Reputation: 1845
I have a WordPress network running (on a shared host) to great satisfaction, apart from a security dilemma.
When I first installed the application, I did this through a Plesk Cpanel. Later, when I started to add plugins, I realised the server used safe_mode On. I asked the host to remove it and they did, but before this I did install most of my plugins through FTP because of permission problems due to the safe_mode On setting.
But now I seem to be running into a different setting that is limiting me. Because I installed plugins through FTP, my FTP user is the owner of the files. Now when I try to update through the normal WordPress routine, it doesn't have sufficient permission for the stream folder, and when I set this to 777 it does not have enough permission for the plugin folders because apache is not the owner of the folders and files.
I do not want to set all my folders to 777 (775 also doesn't work). Changing owner (I tested with creating a folder through a WordPress plugin) works, but http://codex.wordpress.org/Changing_File_Permissions tells me I shouldn't let apache be the owner of my files and folders.
Could you advise me about:
If you need more information about the shared hosting, please let me know.
Upvotes: 0
Views: 2144
Reputation: 68
I've run into similar problems in the past.
Ultimately, I found myself reading through the Hardening WordPress article on WordPress.org with a fine-tooth comb and paying particular attention to this section: http://codex.wordpress.org/Hardening_WordPress#File_Permissions which recommends a mixture of 755 and 644.
You might want to run recursive changes (to make sure they echo out to the folders beneath), and then pop something like WordPress Firewall 2 on as a security plugin.
Ultimately, the shared hosting environment can only be secured to a certain level (because it's shared) - but both of those are a good start.
Upvotes: 1
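The recursive 755/644 change recommended in the answer above, as an added example that is not part of the original posts: it lists world-writable entries left over from 777 experiments, then sets directories to 755 and files to 644. The function names and the install path you pass in are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit and normalise permissions under a WordPress tree.
# Function names are hypothetical; the install path is supplied by the caller.

# Print every file or directory that is world-writable (e.g. left at 777/666).
wp_audit() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Count entries that deviate from 755 (directories) or 644 (files).
wp_deviations() {
    {
        find "$1" -type d ! -perm 755 -print
        find "$1" -type f ! -perm 644 -print
    } | wc -l | tr -d ' '
}

# Apply 755 to directories and 644 to files, recursively.
# find does not follow symlinks by default, so targets outside the tree
# are left untouched.
wp_fix() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Stand-alone use: sh wp-perms.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    echo "World-writable before the fix:"
    wp_audit "$1"
    wp_fix "$1"
    echo "Entries still deviating from 755/644: $(wp_deviations "$1")"
fi
```

This only changes mode bits; it does not change which user owns the files, which is the part the hosting provider controls on a shared host.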