Warning

This article is in process of being written by Tin.

Install PHP

Install the PHP Packages

...

Save the file and open it in a browser. You can use either the IP address or the valid domain name, for example http://173.194.75.94/info.php or http://www.dailyplanet.com/info.php, which should show the purple and grey PHP information screen. Remove info.php once you have confirmed PHP works: phpinfo() discloses the server's configuration, module versions and filesystem paths to anyone who can reach the URL.

Secure PHP

The measures below are written from an administrator's perspective for a shared-hosting setup, where several sites run on one server under the same web server process.

Panel

Determine whether this actually increases security - http://www.suphp.org/Home.html. suPHP and LiteSpeed make the most sense for shared hosting.

This thread indicates that suPHP is slow because it runs PHP as a CGI. One poster instead recommends using what mod_php already provides - http://serverfault.com/questions/279938/should-i-use-suphp-or-mod-php-for-shared-hosting. In the same thread another poster recommends mpm-itk, http://mpm-itk.sesse.net/, which allows each vhost to run under its own uid and gid.

A good discussion of file permissions, reaching the same conclusion I was coming to (use the www-data group) - http://unix.stackexchange.com/questions/30879/what-user-should-apache-and-php-be-running-as-what-permissions-should-var-www

Probably the most complete, but also the most complex, solution is to use ACLs - http://serverfault.com/questions/339948/user-permissions-for-both-apache-and-local-user/357977

...

php.ini for WordPress

Edit php.ini to restrict the files PHP scripts may open to specific directories. The path below is the php.ini for the Apache module (mod_php); on Debian and Ubuntu the CGI and CLI SAPIs read their own copies under /etc/php5/cgi/ and /etc/php5/cli/, so if PHP runs as a CGI (for example under suPHP) edit that file instead.

Code Block
sudo vi /etc/php5/apache2/php.ini

Restrict PHP File Access to Specific Folders

Search for the open_basedir line and modify it to include the directories set up for WordPress, separated by colons:

Code Block
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://php.net/open-basedir
open_basedir = /opt/www.dailyplanet.com/www/blog/:/opt/www.lexcorp.com/www/blog/

This limits the damage a compromised PHP application can do to the listed directories: file functions such as fopen(), include and file_get_contents() fail for paths outside them. Two caveats: keep the trailing slash on each entry, because a bare path is treated as a prefix (/opt/www.dailyplanet.com/www/blog would also admit /opt/www.dailyplanet.com/www/blog2), and remember that open_basedir only governs PHP's own file functions, not commands started with exec() or system(), so it is a damage limiter rather than a hard security boundary.

Note

I'm considering a simpler directory approach with one top-level folder for WordPress. Does separating the directories actually provide more protection? With a single global open_basedir list like the one above, no: PHP code running in either site can read and write files in the other, including its wp-config.php and database credentials. Separation only isolates the sites when each vhost gets its own open_basedir, for example with a php_admin_value open_basedir line in that vhost's Apache configuration instead of the global php.ini setting.

Select Temporary Folder

Because open_basedir has been set, WordPress no longer has access to the general temporary folder /var/tmp/ it expects, which is required for certain operations (for example uploading and installing plugins through the administrator web interface). WordPress looks up its temporary directory through get_temp_dir(), which falls back to PHP's upload_tmp_dir setting when WP_TEMP_DIR is not defined, so pointing upload_tmp_dir at a permitted directory fixes both file uploads and plugin installs.

Further modify php.ini by setting the upload_tmp_dir line. The directory you choose must be writable by the user PHP runs as (www-data here), should sit outside every site's document root so uploaded files cannot be requested over HTTP, and must itself be covered by open_basedir: the open_basedir list above does not include /opt/wordpress/tmp/, so add it there as well or the temporary directory will be refused like any other path outside the list.

Code Block
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).

...


; http://php.net/upload-tmp-dir
upload_tmp_dir = /opt/wordpress/tmp
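As an added consistency check for the two php.ini settings above (example code written for this page, not part of the original page, of PHP or of WordPress): the script reads open_basedir and upload_tmp_dir from a php.ini, flags any open_basedir entry without a trailing slash (a bare path is a prefix match, so /opt/site also admits /opt/site2), and flags a temporary directory that lies outside open_basedir, which is the case for the values exactly as written on this page. The two php.ini files it writes are constructed sample input built from the page's own paths, and the function names are mine.

```sh
#!/bin/sh
# Added consistency check for the open_basedir / upload_tmp_dir settings
# described on this page. Not part of the page, of PHP or of WordPress.

# ini_value FILE KEY: print the value of the first active "KEY = value" line.
# Lines commented out with ";" are skipped; surrounding double quotes are dropped.
ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# basedir_entries_ok VALUE: succeed only if every ":"-separated entry ends in "/".
# open_basedir treats "/opt/site" as a prefix (so /opt/site2 is allowed too);
# "/opt/site/" restricts PHP to that directory tree only.
basedir_entries_ok() {
    saved_ifs=$IFS; IFS=:
    for entry in $1; do
        case $entry in
            */) ;;
            *) IFS=$saved_ifs; return 1 ;;
        esac
    done
    IFS=$saved_ifs
    return 0
}

# path_in_basedir DIR VALUE: succeed if DIR lies inside one of the open_basedir entries.
path_in_basedir() {
    dir="${1%/}/"
    saved_ifs=$IFS; IFS=:
    for entry in $2; do
        case $dir in
            "$entry"*) IFS=$saved_ifs; return 0 ;;
        esac
    done
    IFS=$saved_ifs
    return 1
}

# check_php_ini FILE: print each problem found; exit status 0 only when both settings are consistent.
check_php_ini() {
    basedir=$(ini_value "$1" open_basedir)
    tmpdir=$(ini_value "$1" upload_tmp_dir)
    problems=0
    if [ -z "$basedir" ]; then
        echo "$1: open_basedir is not set; PHP may open any file the web server user can read"
        problems=1
    else
        if ! basedir_entries_ok "$basedir"; then
            echo "$1: an open_basedir entry lacks a trailing slash (prefix match, not directory match)"
            problems=1
        fi
        if [ -n "$tmpdir" ] && ! path_in_basedir "$tmpdir" "$basedir"; then
            echo "$1: upload_tmp_dir $tmpdir is outside open_basedir; uploads and WordPress temp files will fail"
            problems=1
        fi
    fi
    return $problems
}

# Constructed sample files (not real configs): the page's settings as written, and a corrected version
# that adds the temporary directory to open_basedir.
PAGE_INI=$(mktemp); FIXED_INI=$(mktemp)
trap 'rm -f "$PAGE_INI" "$FIXED_INI"' EXIT
cat > "$PAGE_INI" <<'EOF'
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /opt/www.dailyplanet.com/www/blog/:/opt/www.lexcorp.com/www/blog/
; upload_tmp_dir = /some/commented/out/value
upload_tmp_dir = /opt/wordpress/tmp
EOF
cat > "$FIXED_INI" <<'EOF'
open_basedir = /opt/www.dailyplanet.com/www/blog/:/opt/www.lexcorp.com/www/blog/:/opt/wordpress/tmp/
upload_tmp_dir = /opt/wordpress/tmp
EOF

check_php_ini "$PAGE_INI" || echo "page settings as written need fixing"
check_php_ini "$FIXED_INI" && echo "corrected settings are consistent"
```

Run it against the real file with `check_php_ini /etc/php5/apache2/php.ini` before restarting Apache; the check is deliberately limited to PHP's own file-function restriction and says nothing about what exec() or system() can reach.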

Make Changes Take Effect

Restart Apache for the changes to take effect; mod_php reads php.ini only when the server starts, so edits are not picked up until then.

...