DIY Super Secure WordPress on a VPS


Want secure wordpress for next to nothing…? (except a bit of work and understanding of course…) Read on!

I highly recommend any tech-minded website owner get familiar with how to run their own vps for hosting. As a musician I’ve noticed that the skills are the same as for building custom synths/recording appliances etc with single board computers (ie knowing your way around a linux OS). And with a vps you can do all your email marketing, automate a ton of stuff and handle your security far more effectively than you could under standard shared hosting.

It’s the security aspect that I’m going to focus on here in this article. WordPress sites used to be so simple – you just install it – blog stuff – maybe do your own custom theme if you’re clever. And you really could just leave it on one version of wordpress for the entire lifecycle of the site. You’d probably build another one before you needed to upgrade it!

Not so anymore. On the positive side, more features become available very rapidly these days. On the negative side security has become a running battle. There are teams of coders out there it seems writing robots that trawl the net for sites with security vulnerabilities. Once found these sites are infiltrated and usually end up posting up links to spam sites trying to sell you the usual viagra, debt consolidation, even (hilariously I think) seo…

Hence there are now expensive pieces of software like Wordfence, iThemes Security, Sucuri… the list goes on. I have my opinions on which I would choose right now if I didn’t have a vps – but over time their different approaches and levels of effectiveness wax and wane according to conditions. If you have a vps/cloud server for your wordpress for some of the other reasons above then it seems to me logical that you should use that power to mimic their functionality and hence take control of your own security.

Essentially there are four main areas of security in a wordpress site:
1) Keep your site as up to date as possible – wordpress core, theme and plugin versions. This is a topic for another article…
2) Login security – if someone wants to log in, ideally there should be some kind of two factor protection – also for another article (simple to achieve by the way)
3) Some kind of firewall – the open source approach is to use the mod_security php module. This is also a subject for another article!
4) Intelligent file permissions – this is what we’re going to focus on here today – and honestly if I could only have one out of these 4 it’d definitely be this one….

If your file permissions are set up right then wordpress literally CANNOT modify itself without your consent as the system admin (ie to install plugins, alter core/plugin files, do upgrades etc). If this is the case then one VERY major way that viruses/malware can infiltrate your site has been completely neutralised by design.

The concept is simple in the abstract but can be a little tricky to actually apply. Broadly we divide wordpress files into two types:

  • Everyday usage files – mainly this means images/videos and other media files. Note that this also includes files plugins create as part of their daily processing.
  • Site code files – basically this means the wordpress core files and the plugins/themes of your site.

We’re going to use the advanced permissions of a vps to create a situation where the first category can be modified as normal (ie you can upload media to your site and plugins can manipulate their own files as needed) but where your site can literally NEVER modify anything that comes into the second category UNLESS you personally as admin enter a password (or supply a private RSA key if you prefer).

We’re going to achieve this by having php-fpm run the site as one user (the php user) and having a second user that handles the actual files via sftp. The sftp user will also have read/write access to files created by the php user, since it will belong to the php user’s group.

Therefore to begin with we’re going to set our vps to:

  # umask is a shell builtin (no sudo): it only lasts for the current session,
  # so put it in the shell profile of both users and repeat it in any scripts
  umask 002

This means that group write permissions are set for newly created files. So our sftp user (site code files, category 2 from above) will be able to read/write the php user’s files from category 1, since the sftp user is a member of the php user’s group. (Notice that vice versa is NOT the case: the php user cannot do anything with the sftp user’s files apart from read them.)

Then you will need to set up the two users (mysite-sftp for the sftp one and mysite-fpm for the php one):

  mkdir -p /media/mydisk/
  mkdir -p /media/mydisk/
  chmod 700 /media/mydisk/
  touch /media/mydisk/
  chmod 644 /media/mydisk/
  mkdir -p /media/mydisk/
  chmod 700 /media/mydisk/
  touch /media/mydisk/
  chmod 644 /media/mydisk/
  useradd -d /media/mydisk/ -s /bin/bash mysite-fpm
  useradd -d /media/mydisk/ -s /bin/bash mysite-sftp
  passwd mysite-sftp

Make the sftp user a member of the php user’s group (the group created by useradd for mysite-fpm):

  usermod -aG mysite-fpm mysite-sftp

We will need apache/mysql/php-fpm set up so:

  ### Installing LAMP and other utilities
  apt update
  apt install -y apache2 mariadb-client mariadb-server php7.3-fpm php7.3-curl php7.3-gd php7.3-mbstring php7.3-mysql php7.3-xml php7.3-zip pwgen certbot zip unzip exim4
  ### Apache mods
  a2enmod proxy_fcgi setenvif ssl rewrite
  a2dismod -f autoindex
  systemctl restart apache2
  apache2ctl configtest
  # MySQL
  echo '<mysql root pass enter one here!>' > /root/mysql.pass

Add php-fpm config:

  touch /etc/apache2/sites-available/
  cat > /etc/apache2/sites-available/ << EOF
  <VirtualHost *:80>
      DocumentRoot /media/mydisk/
      <Directory /media/mydisk/>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride All
          Require all granted
      </Directory>
      CustomLog /var/log/apache2/mydisk.access.log combined
      ErrorLog /var/log/apache2/mydisk.error.log
      # hand every .php request to the site's own php-fpm pool over its unix socket
      <FilesMatch \.php$>
          SetHandler "proxy:unix:/var/run/php7.3-mysite-fpm.sock|fcgi://localhost"
      </FilesMatch>
  </VirtualHost>
  EOF
  # enable the new site file with a2ensite (same file name) before reloading apache
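The vhost above proxies PHP to a php-fpm socket, but the pool that creates that socket and actually runs PHP as mysite-fpm is the other half of the setup. The following is an added example, not from the original article: a shell function that writes such a pool file, assuming Debian’s php7.3-fpm layout (/etc/php/7.3/fpm/pool.d/), Apache running as www-data, and the socket name from the SetHandler line; the process-manager and open_basedir values are my assumptions to adjust to your own layout.

```shell
#!/bin/sh
# Write a php-fpm pool for one site so its PHP runs as <site>-fpm, not www-data.
# Added example (not the article's code). Assumes Debian's php7.3-fpm, pool dir
# /etc/php/7.3/fpm/pool.d and Apache as www-data. Usage:
#   write_fpm_pool /etc/php/7.3/fpm/pool.d mysite && systemctl reload php7.3-fpm
write_fpm_pool() {
    pooldir=$1 site=$2
    cat > "$pooldir/$site.conf" << EOF
[$site]
; run this site's PHP as its own user/group (the php user from the article)
user = $site-fpm
group = $site-fpm
; must match the SetHandler line in the Apache vhost
listen = /var/run/php7.3-$site-fpm.sock
; only Apache (www-data on Debian) may connect to the socket
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; assumption: modest on-demand pool for a small VPS
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
; assumption: confine PHP file access to the site disk and the temp dir
php_admin_value[open_basedir] = /media/mydisk:/tmp
EOF
}
```

Because the pool runs as mysite-fpm and the socket is 0660 www-data, Apache can pass requests in but PHP itself never has www-data's or the sftp user's identity.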

It’s a bit more complicated for SSL… Ping me if you’ve got an https site and I’ll try to post something…

And reload apache and php-fpm:

  /etc/init.d/apache2 reload
  /etc/init.d/php7.3-fpm reload

Then to get this sucker over the line we’re also gonna need wp cli:

  curl -O
  chmod +x wp-cli.phar
  sudo mv wp-cli.phar /usr/local/bin/wp

Get wp core, set up your db with mysql, then set wp to use that db:

  su - mysite-sftp
  cd ../public/
  wp core download --path=/media/mydisk/ --locale=en_GB
  # create the db user and database as mysql root (the SQL lines run inside the mysql shell)
  mysql -u root -p<Rootpassword>
  CREATE USER mysite@'localhost' IDENTIFIED BY '<mypass>';
  GRANT ALL PRIVILEGES ON `mysite_%`.* TO `mysite`@`localhost`;
  CREATE DATABASE `mysite_wpdev`;
  # back in the shell as mysite-sftp: point wp at that db and install (--url and --admin_email are required by wp core install)
  wp config create --dbname=mysite_wpdev --dbuser=mysite --dbpass='<mypass>' --path=/media/mydisk/
  wp core install --url=<site url> --title=SITE_TITLE --admin_user=myuser --admin_password=mypassword --admin_email=<admin email> --path=/media/mydisk/

Then run this permissions script:

  #!/bin/bash
  #### Script is used after setting up the environment via the steps above
  ### change the path to the disk as appropriate
  diskpath=/media/mydisk
  umask 002
  #### INPUT
  echo "Enter website (domain) for which you want to edit permissions and ownership  (example:"
  read website
  echo "Enter handle/prefix for the existing SFTP user who has ownership over $website files (eg mysite):"
  read user
  #### Ownership and permissions set
  ## Basic ownership: everything belongs to the sftp user, except the php user's own home dir
  chown -R "$user-sftp:$user-sftp" "$diskpath/$website/"
  chown -R "$user-fpm:$user-fpm" "$diskpath/$website/$user-fpm/"
  ## wp-content ownership: php user owns it, then the code dirs (languages, mu-plugins, plugins, themes, upgrade) go back to sftp
  chown -R "$user-fpm:$user-fpm" "$diskpath/$website/public/wp-content/"
  chown -R "$user-sftp:$user-sftp" "$diskpath/$website/public/wp-content/languages/"
  chown -R "$user-sftp:$user-sftp" "$diskpath/$website/public/wp-content/mu-plugins/"
  chown -R "$user-sftp:$user-sftp" "$diskpath/$website/public/wp-content/plugins/"
  chown -R "$user-sftp:$user-sftp" "$diskpath/$website/public/wp-content/themes/"
  chown -R "$user-sftp:$user-sftp" "$diskpath/$website/public/wp-content/upgrade/"
  ## Permissions on folders and files: core 755/644, wp-content group-writable 775/664
  find "$diskpath/$website/public/" -type d -exec chmod 755 {} \;
  find "$diskpath/$website/public/" -type f -exec chmod 644 {} \;
  find "$diskpath/$website/public/wp-content/" -type d -exec chmod 775 {} \;
  find "$diskpath/$website/public/wp-content/" -type f -exec chmod 664 {} \;
  chmod 775 "$diskpath/$website/public/wp-content/"
  echo "Finished."

In a nutshell this makes the wp core files and the plugin/theme files sftp-user files, and wp-content’s immediate contents plus the uploads folder php-user files. If something goes wrong – run this script again and it’ll put it right.

Lastly use wp-cli to install this plugin:

  su mysite-sftp
  wp plugin install ssh-sftp-updater-support --activate

Total genius! This thing is an absolute godsend. Had it not existed I’d probably have written it eventually.

Phew – still with me?:) Now the fun part – use cases:

  • media uploads – try it! When you ls -ltr your uploads/2020/01 directory (or whatever the date of your upload was) you should see something like this:
      -rw-rw-rw- 1 mllorg-fpm mllorg-fpm 674870 Mar  1 09:43 preamp.jpg
      -rw-rw-rw- 1 mllorg-fpm mllorg-fpm  11597 Mar  1 09:43 preamp-225x300.jpg
      -rw-rw-rw- 1 mllorg-fpm mllorg-fpm   5426 Mar  1 09:43 preamp-150x150.jpg
      -rw-rw-rw- 1 mllorg-fpm mllorg-fpm  89359 Mar  1 09:43 preamp-768x1024.jpg
      -rw-rw-rw- 1 mllorg-fpm mllorg-fpm 202460 Mar  1 09:43 preamp-1152x1536.jpg

    …which means your files are created by the php user (mllorg-fpm) but modifiable by both the php user and the sftp user (mllorg-sftp), because the sftp user is a member of the php user’s group.

    On the other hand if you were to ls -ltr in the regular site root dir you’d see this:

      -rw-r--r--  1 mllorg-sftp mllorg-sftp  4764 Mar 21  2020 wp-trackback.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp 19120 Mar 21  2020 wp-settings.php
      drwxr-xr-x 20 mllorg-sftp mllorg-sftp 12288 Mar 21  2020 wp-includes
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  2898 Mar 21  2020 wp-config-sample.php
      drwxr-xr-x  9 mllorg-sftp mllorg-sftp  4096 Mar 21  2020 wp-admin
      -rw-r--r--  1 mllorg-sftp mllorg-sftp 19935 Mar 21  2020 license.txt
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  3150 Mar 21  2020 xmlrpc.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp 31112 Mar 21  2020 wp-signup.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  8483 Mar 21  2020 wp-mail.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp 47597 Mar 21  2020 wp-login.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  3326 Mar 21  2020 wp-load.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  2504 Mar 21  2020 wp-links-opml.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  3955 Mar 21  2020 wp-cron.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  2283 Mar 21  2020 wp-comments-post.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp   369 Mar 21  2020 wp-blog-header.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  6939 Mar 21  2020 wp-activate.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  7368 Mar 21  2020 readme.html
      -rw-r--r--  1 mllorg-sftp mllorg-sftp   420 Mar 21  2020 index.php
      -rw-r--r--  1 mllorg-sftp mllorg-sftp  2888 Jan 12 13:23 wp-config.php
      drwxrwxr-x  6 mllorg-fpm  mllorg-fpm   4096 Mar  1 09:37 wp-content

    These files are *only* modifiable by the mllorg-sftp (SFTP) user and NOT by the mllorg-fpm (PHP) user, since mllorg-fpm is NOT a member of the mllorg-sftp (SFTP) group! In fact the permissions script sets files so that they are not group-writable when they are SFTP files – but even if your sftp app does something different, or some plugin (with your permission…) does something different while modifying files, it won’t be a problem. You could set all those group write flags to true and the mllorg-fpm (PHP) user that your plugins, theme and wordpress use in execution would still never be able to write to those files, as that user does not belong to the right group. And no-one and nothing is stupid enough to set global write permissions:)

  • plugin/theme/core update – use that genius ssh-sftp-updater plugin we installed earlier to install plugins/update etc – literally just enter your sftp user’s name/password and it’ll get on with it! Cool huh? I’d like to see a piece of malware do that…
  • File changes for custom editing – use the sftp user
  • WP CLI – use the sftp user if it’s a core/plugin/theme related command. Use the php user if it’s media related. Use either if it’s just doing db queries. If you get tangled up just run the initial permissions script again to reset everything
  • er… that’s it… Your site is now uber-secure!
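As an added check that is not part of the original article: a shell function that audits the layout the permissions script and the ls listings above describe. It treats everything outside wp-content, plus the wp-content dirs the script hands back to the sftp user (languages, mu-plugins, plugins, themes, upgrade), as site code that must not be owned by the php user, group-writable in the php user’s group, or world-writable, and flags anything under wp-content that is world-writable (such as the -rw-rw-rw- files in the uploads listing above, which a 777 uploads directory produces). Assumes GNU or BSD find and that the php user exists.

```shell
#!/bin/sh
# Audit the two-user layout. Added example, not the article's own script.
# Returns 0 when clean, 1 (and prints the offending paths) otherwise.
# Assumes GNU or BSD find (-uid/-gid/-path); paths must not contain spaces.
audit_wp_perms() {
    root=$1 fpm=$2
    fu=$(id -u "$fpm") fg=$(id -g "$fpm")
    # wp-content dirs that hold code and are chowned to the sftp user by the script
    code_dirs="$root/wp-content/languages $root/wp-content/mu-plugins $root/wp-content/plugins"
    code_dirs="$code_dirs $root/wp-content/themes $root/wp-content/upgrade"
    bad=$( {
        # core tree: wp-content itself is pruned and handled separately below
        find "$root" -path "$root/wp-content" -prune -o \
            \( -uid "$fu" -o \( -gid "$fg" -perm -020 \) -o -perm -002 \) -print
        # plugin/theme code inside wp-content: same rule as core
        find $code_dirs \
            \( -uid "$fu" -o \( -gid "$fg" -perm -020 \) -o -perm -002 \) -print 2>/dev/null
        # uploads and other php-owned data: only world-writable is a problem
        find "$root/wp-content" -perm -002 -print
    } | sort -u )
    if [ -n "$bad" ]; then
        printf 'NOT CLEAN - writable by %s or by everyone:\n%s\n' "$fpm" "$bad"
        return 1
    fi
    echo "clean: $root"
}
```

Run it as root after the permissions script (for example `audit_wp_perms /media/mydisk/.../public mysite-fpm`) and again whenever an update or plugin has touched the tree; a non-zero exit is your cue to rerun the script.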

Actually there’s one more thing you can do… You can set the .htaccess of the wp-content and uploads directories so that php files there can never be executed. Just in case someone puts a php file somewhere (your php user can modify stuff there, remember):

  <Files "*.php">
      # apache 2.4 syntax; "deny from all" is the old 2.2 form (still works via mod_access_compat)
      Require all denied
  </Files>

You could even add the .htaccess ownership to your permissions script, so that no one could modify the .htaccess and then execute php:

  chown mysite-sftp:mysite-sftp wp-content/uploads/.htaccess
  chown mysite-sftp:mysite-sftp wp-content/.htaccess

This article, for a few hrs work if you know what you’re doing, has just given you top notch security included in the price of your VPS. A bit crazy this is on a musician’s site and not a general webdev one, right? But why shouldn’t we musicians have top notch systems?

Fact is I went through hell being hacked finding this out so feels good to share…

Let me know how you get on. My web development business uses a system similar to this in production and we and our clients love it!

Next article I’ll get back to something more musical – my raspberry pi based sample player!