Install PHP
Install the PHP Packages
sudo apt-get install php5
As of Ubuntu 12 (an maybe even earlier), the installer will automatically restart Apache2 for you.
Verify
Quickly verify that everything works by creating a php info file with your favourite editor,
sudo vi /var/www/info.php # On public site do not use such an obvious file name
Put in the following contents,
<?php phpinfo(); ?>
Save the file and browser to file using a browser. You can use either the IP Address or the valid Domain Name. For example, http://173.194.75.94/info.php or http://www.krypton.com/info.php which should show a purple and grey PHP informational screen.
Secure the PHP
The security posture is from an administrative perspective and with shared hosting.
Determine if this actually increases security - http://www.suphp.org/Home.html. suPHP and LiteSpeed make the most sense for shared hosting.
This article indicates that suphp is slow as it makes php run as a cgi. Instead a poster recommended using what is available with mod_php - http://serverfault.com/questions/279938/should-i-use-suphp-or-mod-php-for-shared-hosting. Along this thread another poster recommends, http://mpm-itk.sesse.net/ which allows vhosts to be run under different uid and gid.
A great discussion on using permissions, same conclusion I was coming to using www-data group - http://unix.stackexchange.com/questions/30879/what-user-should-apache-and-php-be-running-as-what-permissions-should-var-www
Probably the most complete but also complex solutions is to use ACLs - http://serverfault.com/questions/339948/user-permissions-for-both-apache-and-local-user/357977
Restrict the Execution of PHP to a Specific Folder
Using sudo, edit, vi /etc/php5/apache2/php.ini to only allow execution of php scripts in specific directories.
; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory ; or per-virtualhost web server configuration file. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. ; http://php.net/open-basedir open_basedir = /opt/www.krypton.com/www/blog/:/opt/www.earth.com/www/blog/
This helps minimizes the amount of damage that can be done in the event that the system is compromised to the specified directory.
Restart Apache for the changes to take effect,
sudo service apache2 restart
You will now find that php scripts will only run in the designated directories specified in php.ini.
Install MySQL
sudo apt-get install mysql-server
For the root administration database password, use the standard password algorithm based on the server name.
Secure MySQL
Still working this out - http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html
Connect PHP to MySQL
Install the necessary libraries so that PHP will be able to connect to MySQL.
sudo apt-get install php5-mysql
Create the Accounts in MySQL
Connect into MySQL,
mysql -u root -p
Enter the following MySQL commands,
CREATE DATABASE wpkryptondb; GRANT ALL PRIVILEGES ON wpkryptondb.* TO 'wpkryptonuser'@'localhost' IDENTIFIED BY 'password'; FLUSH PRIVILEGES; EXIT
Adjust the variables for your application.
wpkryptondb - Name of the database for the WordPress application instance. We use the domain name of the website.
wpkryptonuser - User account for accessing the database.
localhost - Address of the database server. In this example, the database is on the same server so use localhost.
password - Change to password using algorithm based on name of the website domain, in this case krypton.
Database Admins will not like granting all privileges. After the initial setup is done we will restrict to more minimal privileges.
Setup WordPress
Install WordPress
Using the target application account, in our case we will use serveradmin, download and install WordPress,
su - serveradmin cd ~ wget http://wordpress.org/latest.tar.gz tar -xvpf latest.tar.gz mv wordpress blog # We do not need to make the technology obvious. mv blog /home/www.krypton.com/www/
Setup File Permissions
Following along the lines of allow a specific user, in this case only serveradmin with help from a root enabled user can manage WordPress.
cd /opt/www.krypton.com/www/ sudo chown -R serveradmin:www-data ./cms/ # Only svradm can manage this site and we ensure the Apache www-data user can access the site sudo chmod -R o-rwx ./cms/ # No users except nobody and those belong to the group wgkrypton will be granted access.
...I may need to setup masking to maintain these permissions...
Configure WordPress
- Create config file for database access
- Set URL
- ...
Lock Down WordPress
WordPress and PHP simply due to the model is inherently insecure when compared to more Enterprise solutions.
As such the Bonsai Framework takes an administrator approach to managing and securing WordPress. It is strongly recommended to not use a co-hosting model for multiple clients that require privacy. This is especially problematic if clients are granted shell access. It becomes very complex to protect one client from gaining access to another client's WordPress data.
WordPress updates through the built in admin interface will fail unless the restrictions are relaxed. With this security approach, privileges must be temporarily be granted as part of the upgrade process.
Restrict WordPress Database Account
As part of good application security, the WordPress database account should only be granted minimal privileges.
Connect into MySQL,
mysql -u root -p
Enter the following MySQL commands,
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wpkryptonuser'@'localhost'; GRANT SELECT, INSERT, UPDATE ON wpkryptondb.* TO 'wpkryptonuser'@'localhost' IDENTIFIED BY 'password'; FLUSH PRIVILEGES; EXIT
Adjust the variables for your application.
wpkryptondb - Name of the database for the WordPress application instance. We use the domain name of the website.
wpkryptonuser - User account for accessing the database.
localhost - Address of the database server. In this example, the database is on the same server so use localhost.
password - Change to password using algorithm based on name of the website domain, in this case krypton.
Verify the changes took effect,
SHOW GRANTS FOR 'wpkryptonuser'@'localhost';
File Permissions
Adapted from the WordPress article Hardening WordPress we take the approach of creating accounts for select developers or release managers.
wp-config.php - holds the database password and should be locked down.
Covered on the Ubuntu WordPress guide, for automatic updates to occur, the folder and all its files and sub-folders must be owned by www-data with write access. I'm not sure we will take this approach. I think I'd rather update manually.
Repeat for the second instance.
FAQ
Why do some of the php5 installations say to use install libapache2-mod-php5?
No need, it is included with the php5 package.
What is the difference between the php5 and libapache2-mod-php5 packages?
Nothing I can see. It just looks like php5 is an overarching package name.
References
Setup
Ubuntu Server Documentation - https://help.ubuntu.com/12.04/serverguide/php5.html
Security
Has some ok details around suPHP - https://help.ubuntu.com/community/ApacheMySQLPHP#Installing_MYSQL_with_PHP_5
Some good notes on securing PHP from Symantec - http://www.symantec.com/connect/articles/securing-php-step-step
Start some good security practices for WordPress - http://www.howtospoter.com/web-20/wordpress/triple-p-of-total-wordpress-security
Wordpress discussion on permissions, based their recomendations for suPHP the community does not really understand permissions - http://codex.wordpress.org/Changing_File_Permissions
This restricts the php process to specific directories - http://help.godaddy.com/article/1616
At least by looks this looks like it may be a good guide to securing wordpress - http://wpsecure.net/basics/