0

We are self-hosting WordPress on IIS 7, 2008 Server.

To allow for automatic updates to the WordPress code base, I had to set the following permissions on my WordPress root installation folder:

  • IUSR - Modify
  • My App Pool - Full Control

Is this a secure configuration?

Thanks in advance, Chris

1 Answer

0

No,

First -

You should remove all inheritance at wwwroot and then add back System (full control) and Administrators (full control).

Second -

Create an Administrator Account for the Application Path for the website and use it instead of the basic pass through authentication (Basic Settings).

Third -

Change your App Pool to use ApplicationPoolIdentity and then add permissions for IIS AppPool\My App Pool to the root of the website and give it read-only permission.

Steve
  • 1
  • Thanks Steve. Do you have any links to documentation around this? – Christopher Crisis Aug 19 '14 at 13:51
  • Also, your second step "Create an Administrator Account for the Application Path for the website and use it instead of the basic pass through authentication (Basic Settings)" - Is this in the IIS Authentication settings? – Christopher Crisis Aug 19 '14 at 14:01
  • This did not work. Getting 500 Internal Server error with this configuration: – Christopher Crisis Aug 19 '14 at 16:56
  • Ok, I was able to get this working. Why is the second step necessary? Isn't IUSR or application pool identity good for this? – Christopher Crisis Aug 19 '14 at 19:18
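
Steps one and three of the answer above, followed by a check of which identities can still write to the site root, as an added example that is not part of the original answer or comments. The install path is an assumed placeholder, the pool name is the one written in the question, and the script is meant to be run from an elevated prompt; step two (the physical path credentials) is not covered.

```powershell
# Assumed values (not from the original post): adjust to your site.
$SiteRoot = 'C:\inetpub\wwwroot\wordpress'   # hypothetical install path
$PoolName = 'My App Pool'                    # pool name as written in the question
$PoolId   = "IIS AppPool\$PoolName"
$AppCmd   = "$env:windir\System32\inetsrv\appcmd.exe"

# Step one: add explicit full control for SYSTEM and Administrators first,
# then drop every inherited ACE so only explicit entries remain.
icacls $SiteRoot /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'
icacls $SiteRoot /inheritance:r

# Step three: run the pool as ApplicationPoolIdentity and replace any earlier
# explicit grant for it (such as Full Control) with read and execute only.
& $AppCmd set apppool $PoolName /processModel.identityType:ApplicationPoolIdentity
icacls $SiteRoot /grant:r "${PoolId}:(OI)(CI)RX"

# Check: list every Allow entry, other than SYSTEM and Administrators, that
# still carries a write-type right. Explicit entries that were set earlier,
# such as the IUSR Modify grant from the question, survive /inheritance:r
# and will show up here.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]`
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$expected  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

$writers = (Get-Acl $SiteRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $expected -notcontains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $writeBits) -ne 0)
}

if ($writers) {
    Write-Warning "Identities that can still write to ${SiteRoot}:"
    $writers | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "No web identity has write access to $SiteRoot."
}
```

An entry reported by the check can be dropped with `icacls $SiteRoot /remove:g <identity>` once you have confirmed the site does not depend on it.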