
My current setup includes nginx and php5-fpm. This question is about a host which contains a Wordpress site. The host has its own fpm pool with user:group, let's call it wordpress:wordpress. Nginx runs using the default www-data:www-data.

This means that: PHP files are executed by wordpress:wordpress, static files are served by www-data:www-data. Therefore, all files need to be readable by both of those users. The files wordpress writes to should also be writable by wordpress:wordpress.

But here comes the problem: I want to allow modifying all the files via SFTP. Currently this is done using the wordpress:wordpress user, which means this user needs full access to all the files.

Therefore, a malicious PHP script uploaded to the server can modify all files of this Wordpress installation and serve malware etc to the end users. I want to reduce this risk by making only the files Wordpress needs to write to writable by PHP.

I thought about setting up another user account, say wordpress-sftp:wordpress solely for SFTP. This user's home folder would be the root of the wordpress host, just as wordpress:wordpress's. wordpress-sftp:wordpress would have full access to the files of this host. The files of the wordpress installation I would make readable by the wordpress group. The files which need to be writable by wordpress I would make writable by the wordpress group. Additionally I would add the www-data user to the wordpress group so that it can read the static files.

So all files could get permissions 644 or 640, the files which need to be writable by Wordpress would get permissions 664 or 660.

Does this setup sound reasonable and secure? Or how would you solve the problem?

sumbodyyy
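The permission scheme from the question as a runnable script (an added example, not the asker's or the answer's code). It assumes the site root is passed in WP_ROOT and that the only directories PHP must write to are wp-content/uploads and wp-content/upgrade; the audit function reports anything group- or world-writable outside that set, which is the check you would rerun after every SFTP deploy.

```bash
#!/usr/bin/env bash
# Added example implementing the question's scheme. Assumptions (not from the post):
# WP_ROOT is the site root, and PHP only needs write access to wp-content/uploads
# and wp-content/upgrade. Run as root for the ownership step.
set -e

# wordpress-sftp owns the tree (SFTP-only), group wordpress is shared with the
# php-fpm pool user, and nginx's www-data joins the group to read static files.
setup_accounts() {
  local root=$1
  groupadd -f wordpress
  id wordpress-sftp >/dev/null 2>&1 || useradd -M -g wordpress -d "$root" wordpress-sftp
  usermod -a -G wordpress www-data
  chown -R wordpress-sftp:wordpress "$root"
}

# Group read-only (750/640) everywhere; group-writable (770/660) only under the
# directories listed after the root.
apply_modes() {
  local root=$1; shift
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  local d
  for d in "$@"; do
    mkdir -p "$root/$d"
    find "$root/$d" -type d -exec chmod 770 {} +
    find "$root/$d" -type f -exec chmod 660 {} +
  done
}

# Audit: print anything group- or world-writable outside the allowed directories.
# Returns 0 when the tree matches the scheme, 1 when offenders are found.
audit_modes() {
  local root=$1; shift
  local d prune=() offenders
  for d in "$@"; do prune+=(-path "$root/$d" -prune -o); done
  offenders=$(find "$root" "${prune[@]}" \( -perm -020 -o -perm -002 \) -print)
  if [ -n "$offenders" ]; then
    printf 'writable outside allowed set:\n%s\n' "$offenders"
    return 1
  fi
}

# Usage (as root): WP_ROOT=/home/www/wordpress/httpdocs bash wp-perms.sh
if [ -n "${WP_ROOT:-}" ]; then
  setup_accounts "$WP_ROOT"
  apply_modes "$WP_ROOT" wp-content/uploads wp-content/upgrade
  audit_modes "$WP_ROOT" wp-content/uploads wp-content/upgrade
fi
```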
    I think you're missing a backtick or two in the second half of your question. Also, if you set the permissions of the files that wordpress needs write access to to `640`, you'll find that nginx won't be able to read them unless you add the `wordpress` group to the `www-data` account (`sudo usermod -a -G wordpress www-data`). – starbeamrainbowlabs Sep 23 '15 at 11:48
    Thanks, fixed. I wrote in the question: > Additionally I would add the `www-data` user to the `wordpress` group so that it can read the static files. Besides that, do you think my approach is right? – sumbodyyy Sep 23 '15 at 12:11
  • If you add the `www-data` user to the `wordpress` group, then you should set the permissions to `640`. Other than that, yes I do think that approach is OK. Note though that I'm mostly self-taught atm, so you should definitely get a second opinion here. – starbeamrainbowlabs Sep 24 '15 at 05:41

1 Answer


This setup is secure only for files in your wordpress site folder, but doesn't prevent an attacker from breaking into your system and accessing/reading/writing other files on your server.

As you are using php5-fpm, I suggest setting open_basedir to limit the php5 user to the php5 pool directory, like this:

php_admin_value[open_basedir] = /home/www/wordpress/httpdocs:/home/www/wordpress/tmp

Change the tmp directory for the site to avoid access to the shared tmp folder.

Disable all PHP functions not used by your CMS to prevent the use of dangerous functions by a malicious user, i.e.:

php_admin_value[disable_functions] = apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, xmlrpc_entity_decode

Limit the memory (if you can calculate the maximum amount of RAM needed by your wordpress installation); this way a malicious script cannot exhaust your server resources.

php_admin_value[memory_limit] = 124M

Limit upload_max_filesize and post_max_size to prevent uploading big software (if you don't need it):

php_admin_value[upload_max_filesize] = 12M
php_admin_value[post_max_size] = 12M