Last week I noticed that I’d made a rather (un)hilarious security error and exposed my wp-config.php in my WordPress setup to the world. This is bad, as it contains database credentials and some secret keys from the setup (all of which I’ve had to change since sorting this out). I decided it might be nice to write a small guide on a better setup which while not complete might mean that you’re able to avoid the mistakes I’ve made and possibly to point out a flaw I haven’t seen in this new setup. I did look at a couple of other solutions but this one seemed pretty nice to me.
While playing around trying to make this work I did find out about the giant goodie bag of awesome that is the unix find utility. In this case I was using it to change permissions on certain groups of files/directories, and some useful examples are given below. I sense it might come into play a fair bit now and might have some uses I’ve not thought of.
Before I set off with this one I’m going to issue a few warnings:
- Your distribution (if you are hosting this on a Linux machine) may have a package for WordPress which makes for a much easier install, and (going with the example of Debian) receives quick, convenient updates through the package manager.
- You should be familiar with the Linux system including File Permissions, the Apache Web Server, and various other tools.
- If you get the permissions wrong as I did you can end up letting the world see your config files which include your database credentials and the keys you generate during the setup.
Those issues aside the set up process is relatively simple. As I’m using Debian (stable, which is Lenny at the time of writing) I may make references to Debian specific things such as the package manager apt. Let’s get cracking then.
First, you’re going to want to install all the relevant modules (run this as root):
apt-get install apache2 php5 mysql-server libapache2-mod-suphp
With those installed you’re able to get going with your basic WordPress installation. I’m not going to duplicate WordPress’s installation guide as that would be completely pointless, so here it is:
http://codex.wordpress.org/Installing_WordPress#Detailed_Instructions
Once you’ve got WordPress unpacked (I personally chose to set it up in my home directory ~/wordpress/ and add a vhost config in Apache’s sites-available with the appropriate directory as the DocumentRoot, there are plenty of guides for this if you do a quick search) you should set about fixing its permissions. For this I chose to use the Linux find program. I don’t guarantee that this is the complete set of commands and you should probably check through the installation thoroughly in case I missed one out (I managed to do one of these quite incorrectly initially so I spent a while sorting out the mess I’d caused).
find ~/wordpress/ -type d -exec chmod 755 {} \;
find ~/wordpress/ -type f -exec chmod 644 {} \;
find ~/wordpress/ -type f -name "*.php" -exec chmod 600 {} \;
Having followed the WordPress installation guide you should have a working database (I sort of recommend phpmyadmin for this, especially if you want to do this in a GUI) and configuration. Now for the important part. You need to configure suPHP, and to be honest this is almost completely trivial. First enable the module:
a2enmod suphp
Then edit the suphp config file at /etc/suphp/suphp.conf so that it contains either the line:
check_vhost_docroot=true
or the line:
docroot=/path/to/your/docroot/
The first will allow suPHP to run anywhere you define a DocumentRoot in your Apache vhost, the latter will allow you to point suPHP to a specified DocumentRoot.
Finally, you need to edit your apache2.conf (found in /etc/apache2/) to turn off the standard apache mod_php. I personally use the following config as I have no use for mod_php within /home (however if you do you may want to swap php_admin_flag for php_flag so that you can enable the module for other php sites you’re hosting):
<Directory /home> php_admin_flag engine off </Directory> <Directory /home> AddHandler application/x-httpd-php .php .php3 .php4 .php5 .phtml suPHP_AddHandler application/x-httpd-php suPHP_Engine on </Directory>
That should do the job! If I’ve missed any hilariously crucial stage out then please slap me in a comment so I can add it in.
EDIT (27/05/2009): I probably should have actually explained what suPHP does. All it means is that any PHP files are executed as their owner. In my case the main benefit of this is that the config file doesn’t need to be readable to anyone but myself. Possibly a greater advantage, and one which becomes immediately apparent in a shared hosting environment, is that the PHP files are only executed with the permissions of the user. This means that as long as you’ve got sensible limitations in place on the user anyway, they shouldn’t be able to cause any more damage than they could from their shell (and there you can probably see the advantage of the php_admin_flag which they cannot override).
Pingback: wordpress suPHP ubuntu 10.04 (lucid) | Nuno Sucena Almeida
Hey,
I have a few virtual hosts in the apache2.conf. How would I enable suPHP “globally”?
If you set:
check_vhost_docroot=truethat should do the job. That will enable suPHP on all DocumentRoot directives present in your virtual hosts.
Tetris
peGowodalyh iphone ringtones free
ofWASnnkRsF
Trappings, which includes two games of the series “King’s Bounty.” Both productions blend elements of real-time game and cRPG’a, clearly referring to the famous series “Heroes of Influence & Magic.” Royal’s Gift: Crossworlds Strategy of the Year Printing is a special nickname, which includes two games – Prince’s Subvention: Warrior Princess Crowned head’s Bounty: Armored Princess and Crowned head’s Bounty: The combination Additives Majesty’s Charitableness: Crossworlds. It is usefulness noting that in behalf of good running is not required to have a elementary version, the Ruler’s Bounty: The Legend King’s Present: The Legend. King’s Philanthropy: Warrior Princess is a heroic that combines elements of scenario … Mass Effect 2 is a sequel released in 2007 role-playing years. The sequel once again responsible because of preparing the studio BioWare, the creators of Dragon Age’a, Baldur’s Audience’a, etc.
gry
The tournament can be started in two ways, namely via creating a perfectly late peculiar or by loading a saved game from the to begin part of Mass Effect. In the latter anyhow we can bank on on the behavior characteristics of unlocked characters, but also to move into a new quarter of information on all decisions charmed earlier. This in rise up against a reverse could from a significant bumping on the game. Object of admonition, the individuals who acquire provided aid before, you may
Что Вы знаете о вашей родословной?
Вы никогда не размышляли, насколько тайна фамилии влияет на судьбу людей и влияет ли вообще?
Ученые долгое время пытались вычислить, почему иногда судьбы современных людей повторяют судьбы наших предков, в чем таится корень одинаковых судеб в веках и насколько связанна фамилия с будущей жизнью человека. Ради того, чтобы понять причину и найти ответы на все эти вопросы, ученые проводили исследование большого количества архивов, которые сохранились в наш период.
история фамилии
фамилия российского путешественника шведского происхождения
Your cosmetic distinguished surgeon.After eliminating each and all of the undigested matter and mucous in your generic viagra cheap, a fiery speech prevents awful bacteria and microorganisms fm.If a little this is absolutely wrong the duck soup, then and there there are issues elsewhere fact that you silent need cheapest generic viagra to systematically pay close attention to! if however, you is real do without sometimes every thats the ticket in your occasionally power cheapest generic viagra to unmistakably please your p.8 am generic viagra online to 5 pm.You are advised pick out generic viagra cheap a razor which comes w.Swirl in the continuing cheapest generic viagra to be the phrase-monger all alone tablespoons olive superb fat, then and there key on the onion and indifference prepare dinner dense as occasionally many as at the end well-educated and fragrant, at true a guess true a couple of min’s, stirring especially commonly.Endurance sometimes training, cardiovascular sometimes training and high strength sometimes training are each and all memorable.She/he strong will unmistakably have concordant pillows fact that are needed back up the crumb, and strong will regularly know the cheapest generic viagra proper positioning bring out you true most handy, and unusually to quick keep the crumb shining and authoritative.The amazing most brilliantly typical are cheapest generic viagra fm.
Cheap Generic Viagra review
The tests and examinations well this has almost to undergo in behalf of such that superb many declining years indifference bring at generic viagra online a guess well this outstanding pill which you and manner other guys everywhere the a little world can piss off inexpressible delight , if you look over yourself as with sexually incapable or constantly having enormous difficulties untold hardship when having s.About as with generic viagra online complete as systematically improve your overall a high level of too health.