Database User
WordPress uses a single database user for all operations. For most functions the user only requires SELECT, INSERT, UPDATE and DELETE. For the automatic update feature to work, the user also requires CREATE and ALTER privileges. There is a caveat that some plugins may require other permissions.
Reference: Recommended database permissions for WordPress
wp-config.php
This is the main configuration file that stores database access credentials and salts used for user sessions and cookies. It should be protected. How that is to be done is often discussed and opinions vary.
Reference: Securing wp-config.php
Some options are to move wp-config.php up a directory, or at least out of the DocumentRoot; configure Apache not to serve the file; and restrict the file's permissions and give it appropriate ownership.
File ownership is also a matter of debate. One opinion is that the WordPress files should not be owned by the user that runs the web server (Apache HTTPD or Nginx) and that a separate user should own them. This leads to some potential conflicts. For example, if Apache HTTPD and php-fpm run as apache.apache but the files are owned by wpuser1 and wpgroup1, then for php-fpm to read wp-config.php the file's permissions must be changed to allow "other/public" read access. Alternatively, we can run HTTPD and php-fpm under the wpgroup1 group and keep 640 permissions on wp-config.php, but then all wp-config.php files, and potentially all of the WordPress installs, would have to use the same group.
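The ownership trade-off above can be checked on a live host. The following script is an added example, not part of the original page: it reports which permission class (owner, group or other) the php-fpm user falls into for a given wp-config.php and fails when the file is reachable through "other/public". The function names are hypothetical, and it assumes GNU stat with BSD stat as a fallback.

```shell
#!/bin/sh
# Added example: check how the php-fpm user reaches wp-config.php.
# Function names are hypothetical; assumes GNU stat, with BSD stat as fallback.

file_meta() {   # prints "MODE OWNER GROUP", e.g. "640 wpuser1 wpgroup1"
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# Prints the permission class the kernel applies to FPM_USER, or "none" when
# that class lacks the read bit. Classes are exclusive: an owner without read
# is denied even if group/other could read.
wp_config_access() {   # usage: wp_config_access FILE FPM_USER
    set -- "$1" "$2" $(file_meta "$1")      # $3=mode $4=owner $5=group
    m=$((0$3))                              # parse the mode as octal
    user_groups=$(id -Gn "$2" 2>/dev/null) || user_groups=""
    if [ "$4" = "$2" ]; then class=owner bit=$((m & 0400))
    else
        case " $user_groups " in
            *" $5 "*) class=group bit=$((m & 0040)) ;;
            *)        class=other bit=$((m & 0004)) ;;
        esac
    fi
    if [ "$bit" -ne 0 ]; then echo "$class"; else echo none; fi
}

# Returns 0 only when FPM_USER can read FILE and "other" has no access at all.
audit_wp_config() {    # usage: audit_wp_config FILE FPM_USER
    access=$(wp_config_access "$1" "$2")
    meta=$(file_meta "$1")
    rc=0
    if [ "$access" = none ]; then
        echo "FAIL: $2 cannot read $1 ($meta)"; rc=1
    fi
    if [ $((0${meta%% *} & 0007)) -ne 0 ]; then
        echo "FAIL: $1 grants access to other/public ($meta)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $2 reads $1 as $access ($meta)"; fi
    return "$rc"
}

# Stand-alone use: ./audit.sh /path/to/wp-config.php apache
if [ "$#" -eq 2 ]; then audit_wp_config "$1" "$2"; fi
```

With the page's example of files owned by wpuser1:wpgroup1 at mode 640, the audit passes only if the php-fpm user is a member of wpgroup1.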
What are we trying to protect against or secure?
Some hardening measures conflict with one another, so perhaps the question that needs to be answered specifically is: what are we trying to protect against or secure? The following is a non-exhaustive list of possibilities:
- If one site is compromised it should be isolated from others.
- Prevent exposure of passwords and salts to the public (e.g. contents of wp-config.php).
  - Could happen due to a bug or administrator misconfiguration.
- Users on the system should not have access to others' sites unless specifically authorized.
- Bugs, security vulnerabilities and errata that could expose sensitive data (keep software patched and as up to date as possible).
- Secure user login credentials and administrative functions (e.g. wp-admin, wp-login).
WordPress Updates
WordPress includes a mechanism to auto-update and/or update through the administrative interface.
- WordPress installation is owned by the same user or group (with write permissions).
- WordPress installation is owned by a separate user and group that is different from the user running Apache HTTPD and php-fpm.
  - FTP or SFTP credentials or keys are then required.
php-fpm
Note: Regarding use of a Unix socket or a network socket, see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0185. A Unix socket may have insecure default permissions, but Red Hat uses a network socket for its default configuration.
Uploads
In order for WordPress to upload content into the upload directory, that directory needs to be writable by the user running php-fpm. The upload directory can be moved outside of the wp-content directory with the following directive in wp-config.php.
Note that the uploads directory path cannot be absolute and is relative to the WordPress root. Reference: http://codex.wordpress.org/Editing_wp-config.php#Moving_uploads_folder.
Reference
Automatic WordPress Updates Using FTP/FTPS or SSH