Question to hosters about security?
I set up WordPress on my personal hosting, on a VPS. I am the admin, owner and webmaster myself. I saw on other hostings that the WordPress administrator can change theme files (header, for example), install and update plugins, upload photos. On my own hosting, this can be done only if you give the user on whose behalf Apache runs write permissions to some WordPress directories, incl. /wp-content/themes/. Which to me, as a person with sysadmin experience behind me, seems very unsafe. It is possible to run a web server exclusively for your own site and not share it with anyone, but for a hoster this is not an option.
There is a solution to this problem with suexec PHP, but they say that this slows down the site tenfold (at least 20, but there is an opinion that the visited site will simply fall down from such a load).
I don't know any other options. Are there really none? Friends working at commercial hosting companies say that they often rely on the reliability of the CMS (in particular, WordPress), and because of this, sites often break, most often through poorly written plugins.
Is everything really that bad?
I can't tell you anything about Apache, but on php-fpm + nginx I do this:
user = nginx
; $pool equals the group of the user in whose directory the site is stored
group = $pool
I also set up chroot.
With these settings, to write to the directory it is enough for us to set permissions to 775, i.e. only the user in whose directory the site lives will have access, and nginx sites will not be able to write.
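An added example (not code from the answer's author): a small Python model of the POSIX write check, showing what mode 775 combined with a per-site pool group allows and what it denies. The uids, gids and paths are constructed, and ACLs, root and chroot are deliberately left out of the model.

```python
import os
import stat

def can_write(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """POSIX write check for a non-root process: the first matching class decides."""
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def writable_paths(root, proc_uid, proc_gids):
    """Walk a real tree and list directories the given identity could write to."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        if can_write(st.st_mode, st.st_uid, st.st_gid, proc_uid, proc_gids):
            hits.append(dirpath)
    return hits

# Constructed sample data: two sites, each owned by its own user and group, mode 775.
NGINX_UID = 101  # assumed uid of the shared "nginx" account
SITES = {
    "/home/alice/site/wp-content/themes": (0o775, 1001, 1001),
    "/home/bob/site/wp-content/themes": (0o775, 1002, 1002),
}
# One pool per site: user = nginx, group = the site owner's group.
POOLS = {"alice": (NGINX_UID, {1001}), "bob": (NGINX_UID, {1002})}

def access_matrix(sites=SITES, pools=POOLS):
    """Map (pool, path) -> whether that pool's PHP workers could write there."""
    return {
        (pool, path): can_write(mode, uid, gid, puid, pgids)
        for pool, (puid, pgids) in pools.items()
        for path, (mode, uid, gid) in sites.items()
    }

if __name__ == "__main__":
    for (pool, path), ok in sorted(access_matrix().items()):
        print(f"{pool:6} {'WRITE' if ok else 'deny '} {path}")
```

Pointing `writable_paths` at a real document root with the pool's uid and gid lists every directory that pool's PHP workers can modify; a directory left at 777 shows up for every pool.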
Sorry, but where does the opinion that “suexec PHP” slows down the site by 20 times come from? PHP can work in 3 modes:
1. as an apache module (mod_php), then php runs as the same user as apache is running (your original version)
2. In FastCGI mode. And in terms of speed, php-fcgi is no slower than mod_php
3. In simple CGI mode. This is 10 times slower than mod_php, yes.
So, suexec can be used both for option (3) and for option (2). In case (2), that is, PHP launched as FastCGI plus suexec, you get a system in which each individual site can be run on behalf of and with the rights of a different account, but everything works under the same Apache. This is how many shared hostings work.
All it takes is apache, suexec, mod_fcgid and php built with fastcgi support.
suexec does not slow down the site twenty times, otherwise all sites would open for 10-20 seconds with it.
For normal technologies (python, ruby, java) there is the same uwsgi with emperor mode and tyrant mode. Each user then has a web server running under his own name. Well, plus the MPM mentioned above for apache.
Virtual shared (not VPS) hosting settings will be very different from hoster to hoster, because the qualifications and habits of administrators are different everywhere.
My current site with a fellow hoster, for example, is launched under one separate user and I can easily click the “update wordpress” button and in half a minute wordpress will update itself.
At my last job, also hosting, the ftp user and the apache user had different groups and I had to upload the distribution kit manually via ftp to the server.
A user in WP is, for the server, just a cookie, and you also need to climb into the database to check it. Of course, you can make a mod for the server that will look at a specific cookie, check and broadcast it in the database, then change the user for the request, but IMHO this is a perversion and unnecessary.
At home, I give access to wp-admin only for my IPs.
Plus, of course, all plugins are checked and often rewritten - you can put anything into the plugin, they write disgustingly.