I am running an Ubuntu based Linux/Nginx/MariaDB/PHP (LEMP), server with my Wordpress installation in the root account at /var/www/example.com/. My Wordpress is running as the www-data user, and Nginx is also running as the www-data:www-data user/group.
In my initial setup of Wordpress, I first changed the ownership of the root Wordpress directory to the Nginx user (www-data) recursively (and arguably insecurely) with the following command:
sudo chown www-data:www-data /var/www/example.com/ -R
This effectively gives the Nginx user ownership of all of my Wordpress files and folders.
Next, (as recommended by the “hardening-wordpress” guide) I change (chmod) the permissions of all folders to 755, and all files to 644.
sudo find /var/www/example.com/ -type d -exec chmod 755 {} \;
sudo find /var/www/example.com -type f -exec chmod 644 {} \;
In the Wordpress “Changing File Permissions” article, it says that secured permissions for the wp-config.php file are 600. However, in the “hardening-Wordpress” guide, it says that secured permissions for wp-config.php files are 400 or 440 (i.e. it generally means a 400 or 440 permission). Which is it and does it depend on who owns wp-config.php and who owns the rest of the Wordpress files?
It doesn’t say if files ownership for wp-config.php should be www-data:www-data, root:root, root:www-data, or www-data:root. The hardening guide and change file permissions guide have no mention of proper ownership for the Wordpress files, and the wp-config.php/.htaccess files. They only discuss permissions, not ownership.
This leaves things confusing to me. To experiment with my specific configuration (everything owned by www-data:www-data so far), I have tried the following to secure my important Wordpress file such as wp-config.php:
EX:1
sudo chown root:root wp-config.php
sudo chmod 400 wp-config.php
This breaks my wordpress installation and give me a blank white screen when I navigate to my homepage.
EX:2
sudo chown root:root wp-config.php
sudo chmod 444 wp-config.php
This successfully allows me to see my wordpress homepage, and seems to work.
EX:3
sudo chown root:root wp-config.php
sudo chmod 404 wp-config.php
This also successfully allows my wordpress installation to work and I can get to the homepage just fine. However, It also indicates that in order for Wordpress to work, it needs the wp-config.php file to allow world readable permissions. WHY IN THE WORLD IS THAT? Isn’t that insecure? Shouldn’t www-data be the only user that should be able to read this file?
To prove this theory of "world readable permissions required", I proceeded to example 4.
EX:4
sudo chown root:root wp-config.php
sudo chmod 004 wp-config.php
These permissions with root ownership still allow my Wordpress installation to work, even though the group root can’t read/write/execute, and the user root can’t read/write/execute.
Next, I tried something different to understand how group permissions are used.
EX:5
sudo chown root:www-data wp-config.php
sudo chmod 040 wp-config.php
Again, with the group being owned by www-data, and giving www-data read permissions only, this allowed my Wordpress installation to work as well. My homepage works just fine with this configuration. This seems like it might be the winner for the most secure permissions/ownership configuration. But I’m not sure I fully understand what the “Group” access allows with these permissions. Can the group www-data override the user root in this configuration by any means? Can Wordpress, or my root user write to this file? If not (which I assume is what the permissions dictate), then why can I edit this file with nano using my root account on linux? For example, If a file has ---------- (no permissions whatsoever) permissions on it, then why can my root user use the nano editor to access and write to this file? Shouldn’t ---------- permissions lock the file into the operating system permanently and render it immutable because according to the permissions set, nobody is allowed to access or change it? I’m not sure I fully understand or grasp how the root account can override permissions for files that have limited permissions, and I’m not sure the repercussions of giving wp-config.php group access to www-data, and user access to root.
Could someone please explain to me how all of this works, by answering some of these questions, and the with all things considered with my setup (LEMP SERVER with Nginx running as www-data:www-data), could you please recommend what user ownership/ group ownership/permissions, I should be using on my wp-config.php, .htaccess, and then the rest of my Wordpress directories, for my setup to be as restricted and secure as possible without impacting the usability of Wordpress itself?
Thanks for any explanations, examples, and gained understanding.
