level isolation between the pools. Actually, a more modern setup would be to set up different PHP-FPM pools in separate Docker containers, and then use different directories in each. Google for `php-fpm docker` and you should see several approaches for this. – Tero Kilkanen Apr 02 '21 at 14:59

Just wanted to post an update and share how we ended up resolving this project on our server.

  1. We have created a separate virtual host for the blog (e.g. blog.example.com). This virtual host is hosted on the local IP with a specific internal port and is not visible from outside.
  2. The web folder of the blog has a separate, restricted Unix user:group that has access only to the blog web folder.
  3. We used a separate MySQL user for the blog, with permissions for the blog database only.
  4. Lastly, we've created a proxy redirect on example.com that points to the separate virtual host (example.com/blog => blog.example.com).
  5. blog.example.com uses its own php-fpm pool to process PHP scripts.
Kelvin
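Pulling the two answers together (separate pools and users from the second, chroot per pool from the first), here is an added example that is not from either answer: a script that renders one chrooted PHP-FPM pool per site plus the nginx location split that sends /blog/ to the blog pool. The pool names "shop" and "blog", the /var/www/<site>/public_html layout, the www-data nginx user and the existence of those Unix users are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render the config for two isolated
# PHP-FPM pools ("shop" at /, "blog" at /blog/) behind one nginx server.
# Pool names, paths and the www-data nginx user are assumptions.
set -eu

# One pool per site: own unprivileged user, own socket, and a chroot to the
# site directory, so a compromised PHP worker in one pool cannot read the
# other site's files. The master binds the socket before chrooting, so the
# socket path is a host path; open_basedir is relative to the chroot.
render_pool() {
    name=$1; root=$2
    cat <<EOF
[$name]
user = $name
group = $name
listen = /run/php-fpm/$name.sock
listen.owner = www-data
listen.group = www-data
chroot = $root
pm = ondemand
pm.max_children = 8
php_admin_value[open_basedir] = /public_html:/tmp
EOF
}

# nginx sends /blog/*.php to the blog pool and every other *.php to the shop
# pool. SCRIPT_FILENAME must be the path as the chrooted pool sees it, and
# fastcgi_params is included per location because a location that sets any
# fastcgi_param inherits none. Regex locations match in order: /blog/ first.
render_nginx() {
    cat <<'EOF'
server {
    server_name example.com;
    root /var/www/shop/public_html;
    location /blog/ {
        alias /var/www/blog/public_html/;
        try_files $uri $uri/ /blog/index.php?$args;
    }
    location ~ ^/blog/(.+\.php)$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /public_html/$1;
        fastcgi_pass unix:/run/php-fpm/blog.sock;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /public_html$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/shop.sock;
    }
}
EOF
}
```

Run `render_pool shop /var/www/shop > /etc/php-fpm.d/shop.conf` (and likewise for blog) and `render_nginx` into the site config. A chrooted pool only sees what is under its chroot, so MySQL has to be reached over TCP or its socket made available inside the chroot, and files such as timezone data and resolv.conf must be copied in.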