Safe and productive ownership settings for a Wordpress installation

So, I have been reading about this for a long time and there's never a conclusive answer to be found anywhere.

I have a Centos 6 LAMP web server which mostly hosts websites created by yours truly and the occasional website created by someone else.

Which is the most secure way to configure Wordpress folders ownership AND keep all the automatic features (updating, uploading and so on) without the need to insert ftp or sftp credentials each time?

Aside from permissions (which I always set to 755 for folders, 644 for files and 600 for special files, as suggested everywhere), there are a lot of different ideas about ownership.

Somebody says apache should be the owner of the whole folder. Somebody says that the owner should be your server user (root for instance, or a dedicated user) and never apache.

But if the owner is not apache, you have to use your ftp credentials to upload, update and so on.

So is there a way to actually have it all? What's the safest and smartest way to configure ownership for Wordpress?

Thanks guys.
Daniele Brunengo (IT Consultant, Web Designer) asked:
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
1) Correct: 755 on directories.

2) Correct: 644 on files.

3) Correct: Ownership of all files + directories must be user/group matching your Apache instance. This might be httpd, or apache, or www-data, or nobody.

Do a ps to figure out the runtime user/group of your Apache instance.

4) What you'll have at this point...

Aside: Likely best to switch to running Ubuntu Bionic (5 years updates), if you have problems getting the following working.

Steps 1-3 are required so your Apache instance can serve files. Do yourself a favor + leave this as-is with no funny ownership/perms tricks.

Here's what an example directory hierarchy of the form /sites/davidfavor/fs.davidfavor.com will look like up to this point.

# ll /sites
total 4.0K
drwxr-xr-x 5 root root 4.0K Jan 19 10:37 david-favor/

# ll /sites/david-favor
total 12K
drwxr-xr-x 4 root root 4.0K Jan 19 18:21 fs.davidfavor.com/

# ll /sites/david-favor/fs.davidfavor.com
total 8.0K
drwxr-xr-x 2 www-data www-data 4.0K Jan 21 06:25 logs/
drwxr-xr-x 5 www-data www-data 4.0K Jan 19 18:42 wordpress/


Do yourself a favor + place your logs directory (for WordPress debug log) outside your WordPress install for security + to reduce backup size.

5) Now for the tricky part. To set up any number of SFTP users to...

a) Access your Apache (existing) owned files/directories.

b) Ensure any SFTP newly created files/directories are accessible by both Apache + all SFTP users.

Note: This scenario imagines all SFTP users have access to the entire WordPress file hierarchy. This is a bad idea. In real life, you should block anyone mucking about with any WordPress core/theme/plugin files via SFTP. To keep this example simple, all files are accessible.

Rest of steps relate to getting SFTP users setup correctly.

6) ACLs must be working correctly for your system. This means...

a) Your Kernel is recent + built correctly (ACL support enabled).

b) Your Filesystem (stick with ext4) in use is recent + built correctly (ACL support enabled) + mount options are correct (default or manual).

c) You must install the ACL tools - setfacl + getfacl.

Note: All items related to #6 are handled automatically in Ubuntu + have been for years. For CentOS, likely part or all of this is broken. To complete this step in CentOS (depending on many factors) may require a massive amount of time to get working.

7) You must have a sensible SFTP server running.

The only sensible SFTP server I've found (I've been hosting client sites since 1994) is MySecureShell.

This SFTP server is a zero config server (at least on Ubuntu).

a) Install the package.

b) run sftp-verif + answer yes to any suggested repairs.

8) Now set up a default ACL for the Apache user/group, so any new files will be accessible by Apache.

Ubuntu uses www-root + CentOS uses many different variations, so you'll have to figure out the correct command line conjuration for your Apache instance.

# Ensure Apache can access any newly created directories/files.
setfacl -Rm d:u:www-data:rwX,u:www-data:rwX /sites/*/*/{wordpress,htdocs}


9) Now create a user to access the fs.davidfavor.com site using the above file hierarchy...

# Create a normal user, with home pointing to the WordPress root install
useradd --user-group -G www-data --shell=/usr/bin/mysecureshell --home=/sites/david-favor/fs.davidfavor.com/wordpress david

# Set a random/strong password
echo david:yF8auTQQ5OpK2DlsYIprVCE79ZK8eP23 | chpasswd

# Now add an ACL for the new david user...
# Which allows access to all existing directories/files.
# Automagically adds the david ACL to any files created by Apache or any other SFTP user.
setfacl -Rm d:u:david:rwX,u:david:rwX /sites/david-favor/fs.davidfavor.com/wordpress


10) At this point, you can create any other new user + all their ACLs will allow file sharing between Apache + all SFTP users.
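Added example, not part of the answer above: a check for the one failure mode this ACL layout is prone to. On Linux, running chmod on a path that carries an ACL rewrites the ACL mask from the new group bits, so a later chmod 750 or 755 can cut an SFTP user's effective rights to r-x even though the user:david:rwx entry is still listed. The function name acl_gaps and the sample getfacl output are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `getfacl DIR` output on stdin and
# reports where USER lacks effective rwx, directly or via the default ACL.
acl_gaps() {
    awk -F: -v u="$1" '
        # Effective rights = entry ANDed with the mask, position by position.
        function eff(p, m,    i, out) {
            if (m == "") return p
            for (i = 1; i <= 3; i++)
                out = out (substr(m, i, 1) == "-" ? "-" : substr(p, i, 1))
            return out
        }
        { sub(/[ \t]*#.*$/, "") }     # strip headers and "#effective:" notes
        $1 == "user" && $2 == u                     { acc = $3 }
        $1 == "mask"                                { amask = $3 }
        $1 == "default" && $2 == "user" && $3 == u  { def = $4 }
        $1 == "default" && $2 == "mask"             { dmask = $4 }
        END {
            if (acc == "") print "access: no entry for " u
            else if (eff(acc, amask) != "rwx")
                print "access: " u " effective " eff(acc, amask) " (mask " amask ")"
            if (def == "") print "default: no entry for " u
            else if (eff(def, dmask) != "rwx")
                print "default: " u " effective " eff(def, dmask) " (mask " dmask ")"
        }'
}

# Constructed getfacl output for the wordpress directory; $1 is the access mask.
sample_acl() {
    cat <<EOF
# file: sites/david-favor/fs.davidfavor.com/wordpress
# owner: www-data
# group: www-data
user::rwx
user:www-data:rwx
user:david:rwx
group::r-x
mask::$1
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:david:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
EOF
}

# Mask r-x is what a chmod 750 or 755 on the directory leaves behind.
sample_acl r-x | acl_gaps david
```

On a live system the input would come from getfacl itself, for example `getfacl /sites/david-favor/fs.davidfavor.com/wordpress | acl_gaps david`.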

Daniele Brunengo (IT Consultant, Web Designer), author, commented:
Thanks a lot.

Believe it or not, that is almost exactly what I've been doing up until now.

I have been using setfacl to allow users to write to apache owned directories, and it works great.

I have a whole bunch of websites on this server, most built and managed only by me, and maybe 3 built and managed by other people.

One of said people has been a pain, so I started verifying if I was doing things right or not, permission and ownership wise.

While researching, I stumbled upon some discussion which seemed to underline how wrong my ownership settings were, most of all this one:

https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress

Then I read Wordpress' own page on the matter, and that added to the confusion:

Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user).

https://codex.wordpress.org/Changing_File_Permissions

That's the whole reason I started this thread.
Prabhin MP (DevOps Engineer) commented:
The default permission scheme should be:

Folders - 750
Files - 640


Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;



Check this link to learn more about wordpress security

Owen Rubin (Consultant) commented:
Nicely done David. I’m copying that down as a template next time I need to set up a system like this.

Prabhin, why do you specify 750 instead of 755, and 640 rather than 644? Curious to your reasoning, as I have always used the other.

Thanks
Daniele Brunengo (IT Consultant, Web Designer), author, commented:
I think 755 and 644 are fine. I have a script running overnight which saves to text files all folders and files with wrong permissions. I only keep wp-config.php to 600 if I remember correctly. The script also checks that and fixes permissions for wp-config.php and renames all install.php to .bak.
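One way to write the nightly audit described in the comment above, as an added example that is not the poster's script. The function name wp_audit, the report line format and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. wp_audit and the report line
# format are hypothetical names chosen for this illustration.

# wp_audit ROOT REPORT
#   Reports directories that are not 755 and files that are not 644,
#   sets every wp-config.php to 600, renames every install.php to
#   install.php.bak, then prints the number of report lines.
#   Keep REPORT outside ROOT so the report itself is not scanned.
wp_audit() {
    root=$1
    report=$2
    : > "$report"

    # Rename first so the permission scan sees the final file names.
    find "$root" -type f -name install.php -print |
    while IFS= read -r f; do
        mv -- "$f" "$f.bak" && printf 'RENAMED %s\n' "$f" >> "$report"
    done

    # wp-config.php is the one file fixed in place rather than reported.
    find "$root" -type f -name wp-config.php ! -perm 600 -print |
    while IFS= read -r f; do
        chmod 600 -- "$f" && printf 'FIXED   %s\n' "$f" >> "$report"
    done

    # Exact-mode tests: anything other than 755 / 644 is listed, not changed.
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR     /' >> "$report"
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print |
        sed 's/^/FILE    /' >> "$report"

    wc -l < "$report" | tr -d ' '
}

# Run as: sh wp_audit.sh /path/to/wordpress /var/log/wp_audit.txt
if [ "$#" -eq 2 ]; then
    wp_audit "$1" "$2"
fi
```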
Owen Rubin (Consultant) commented:
Thanks. That script is a great idea BTW.
Daniele Brunengo (IT Consultant, Web Designer), author, commented:
Thanks for the help. I'm happy I was already using good settings. Still trying to understand why some people are so against giving ownership to Apache though.
Daniele Brunengo (IT Consultant, Web Designer), author, commented:
Oh if anyone wants to have a look at the WP scripts I run on the server, just ask.