较为安全的WordPress目录权限设置


搜索关键字:

  • wordpress directory permission setting
  • wordpress directory permission setting site:stackoverflow.com

参考链接:

参考解答:

添加一个专门的用户用于WordPress的设置(一般情况下是和Web容器Apache/Nginx相同的用户,比如 www);

This is how I do it (change the stuff within brackets to your environment:)

$ cd [wordpress_install_folder]
$ chown -R [webuser]:[mygroup] *
$ chmod -R g+w *
$ chown root:root wp-config.php
$ chmod 644 wp-config.php

==

Here is the correct file permissions for WordPress:

To set correct permissions you need to use these commands:

chown www-data:www-data -R *		# Let apache be owner
find . -type d -exec chmod 755 {} \;	# Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \;	# Change file permissions rw-r--r--

Depending on your server configuration you may put your wp-content on 775. This permission will allow your group to write in this folder. Why add group permissions? Because in wordpress, you can have two users working on files, the www-data user (who executes the website) and the ftp user (who downloads plugins and updates from the webplatform wordpress). You can put your wp-content on 755 but you have to make www-data the owner of this folder and do your updates manually via FTP.

EDIT with ManuelSchneid3r’s answer

Source: http://www.electronicworkplace.com/latest-updates/wordpress-correct-permissions-for-files-and-folders

You may be interested in this one too : http://codex.wordpress.org/Hardening_WordPress

==

LNMP架构下WordPress目录/进程的属主权限设置

搜索关键字:

  • lnmp wordpress start user
  • lnmp wordpress start user permission

参考链接:

参考回答:

Apache/Nginx等Web服务器应该以低权限启动(比如:www);

但像 “/var/www” 这样的Web根目录的属主应该为root,只有对于那些特殊的需要进行修改的文件/目录(比如主题、插件……等目录)可以将属主修改为www(644)。

还有一种方式就是:

Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.(新建一个组group_name,将”/var/www”的属主设置为root:group_name,给所有需要进行发布的用户添加到这个组里面来;同时你需要设置一下文件夹的setgid位允许该组中的成员具有写权限)

==

So, should www-data user be the owner of /var/www

Why is the apache process run by www-data, but the /var/www owned by root? Is there some risk to making www-data own the folder and run the process?

Your web server is running as www-data. If apache has the ability to write to /var/www and you have configured something incorrectly, or your running a buggy web application, or apache itself has an exploitable bug, then an evil person on the Internet would be able to write things to /var/www. Whenever possible you should always give service accounts the least privileges they need to operate.

is there something even better than the two solutions I’ve seen?

Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.

==

For 99.9% of situations the web pages should absolutely not be writable by the www daemon. This includes the www daemon owning the files or directories. I’ve found it to be very common for root to own the files/directories, 644/755.

If there’s an exploit of any kind, it’ll be more likely that your website can be modified, defaced, infected with malware, or any one of a hundred other scenarios when owned/writable by the daemon.

==

更多搜索关键字:
  • wordpress plugin dir
  • nginx: master process www or root
  • php-fpm: master process www or root
  • modify nginx start user
参考链接:

==

总结:
  1. Apache/Nginx这些Web容器应该以低权限(或特定权限)启动,常见的做法就是新建一个专门的用户www用于启动/管理Web容器;
  2. Web目录只读,一般是将Web目录的属主设置为root,权限设置为755;
  3. 对于确定需要写入功能的Web目录,其属主需要和启动Web容器的用户一致,权限设置为755,同时设置目录禁止执行动态脚本(PHP/JSP)。

==

最近才听说FreeBuf论坛被拖库了o(╯□╰)o

想起之前看到过的lake2牛的文章——捻乱止于河防,虽说他讲的是企业安全,但是对于个人信息安全来说也有很好的借鉴意义:

1.如何防止某个网站被拖库之后你其它网站的账户安全?

为了防止某些不关心安全的“无良”商家将我们的账户密码“主动”提供给黑客同学而导致我们其他网站的账户受到影响,一个比较好的方法就是——不同的网站设置不同的密码,重要性不同的网站设置强度不同的密码(这主要是在保证安全的同时提供一些方便),千万不要所有网站设置相同的密码,否则真的就有可能发生“千里之堤毁于蚁穴”的悲剧。

2.如果网站被上传webshell了,如何将该危害降至最低,防止被进一步的提权?

最小化Web容器的权限 && 严格限定Web目录的权限(不可写 or 可写不可执行)。


《“较为安全的WordPress目录权限设置”》 有 10 条评论

  1. 【预警通告】WordPress 存储型XSS漏洞 威胁预警通告
    http://blog.nsfocus.net/wordpress-xss-vulnerability/
    https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html
    `
    满足以下条件时,WordPress的安装会受到影响:
    1、该漏洞需要使用具有评论或留言功能;
    2、使用带有bbPress插件的WordPress安装中的任何帐户,只要它具有发布功能(如果允许匿名发布,则不需要帐户)。

    当满足这些条件时,所有WordPress的安装都处于危险之中。目前WordPress官方已经发布4.8.2版本修复了该漏洞。
    `

  2. WordPress安全防护 你可以做这些事情
    https://themeforwp.net/archives/wordpress-security/
    `
    * 一个强大的管理员密码
    * 登陆次数限制
    * 修改登录地址
    * 保持WordPress最新版本
    * 不安装来源不明的主题插件
    * 网站防火墙
    * 定期备份站点

    如果能够做到以上几点,你的WordPress就已经很难被攻击了,其实如果没有第三方插件的话,WordPress本身还是非常安全的,只要做好备份,平常使用时完全不用担心。
    `

    十条关于 WordPress 安全性的小贴士 操作
    https://mp.weixin.qq.com/s/HaPAKZLvrVzRUftumMDrmA
    `
    1. 切换到 HTTPS
    2. 限制 MySQL 连接地址
    3. 使用强大的数据库凭据
    4. 使用强大的管理员帐户凭据
    5. 移动或保护 wp-config.php 配置文件
    6. 尽可能授予用户最低权限角色
    7. 限制 IP 地址访问
    8. 隐藏 WordPress 版本号
    9. 理智选择第三方插件和主题
    10. 定期更新 WordPress 和插件
    `

  3. Hardening WordPress(WordPress官方给出的加固方法)
    https://wordpress.org/support/article/hardening-wordpress/
    `
    What is Security?
    Security Themes
    Vulnerabilities on Your Computer
    Vulnerabilities in WordPress
    * Updating WordPress
    * Reporting Security Issues
    Web Server Vulnerabilities
    Network Vulnerabilities
    Passwords
    FTP
    File Permissions
    * Changing file permissions
    * Regarding Automatic Updates
    Database Security
    * Restricting Database User Privileges
    Securing wp-admin
    Securing wp-includes
    Securing wp-config.php
    Disable File Editing
    Plugins
    * Firewall
    * Plugins that need write access
    * Code execution plugins
    Security through obscurity
    Data Backups
    Logging
    Monitoring
    * Monitoring your logs
    * Monitoring your files for changes
    ** Goals
    ** General approaches
    ** Specific tools
    ** Considerations
    * Monitoring your web server externally
    Resources
    See Also
    `

回复 hi 取消回复

您的电子邮箱地址不会被公开。 必填项已用*标注