Michael

Reputation: 349

secure websites running on the same webserver

I have two websites running on my own root server (Ubuntu/nginx/php-fpm). Now I want to add one more website, a WordPress blog. As you know, WordPress can be a security risk, and that's why I'm asking myself how to "separate" WordPress from the other websites. So when WordPress gets hacked, I want the attacker to be trapped within WordPress. It would be fatal if he could "see more" than the WordPress blog. What is your strategy to protect websites from each other?

Upvotes: 1

Views: 93

Answers (3)

Peter

Reputation: 793

Ensuring that you set permissions will help; however, this will not necessarily ensure safety.

This should be used with a multitude of other fixes as well. The following are some of these:

1) Change the URL for wp-admin.

2) Investigate and install security plugins. There are some that will clean GET and POST prior to WordPress using them.

3) Change the default username for the admin user.

4) Disable features that allow the upload of files. Ensure that the folders files are uploaded to are not writeable.

5) You could also secure the wp-admin folder using htaccess.

Upvotes: 0

Lee Davis

Reputation: 4756

I find it unfortunate that the general consensus on WordPress is "when it gets hacked". But then I guess there's no smoke without fire.

I think creating the right permissions, users / groups etc. is a great way to go, but personally, if there is budget, I'd advise separating these applications onto different resources entirely.

Considering the history of exploits in WordPress, I wouldn't risk putting anything of value onto the same box.

Upvotes: 0

Alex Amiryan

Reputation: 1382

Set up permissions and create a separate user/group for the webserver to use when running WordPress, and use suexec to run WordPress using that user's/group's privileges. Note that your other websites should not even be readable for the WordPress user.

Upvotes: 1
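A way to check the last point of the answer above, that the other sites are not readable by the WordPress account, added here as an example and not part of any answer. It evaluates classic owner/group/other mode bits only (ACLs and root are ignored); the account name `wp_blog` and the `/var/www/...` paths are hypothetical.

```python
import os

R, X = 4, 1  # read and execute/search bits within one rwx triplet

def allowed(path, uid, gids, want):
    """Classic Unix check from mode bits only (no ACLs, no root override)."""
    st = os.stat(path)
    if st.st_uid == uid:
        bits = st.st_mode >> 6      # owner triplet
    elif st.st_gid in gids:
        bits = st.st_mode >> 3      # group triplet
    else:
        bits = st.st_mode           # other triplet
    return ((bits & 7) & want) == want

def reachable(path, uid, gids, root="/"):
    """True if uid can read path and traverse every parent up to root."""
    cur, root = os.path.realpath(path), os.path.realpath(root)
    want = R | X if os.path.isdir(cur) else R
    if not allowed(cur, uid, gids, want):
        return False
    while cur != root:
        parent = os.path.dirname(cur)
        if parent == cur:           # reached the filesystem root
            break
        if not allowed(parent, uid, gids, X):
            return False            # a locked parent hides everything below
        cur = parent
    return True

def exposed_sites(site_roots, uid, gids, root="/"):
    """Docroots of the other sites that the WordPress account can still read."""
    return [p for p in site_roots if reachable(p, uid, gids, root)]

if __name__ == "__main__":
    import pwd
    wp = pwd.getpwnam("wp_blog")    # hypothetical WordPress account name
    gids = set(os.getgrouplist(wp.pw_name, wp.pw_gid))
    others = ["/var/www/site1", "/var/www/site2"]  # hypothetical docroots
    for p in exposed_sites(others, wp.pw_uid, gids):
        print("readable by WordPress user:", p)
```

An empty result means none of the listed docroots is reachable through mode bits; a docroot left at 0755 will be reported, while 0750 with a group the WordPress account does not belong to will not.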
