A Reasonably Secure WordPress Directory Permission Setup

This article was last updated on June 13, 2015, more than a year ago. If its content no longer works, please let me know. Thank you!

Search keywords:

  • wordpress directory permission setting
  • wordpress directory permission setting site:stackoverflow.com

Reference links:

Reference answers:

Create a dedicated user for running WordPress (usually the same user the web server, Apache/Nginx, runs as, e.g. www);

This is how I do it (change the stuff within brackets to your environment):

==

Here are the correct file permissions for WordPress:

To set correct permissions you need to use these commands:

Depending on your server configuration you may put your wp-content on 775. This permission will allow your group to write in this folder. Why add group permissions? Because in WordPress, you can have two users working on files, the www-data user (who executes the website) and the ftp user (who downloads plugins and updates from the web platform WordPress). You can put your wp-content on 755 but you have to make www-data the owner of this folder and do your updates manually via FTP.

EDIT with ManuelSchneid3r’s answer

Source: http://www.electronicworkplace.com/latest-updates/wordpress-correct-permissions-for-files-and-folders

You may be interested in this one too: http://codex.wordpress.org/Hardening_WordPress

==

Owner and Permission Settings for WordPress Directories/Processes under the LNMP Stack

Search keywords:

  • lnmp wordpress start user
  • lnmp wordpress start user permission

Reference links:

Reference answers:

Web servers such as Apache/Nginx should be started as a low-privilege user (e.g. www);

But a web root such as "/var/www" should be owned by root; only the specific files/directories that genuinely need to be modified (e.g. the themes and plugins directories) may have their owner changed to www (644).

Another approach is:

Create a new group, and change the ownership of the /var/www to root:group. Add all users that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group. (Create a new group group_name, set the owner of "/var/www" to root:group_name, and add every user who needs to publish to that group; also set the setgid bit on the directory so that members of the group have write access.)

==

So, should the www-data user be the owner of /var/www?

Why is the apache process run by www-data, but the /var/www owned by root? Is there some risk to making www-data own the folder and run the process?

Your web server is running as www-data. If apache has the ability to write to /var/www and you have configured something incorrectly, or you're running a buggy web application, or apache itself has an exploitable bug, then an evil person on the Internet would be able to write things to /var/www. Whenever possible you should always give service accounts the least privileges they need to operate.

Is there something even better than the two solutions I've seen?

Create a new group, and change the ownership of the /var/www to root:group. Add all users that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.
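The two answers quoted above (755/644 with a group-writable wp-content, and a root:group web root with the setgid bit) describe the same scheme; the script below is an added example that applies it to a web root and then audits the result. It is not code from the original post, from the quoted answers or from WordPress. It assumes the web server user (www or www-data) and any FTP/publishing users are already members of the group passed as the third argument; the group name "webpub" in the usage note is a placeholder, and the audit relies on GNU find's `-perm /mode` syntax.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the ownership/permission
# scheme quoted above: the whole web root owned by a privileged user and a
# publishing group, directories 755 and files 644 everywhere, and only the
# one subtree the web server must write to made group-writable with setgid.
# Assumption: the daemon user and the publishing users are members of $3.
set -eu

harden_webroot() {
    root="$1"       # web root, e.g. /var/www/wordpress (placeholder)
    owner="$2"      # privileged owner, normally root
    group="$3"      # publishing group that contains the daemon user
    writable="$4"   # subtree the daemon must write, e.g. wp-content/uploads

    # Read-only baseline: owner:group ownership, directories traversable (755),
    # files readable (644); no write bit for group or other anywhere.
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # The writable subtree: group write plus setgid on directories (2775) so
    # files created by any group member inherit the group; files become 664.
    find "$root/$writable" -type d -exec chmod 2775 {} +
    find "$root/$writable" -type f -exec chmod 664 {} +
}

# Audit: list anything outside the intended writable subtree that group or
# other could write to (GNU find). Returns 0 when nothing is found, 1 otherwise.
audit_webroot() {
    root="$1"
    writable="$2"
    stray=$(find "$root" -path "$root/$writable" -prune -o -perm /022 -print)
    if [ -n "$stray" ]; then
        printf 'writable outside %s:\n%s\n' "$writable" "$stray" >&2
        return 1
    fi
    return 0
}
```

Usage, as root: `harden_webroot /var/www/wordpress root webpub wp-content/uploads` and later `audit_webroot /var/www/wordpress wp-content/uploads` (for example from cron) to catch drift after plugin installs or manual uploads. Publishing users should also run with `umask 002`, as the quoted answer notes, so files they create are group-writable and the daemon can still update them.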

==

For 99.9% of situations the web pages should absolutely not be writable by the www daemon. This includes the www daemon owning the files or directories. I’ve found it to be very common for root to own the files/directories, 644/755.

If there’s an exploit of any kind, it’ll be more likely that your website can be modified, defaced, infected with malware, or any one of a hundred other scenarios when owned/writable by the daemon.

==

More search keywords:
  • wordpress plugin dir
  • nginx: master process www or root
  • php-fpm: master process www or root
  • modify nginx start user
Reference links:

==

Summary:
  1. Web containers such as Apache/Nginx should be started with low (or specifically limited) privileges; the common practice is to create a dedicated user, www, to start and manage the web container;
  2. The web directory is read-only: it is normally owned by root with permissions 755;
  3. For web directories that definitely need write access, the owner must be the same user the web container runs as, the permissions are set to 755, and the directory must be configured to forbid execution of dynamic scripts (PHP/JSP).
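Point 3 of the summary is enforced in the web server, not in the filesystem: a writable directory such as wp-content/uploads must never be handed to the PHP interpreter. The fragment below is an added example for an Nginx/php-fpm (LNMP) setup, not configuration from the original post; the server name, web root and php-fpm socket are placeholders.

```nginx
# Added example, not from the original post. Placeholders: example.com,
# /var/www/wordpress, /run/php-fpm.sock.
server {
    listen 80;
    server_name example.com;
    root /var/www/wordpress;
    index index.php;

    # Regex locations are tried in order of appearance, so the writable
    # subtree is matched first and any script-looking file there is refused,
    # whatever its permissions on disk.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|php5|phar)$ {
        deny all;
    }

    # Normal PHP handling for the read-only part of the site.
    location ~ \.php$ {
        try_files $uri =404;     # only pass files that really exist to php-fpm
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Test it after reloading by requesting a throwaway `.php` file placed in uploads: the expected answer is 403, and the same file requested from wp-admin/ still executes. Apache users get the equivalent with a `<FilesMatch "\.php$">` block that denies access inside the uploads directory.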

==

I only recently heard that the FreeBuf forum database was dumped o(╯□╰)o

It reminded me of lake2's article 捻乱止于河防 that I read a while ago; although it is about enterprise security, it also offers good lessons for personal information security:

1. How do you protect your accounts on other websites after one website's database is dumped?

To stop "unscrupulous" vendors who don't care about security from "voluntarily" handing our account passwords to the hackers and thereby compromising our accounts on other sites, a good approach is: use a different password for every site, and passwords of different strength for sites of different importance (this keeps things convenient while staying secure). Never use the same password on every site, or the tragedy of "a thousand-mile dike destroyed by an ant hole" may really happen.

2. If a webshell has been uploaded to the site, how do you minimize the damage and prevent further privilege escalation?

Minimize the web container's privileges && strictly restrict the web directory permissions (not writable, or writable but not executable).

Notice: unless otherwise stated, articles on ixyzero.com are original; when reposting, please credit this article with a link to its address. Thank you!
https://ixyzero.com/blog/archives/2190.html

8 comments on "A Reasonably Secure WordPress Directory Permission Setup"

  1. [Early Warning] WordPress Stored XSS Vulnerability Threat Advisory
    http://blog.nsfocus.net/wordpress-xss-vulnerability/
    https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html

    A WordPress installation is affected when the following conditions are met:
    1. The vulnerability requires that the comment or message feature is in use;
    2. Any account on a WordPress installation with the bbPress plugin, as long as it has posting capability (no account is needed if anonymous posting is allowed).

    When these conditions are met, all such WordPress installations are at risk. WordPress has officially released version 4.8.2 to fix this vulnerability.
