1

I've a peculiar situation. I've VPS that I use for my own projects. A friend of mine asked me to host his wordpress blog.

Now I've setup my VPS very straightforward, all projects are under /www and apache has write access to these folders (www-data), I'm on ubuntu server 12.04.

Mysql side there is no problem, this wp installation has its own DB/username-pass that has access to only this DB.

But I'm worried that if his wp-admin password gets compromised, security of my VPS can be compromised too.

I'm thinking to chown /www/projectX to me:me. And give write permission only to plugins and image upload directories. But if everything runs under same apache user, potentially hacker may upload malicious script to those directories and thus get access to my other projects on the server.

Is there anything I can do to safeguard myself? at least partially?

I don't want to secure this particular installation of WP, I want to secure my other projects from this wp installation.

Red Balloon
  • 35
  • 8
  • 1
    If you are really paranoid, then you shouldn't be sharing a VPS, have your friend get their own VPS. – Zoredache Feb 19 '14 at 18:40
  • Personally, on production servers, I keep files/directories owned by root:www-data (on Debian/Ubuntu servers) with directories permissions of 550 and files 440 as much as possible. Wordpress *might* need rw access to a subset of files/directories (uploads or cache), and if so I keep those to a minimum (570 or 460). Root can of course always override those permissions. I also harden php. – Panther Feb 19 '14 at 19:57

1 Answers1

1

These two steps will get you 90%+ of the way to a secure hosting system (from the point of view of preventing cross-site escalation attacks):

Step 1: don't run everything as www-data

Use a system like php-fpm to run each site in its own user. That way, a compromise on one account can't automatically read the contents of every other site, such as database passwords and other secret keys.

Step 2: restrict permissions

Make sure the permissions on each site don't allow the other site users to read anything. A cute trick to do this is to set the group of each site's base directory to some common group that all website users are a part of (maybe even call it websites), then set the perms on that directory to 0701, so that users in the group can't get into the directory.

womble
  • 96,255
  • 29
  • 175
  • 230
  • Assuming the OP is asking about shared hosting and not just a single site, another very important note is to make sure to implement a form of symlink attack prevention. – sa289 Aug 12 '15 at 23:34