Hello, was wondering about the file permissions Wordpress needs. I see in the documentation that it should be 755 for directories an 644 for files.
Here is my question:
If you plan to host multiple Wordpress sites on a machine, and each site has it’s own shell, ftp, mysql-db and user. I seem to have problems with the site permissions because if you set the permissions to what is recommended and set the owner to $user:www-data you can not modify themes/plugins and so on from the Wordpress site itself you get write permission error. You will need to do it manually through ftp. Changing the permissions to 775 will solve the problem, because then www-data group have write permissions.
Does anyone know the best practice to accomplish this? If you just use 755 and change the owner to www-data then the local user does not have permission to edit anything.
So to sum up:
Create account for each site: ssh/ftp/mysql User1 $home = /home/user1 (site root)
Set up site in sites-enabled (apache) this is not an issue.
Correct permissions to /home/user1 so that you can update and install plugins from Wordpress site?
First of all I would set the site root to another directory inside their home directory, e.g.
Setting the site root to their home directory could give HTTP access to some user settings and files that you wouldn’t want publicly accessible.
The owner should be www-data for WordPress, adding files, plugins, etc is all recommended to be done through the WordPress frontend so that should be fine.
Create ACLs that give user1 read/write/traverse permissions to /home/user1/public_html but leave ownership to www-data. This can be done with:
setfacl -m 'u:user1:rwx' /home/user1/public_html
Thanks for the reply. Off course it is beater to use public_html, the above was just an example directory. Sorry about that, hehe
Here is a picture of different options, i’ve never worked with ACL before. So do you have any comment on the way i’m doing things now?
If the way you’re doing it now works, you could keep doing that but adding each user to www-data can get messy with group permissions. In your second scenario yes, inherently with their group each user could access other users’ folders and files.
I think ACLs are your best bet, but I don’t know the exact nature of your deployment and how you’re trying to scale this. Are you essentially trying to give each user their own virtual private WordPress webserver, or are these users within an organization? Reason I ask is if it’s supposed to be virtual private space, you may want to set it up so that users can’t even see other users folders if they were to list directories. But if it’s within an organization it shouldn’t matter too much if the other users know who else has sites. You can achieve this with ACLs.
Viritual private wordpress accounts is what i am trying to achive. I guess i need to do some reading about ACL
Each account does not have anything to do with the other.
This could help you out as far as privacy between filesystem accounts goes.
Do you host WordPress in VPS or a shared environment?
If you have a VPS… securing Wordpress via file permission is easy.
On our server, we run php-fpm and we have a separate pool for each user.
Then we set directory 750 and file 640 to user:www-data. as far as ftp goes, we don’t have ftp server. We use sFTP instead.
This way, when the user sFTP, they can change all they want… the web server user has read-only access.
pubic_htmp must be set to 755 for this to work.
Hope this help.