<p><em>Source: https://ixyzero.com/blog/archives/2190.html (ixyzero.com blog, post 2190), published 2015-06-13. Categories: knowledgebase, linux, security. Tags: apache, lnmp, nginx, wordpress.</em></p>
<h1>A relatively safe WordPress directory permission setup</h1>
<p><strong>Search keywords:</strong></p>
<ul>
<li>wordpress directory permission setting</li>
<li>wordpress directory permission setting site:stackoverflow.com</li>
</ul>
<p><strong>Reference links:</strong></p>
<ul>
<li><a href="http://stackoverflow.com/questions/19887366/what-are-the-suitable-permissions-for-wordpress-on-a-vps">http://stackoverflow.com/questions/19887366/what-are-the-suitable-permissions-for-wordpress-on-a-vps</a> #<strong>Nice</strong></li>
<li><a href="http://stackoverflow.com/questions/17338381/definitive-wordpress-folder-permissions">http://stackoverflow.com/questions/17338381/definitive-wordpress-folder-permissions</a></li>
<li><a href="http://codex.wordpress.org/Changing_File_Permissions">http://codex.wordpress.org/Changing_File_Permissions</a></li>
<li><a href="http://www.devsaran.com/blog/setting-right-permissions-protect-your-wordpress-website">http://www.devsaran.com/blog/setting-right-permissions-protect-your-wordpress-website</a></li>
<li><a href="http://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress">http://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress</a> #<strong>Nice</strong></li>
<li><a href="http://codex.wordpress.org/Hardening_WordPress">http://codex.wordpress.org/Hardening_WordPress</a> #<strong>Nice</strong></li>
<li><a href="http://www.smashingmagazine.com/2014/05/08/proper-wordpress-filesystem-permissions-ownerships/">http://www.smashingmagazine.com/2014/05/08/proper-wordpress-filesystem-permissions-ownerships/</a></li>
</ul>
<p><strong>Reference answers:</strong></p>
<p>Add a dedicated user for the WordPress installation (usually the same user the web container, Apache/Nginx, runs as, e.g. <code>www</code>);</p>
<p>This is how I do it (change the stuff within brackets to your environment:)</p>
<pre>$ cd [wordpress_install_folder]
$ chown -R [webuser]:[mygroup] .     # "." rather than "*" so dot-files such as .htaccess are included
$ chmod -R g+w .                     # the web user owns everything, your group may write as well
$ chown root:root wp-config.php      # the DB credentials file is taken away from the web user
$ chmod 644 wp-config.php            # rw-r--r--: readable by the web user, and by every other local account</pre>
<p>==</p>
<p>Here is the correct file permissions for WordPress:</p>
<p>To set correct permissions you need to use these commands:</p>
<pre>chown www-data:www-data -R .		# Let apache be owner ("." also covers dot-files such as .htaccess)
find . -type d -exec chmod 755 {} \;	# Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \;	# Change file permissions rw-r--r--</pre>
<p>Depending on your server configuration you may put your wp-content on 775. This permission will allow your group to write in this folder. Why add group permissions? Because in wordpress, you can have two users working on files, the www-data user (who executes the website) and the ftp user (who downloads plugins and updates from the webplatform wordpress). You can put your wp-content on 755 but you have to make www-data the owner of this folder and do your updates manually via FTP.</p>
<p>EDIT with ManuelSchneid3r's answer</p>
<p>Source: <a href="http://www.electronicworkplace.com/latest-updates/wordpress-correct-permissions-for-files-and-folders">http://www.electronicworkplace.com/latest-updates/wordpress-correct-permissions-for-files-and-folders</a></p>
<p>You may be interested in this one too: <a href="http://codex.wordpress.org/Hardening_WordPress">http://codex.wordpress.org/Hardening_WordPress</a></p>
<p>==</p>
<p><strong>Owner and permission settings for the WordPress directory and processes under an LNMP stack</strong></p>
<p><strong>Search keywords:</strong></p>
<ul>
<li>lnmp wordpress start user</li>
<li>lnmp wordpress start user permission</li>
</ul>
<p><strong>Reference links:</strong></p>
<ul>
<li><a href="http://serverfault.com/questions/261144/good-wordpress-directory-structure-permissions-lnmp">http://serverfault.com/questions/261144/good-wordpress-directory-structure-permissions-lnmp</a></li>
<li><a href="http://serverfault.com/questions/206638/running-nginx-should-wordpress-files-be-set-to-www-data-or-root-or">http://serverfault.com/questions/206638/running-nginx-should-wordpress-files-be-set-to-www-data-or-root-or</a></li>
<li><a href="http://serverfault.com/questions/150903/nginx-should-all-files-served-by-owned-by-www-data">http://serverfault.com/questions/150903/nginx-should-all-files-served-by-owned-by-www-data</a></li>
<li><a href="http://serverfault.com/questions/362142/who-should-own-the-web-root-of-my-server">http://serverfault.com/questions/362142/who-should-own-the-web-root-of-my-server</a></li>
<li><a href="http://serverfault.com/questions/69685/what-user-should-own-var-www-on-ubuntu-9-04-server">http://serverfault.com/questions/69685/what-user-should-own-var-www-on-ubuntu-9-04-server</a> #Nice</li>
</ul>
<p><strong>Reference answers:</strong></p>
<p>Web servers such as Apache/Nginx <strong>should be started with low privileges</strong> (for example as <code>www</code>);</p>
<p>But a web root such as <code>/var/www</code> <strong>should be owned by root</strong>. Only the specific files and directories that genuinely have to be modified (the themes, plugins and similar directories) may have their owner changed to <code>www</code>, keeping the normal modes (directories 755, files 644).</p>
<p><strong>Another approach is:</strong></p>
<p>Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group. (That is: create a group <code>group_name</code>, set the owner of <code>/var/www</code> to <code>root:group_name</code>, add every user who needs to publish to that group, and set the setgid bit on the directory so that files created in it inherit the group; the group write permission itself comes from the users' umask.)</p>
<p>==</p>
<p>So, should www-data user be the owner of /var/www</p>
<p>Why is the apache process run by www-data, but the /var/www owned by root? Is there some risk to making www-data own the folder and run the process?</p>
<p>Your web server is running as www-data. If apache has the ability to write to /var/www and you have configured something incorrectly, or you're running a buggy web application, or apache itself has an exploitable bug, then an evil person on the Internet would be able to write things to /var/www. Whenever possible you should always give service accounts the least privileges they need to operate.</p>
<p>is there something even better than the two solutions I've seen?</p>
<p>Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.</p>
<p>==</p>
<p>For 99.9% of situations the web pages should absolutely not be writable by the www daemon. This includes the www daemon owning the files or directories. I've found it to be very common for root to own the files/directories, 644/755.</p>
<p>If there's an exploit of any kind, it'll be more likely that your website can be modified, defaced, infected with malware, or any one of a hundred other scenarios when owned/writable by the daemon.</p>
<p>==</p>
<h6>More search keywords:</h6>
<ul>
<li>wordpress plugin dir</li>
<li>nginx: master process www or root</li>
<li>php-fpm: master process www or root</li>
<li>modify nginx start user</li>
</ul>
<h6>Reference links:</h6>
<ul>
<li><a href="https://www.ibm.com/developerworks/community/blogs/TamanKeet/entry/tutorial_run_php_fpm_and_nginx_without_root_privileges_in_debian6">https://www.ibm.com/developerworks/community/blogs/TamanKeet/entry/tutorial_run_php_fpm_and_nginx_without_root_privileges_in_debian6</a></li>
<li><a href="http://serverfault.com/questions/263680/php-fpm-runs-php-scripts-as-root">http://serverfault.com/questions/263680/php-fpm-runs-php-scripts-as-root</a></li>
<li><a href="https://ma.ttias.be/a-better-way-to-run-php-fpm/">https://ma.ttias.be/a-better-way-to-run-php-fpm/</a></li>
<li>=</li>
<li><a href="http://www.cyberciti.biz/faq/howto-unix-linux-gracefully-reload-restart-nginx-webserver/">http://www.cyberciti.biz/faq/howto-unix-linux-gracefully-reload-restart-nginx-webserver/</a></li>
<li><a href="http://serverfault.com/questions/381954/running-nginx-as-non-root-user">http://serverfault.com/questions/381954/running-nginx-as-non-root-user</a></li>
<li><a href="http://serverfault.com/questions/431529/nginx-and-php-are-run-by-different-users-is-this-a-bad-idea">http://serverfault.com/questions/431529/nginx-and-php-are-run-by-different-users-is-this-a-bad-idea</a></li>
<li><a href="http://serverfault.com/questions/370337/run-nginx-as-a-non-root-user">http://serverfault.com/questions/370337/run-nginx-as-a-non-root-user</a></li>
<li><a href="http://unix.stackexchange.com/questions/134301/why-does-nginx-starts-process-as-root">http://unix.stackexchange.com/questions/134301/why-does-nginx-starts-process-as-root</a></li>
<li><a href="http://stackoverflow.com/questions/18004018/changing-the-user-that-ngingx-worker-processes-run-under-ubuntu-12-04">http://stackoverflow.com/questions/18004018/changing-the-user-that-ngingx-worker-processes-run-under-ubuntu-12-04</a></li>
<li>=</li>
<li><a href="http://serverfault.com/questions/433265/how-do-i-change-the-nginx-user">http://serverfault.com/questions/433265/how-do-i-change-the-nginx-user</a> #Nice</li>
</ul>
<p>==</p>
<h6>Summary:</h6>
<ol>
<li>Web containers such as Apache/Nginx should run with low (or purpose-specific) privileges; the usual practice is to create a dedicated user, <code>www</code>, to run and manage the web container. Note that the nginx master process still starts as root so that it can bind ports 80/443 and read its configuration; the <code>user</code> directive applies to the worker processes, and under LNMP it is the php-fpm pool's <code>user</code>/<code>group</code> that WordPress actually reads and writes files as, so that is the account the file permissions must be designed around.</li>
<li>The web directory is read-only: its owner is root, with directories set to 755 and files to 644. WordPress's built-in updater then cannot write to the code tree, so plugin, theme and core updates are applied manually with the privileged account.</li>
<li>For the web directories that genuinely need to be writable (for example <code>wp-content/uploads</code>), the owner must be the same user the web container (the php-fpm pool) runs as, with mode 755; at the same time the web server must be configured so that dynamic scripts (PHP/JSP) are never executed from those directories.</li>
</ol>
<p>==</p>
<p>I only recently heard that the FreeBuf forum's user database was dumped o(╯□╰)o</p>
<p>That reminded me of an article by lake2 that I read a while ago, <a href="http://security.tencent.com/index.php/blog/msg/68" target="_blank">捻乱止于河防</a> ("stop the rebellion at the river defenses"); although it is about enterprise security, it is also a very useful reference for personal information security:</p>
<h6>1. After one site has its database dumped, how do you keep your accounts on other sites safe?</h6>
<p>To stop some "unscrupulous" vendors who do not care about security from "helpfully" handing our account passwords to the hackers, and thereby compromising our accounts on other sites, a good approach is this: use a different password for every site, and passwords of different strength for sites of different importance (this keeps things secure while leaving some convenience); never use the same password on every site, otherwise the "thousand-mile dike destroyed by an ant hole" tragedy really can happen.</p>
<h6>2. If a webshell has been uploaded to the site, how do you minimize the damage and prevent further privilege escalation?</h6>
<p>Minimize the web container's privileges &amp;&amp; strictly restrict the web directory's permissions (not writable, or writable but not executable).</p>
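<p>The permission scheme from the summary, and the closing point about limiting what an uploaded webshell can do, as an added example that is not part of the original post or of any of the quoted answers: a POSIX shell script that applies the root-owned 755/644 baseline, hands only <code>wp-content/uploads</code> to the web user, restricts <code>wp-config.php</code>, and then audits the tree for what a compromised PHP process would abuse (world-writable or group-writable paths outside uploads, paths owned by the web user outside uploads, a world-readable <code>wp-config.php</code>, and script files inside uploads). The user name <code>www</code>, the directory layout and the fixture tree are assumptions; ownership changes need root and an existing <code>www</code> account, and without them the script applies the mode bits only and reports the ownership it would have set.</p>

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the layout from the summary:
#   - code tree owned by root, directories 755, files 644 (read-only for the web user)
#   - only wp-content/uploads owned by the web/php-fpm user (assumed "www"), still 755/644
#   - wp-config.php root:www 640, so only root and the web user can read the DB password
# chown needs root and an existing web user; otherwise only the mode bits are applied.
set -eu

WEB_USER="${WEB_USER:-www}"   # assumption: the php-fpm pool / nginx worker user

# Set ownership and mode bits on the WordPress install at $1.
apply_wp_perms() {
    wp="$1"
    if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1; then
        chown -R root:"$WEB_USER" "$wp"                            # everything root-owned, group = web user
        chown -R "$WEB_USER":"$WEB_USER" "$wp/wp-content/uploads"  # the one directory WordPress may write to
    else
        echo "skipping chown (needs root and user $WEB_USER): would set root:$WEB_USER, uploads -> $WEB_USER" >&2
    fi
    find "$wp" -type d -exec chmod 755 {} +   # rwxr-xr-x: owner may write, web user may traverse
    find "$wp" -type f -exec chmod 644 {} +   # rw-r--r--
    chmod 640 "$wp/wp-config.php"             # rw-r-----: DB credentials are not world-readable
}

# Record one audit finding (rc is shared with audit_wp_perms; sh functions have no local scope).
report() { echo "FINDING: $1"; rc=1; }

# Audit the install at $1: print every finding, return 1 if there were any.
audit_wp_perms() {
    wp="$1"
    rc=0
    # writable by "other": any local account, or any other web app on the box, can rewrite the site
    hits="$(find "$wp" -perm -002 -print)"
    [ -z "$hits" ] || report "world-writable: $hits"
    # group-writable outside uploads: a compromised PHP process in the web group could modify code
    hits="$(find "$wp" -path "$wp/wp-content/uploads" -prune -o -perm -020 -print)"
    [ -z "$hits" ] || report "group-writable outside uploads: $hits"
    # owned by the web user outside uploads (only checkable once that account exists)
    if id "$WEB_USER" >/dev/null 2>&1; then
        hits="$(find "$wp" -path "$wp/wp-content/uploads" -prune -o -user "$WEB_USER" -print)"
        [ -z "$hits" ] || report "owned by $WEB_USER outside uploads: $hits"
    fi
    # DB credentials readable by everyone
    hits="$(find "$wp/wp-config.php" -perm -004 -print)"
    [ -z "$hits" ] || report "wp-config.php is world-readable"
    # script files in the writable directory: the classic webshell drop location;
    # '*.php*' also catches double extensions such as shell.php.jpg
    if [ -d "$wp/wp-content/uploads" ]; then
        hits="$(find "$wp/wp-content/uploads" -type f \( -name '*.php*' -o -name '*.phtml' -o -name '*.phar' \) -print)"
        [ -z "$hits" ] || report "script files under uploads: $hits"
    fi
    return $rc
}

# Build a constructed, deliberately misconfigured WordPress-like tree (not a real
# install) under a temporary directory and print its path.
make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/plugins" "$d/wp-content/uploads/2015/06"
    printf '<?php define("DB_PASSWORD", "example");\n' > "$d/wp-config.php"
    printf '<?php /* index */\n' > "$d/index.php"
    printf 'not really a jpeg\n' > "$d/wp-content/uploads/2015/06/photo.jpg"
    printf '<?php /* planted marker standing in for a dropped webshell */\n' > "$d/wp-content/uploads/2015/06/shell.php"
    chmod 666 "$d/index.php"            # world-writable code file
    chmod 775 "$d/wp-content/plugins"   # group-writable code directory
    chmod 644 "$d/wp-config.php"        # world-readable credentials
    echo "$d"
}

# Demo: run with "--demo" to see the audit before and after hardening the fixture.
if [ "${1:-}" = "--demo" ]; then
    d="$(make_fixture)"
    echo "== before =="; audit_wp_perms "$d" || true
    apply_wp_perms "$d"
    echo "== after (the planted script stays flagged until it is removed) =="; audit_wp_perms "$d" || true
    rm -rf "$d"
fi
```

<p>Running it on a real install (<code>apply_wp_perms /var/www/wordpress</code> as root, then <code>audit_wp_perms</code> from cron) gives the "not writable, or writable but not executable" split the post ends with, except for the second half: mode bits decide who may write, not whether php-fpm will execute a file, so the script-in-uploads check is a detection, and the actual execution block has to be done in the web server configuration.</p>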
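<p>The "writable but not executable" requirement from the summary, enforced at the web-server layer for the LNMP case, as an added example that is my configuration and not the post's or WordPress's own: an nginx configuration in which the workers run as the unprivileged user and anything under <code>wp-content/uploads</code> that looks like a script is refused before the PHP handler can see it. The paths, the <code>www</code> user and the php-fpm socket are assumptions. Order matters: nginx uses the first regular-expression <code>location</code> that matches, in file order, so the deny block must precede the general <code>\.php$</code> handler.</p>

```nginx
# Assumed path: /etc/nginx/nginx.conf
# The master process starts as root (to bind 80/443 and read this file); the
# worker processes drop to the unprivileged user named here.
user www www;

events { }

http {
    include mime.types;

    server {
        listen 80;
        server_name example.com;          # assumed
        root /var/www/wordpress;          # root-owned tree; only wp-content/uploads is owned by www
        index index.php;

        # 1. Uploads are data, never code: refuse script-looking names outright.
        #    The pattern is not anchored at the end, so it also catches double
        #    extensions (shell.php.jpg) and path-info forms (shell.php/x.jpg).
        location ~* ^/wp-content/uploads/.*\.(php|phtml|phar) {
            deny all;
        }

        # 2. Everything else ending in .php goes to the unprivileged php-fpm pool,
        #    but only if the file really exists: this stops /uploads/x.jpg/foo.php
        #    style requests from being executed when cgi.fix_pathinfo=1.
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # assumed socket; the pool behind it is configured with user = www, group = www
            fastcgi_pass unix:/run/php-fpm/www.sock;
        }

        # 3. Static files and pretty permalinks (falls back to index.php, which
        #    then matches block 2).
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
    }
}
```

<p>With this in place a file the web user managed to drop into <code>wp-content/uploads</code> is served as a 403 rather than executed, which is the point of making the writable directory non-executable; the same rule has to be repeated for every other directory the php-fpm user is allowed to write to.</p>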