Are there any best practices for a hardened WordPress install on Linux? I have recently had a WAMP server get malware-attacked via WordPress, so I want to harden the server up using read-only Apache permissions and move it and all future WordPress sites to Linux only.
The plan:
- chown everything root:root -R so that Apache can't write to anything
- chmod so that only the owner can write
- chown only the uploads / updated files / themes dirs of WordPress to apache:root
This last bit is the bit I need help on: can you tell me which bits of auto-updatedness WordPress is likely to need? I have looked online and no-one is talking about this.
asked Aug 21, 2013 at 10:22 by conners; edited Aug 21, 2013 at 16:25 by fuxia♦
- downgrade? are you serious? WordPress is a liability third-party application and you downgrade me for trying to mitigate it? It's either this or I have to ban WordPress from my servers – conners Commented Aug 21, 2013 at 10:55
- This belongs on serverfault or stackoverflow. – Wyck Commented Aug 21, 2013 at 14:15
- It is very broad but is a "server configuration for WordPress" question. I think it is on topic. – s_ha_dum Commented Aug 21, 2013 at 14:19
- @Wyck why? It's not a server installation question nor a programming question. – conners Commented Aug 21, 2013 at 14:27
2 Answers
Heavily edited from the above link
How to Harden your WordPress if you're a server admin
Bear in mind I am not an expert on WordPress nor even a user of it. You will probably not be able to automatically self-update WordPress by using this method (which is by default a massive security issue, since vulnerabilities found today are published later by the open source community and are easily viewable/usable then), you may or may not be able to install/update plugins, and you will not be able to do this at all on Windows servers.
/
The root WordPress directory: all files should be writeable only by your user account (*not Apache*), except .htaccess if you want WordPress to automatically generate rewrite rules for you.
/wp-admin/
The WordPress administration area: all files should be writeable only by your user account (*not Apache*).
/wp-includes/
The bulk of WordPress application logic: all files should be writeable only by your user account (*not Apache*).
/wp-content/
User-supplied content: intended to be writeable by your user account AND Apache.
Within /wp-content/ you will find:
/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writeable by the web server process (Apache). If you do not want to use the built-in theme editor, all files can be writeable only by your user account (*not Apache*).
/wp-content/plugins/
Plugin files: all files should be writeable only by your user account (*not Apache*).
So the ACTUAL answer on CentOS is:
Do the following, substituting mywordpressplace for your WordPress installation directory. Do the commands as root, and use root too if you like; it won't matter. The books say you should do the following shell commands as root and then use a third-party user as the user in the command line entries below, but I think that if you have multiple servers (I have around 40 that I run) and if you have hardened infrastructure it's probably satisfactory to merely use root for both, so long as you have ssh correctly configured etc.
# chown -R root:root /var/www/html/mywordpressplace/
# find /var/www/html/mywordpressplace/ -type d -exec chmod 755 {} +
# find /var/www/html/mywordpressplace/ -type f -exec chmod 644 {} +
# chown apache:root /var/www/html/mywordpressplace/.htaccess
# chown apache:root /var/www/html/mywordpressplace/wp-content/
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/themes/
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/plugins/
One last gotcha
The last bit is important: since the WordPress malware that can and does exist often uses PHP to read/write/traverse your directory to insert code, and since Apache must be able to read the /var/www/html/ dir, you also need to ensure that anything ELSE on that server in /var/www/html/ must ALSO be:
# chown -R root:root /var/www/html/*
What happens is that WordPress malware will traverse the web root dir and inject code (curl() commands usually) into any index.php/default.php files from OTHER sites that are NOT WordPress at all. WordPress can often be the vector for other sites on the vhost.
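To verify that the ownership and mode scheme in this answer is actually in force (and stays in force after updates), here is an added audit script that is not part of the original answer: it lists every path under the WordPress root that the web-server user could still write to, outside the directories the answer deliberately leaves writable. The allowlist, the user/group names and the non-recursive exception for wp-content/ itself are assumptions mirroring the chown lines above.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree for
# paths the web-server user could still write to, outside the directories
# the scheme above deliberately leaves writable. The allowlist and the
# user/group names passed in are assumptions; adjust them to your layout.

# Paths (relative to the WordPress root) expected to be web-writable:
# uploads always, plus .htaccess/themes/plugins only if you keep the
# rewrite generator, theme editor or in-browser plugin installs enabled.
WP_WRITABLE_ALLOWLIST=".htaccess wp-content/uploads wp-content/themes wp-content/plugins"

# audit_wp_writable ROOT WEBUSER
# Prints every path under ROOT (outside the allowlist) that WEBUSER could
# write to: owned by WEBUSER with the owner-write bit, in WEBUSER's primary
# group with group-write, or world-writable. Returns 0 when nothing is
# found, 1 when offending paths were printed, 2 if WEBUSER is unknown.
audit_wp_writable() {
    root=${1%/}
    webuser=$2
    webgroup=$(id -gn "$webuser" 2>/dev/null) || {
        echo "audit_wp_writable: unknown user '$webuser'" >&2
        return 2
    }
    # Build "-path X -prune -o" for each allowlisted entry so find skips
    # that subtree (entries containing whitespace are not supported here).
    prune=""
    for entry in $WP_WRITABLE_ALLOWLIST; do
        prune="$prune -path $root/$entry -prune -o"
    done
    # wp-content/ itself is allowed non-recursively: the answer chowns it to
    # apache so WordPress can create uploads/ and upgrade/ inside it.
    # -perm -200 = owner write bit, -020 = group write, -002 = other write.
    # shellcheck disable=SC2086  # $prune is meant to be word-split
    found=$(find "$root" $prune ! -path "$root/wp-content" \( \
        \( -user "$webuser" -perm -200 \) -o \
        \( -group "$webgroup" -perm -020 \) -o \
        -perm -002 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage against the layout from the answer (run as root so find can read
# everything):  audit_wp_writable /var/www/html/mywordpressplace apache
```

Run it from cron after every core, theme or plugin update; a non-zero exit with paths printed means something outside the allowlist has become web-writable again.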
... can you tell me which bits of auto-updatedness wordpress is likely to need?
WordPress doesn't need any "auto-updatedness". Auto-updating is just a convenience. In fact, the built-in updater is a relatively new thing, though I don't remember at what version it appeared. You can always update manually via (s)FTP and I pretty much always do.
I have looked online and no-one is talking about this
No one is talking about what?
https://wordpress/support/article/hardening-wordpress/