Securing PHP-FPM For WordPress On Ubuntu
Overview
PHP-FPM uses resource or process pools that are owned by specific users and provide specific sets of permissions to do things on the server. When you first install PHP-FPM, it creates a default process pool where the default user (often named www-data) has read permissions for everything on the server. If you’re on a shared server and there are tons of www-data users, this is a potential security risk because it increases the chances that someone can get access to and read the files on your site.
Whenever I first set up a web server, one of the first things I do is create a new non-root user (e.g. supernifty) that I use to SSH into the box and get everything set up. Now I’m going to update the PHP-FPM config file to have that user run PHP-FPM rather than the default www-data user. This provides an additional layer of protection should a malicious user (anyone other than supernifty) gain access to the server – they wouldn’t be able to change anything because they won’t have the permission to.
The video walks you through the process outlined below.
Securing PHP-FPM
First, SSH into the server as your non-root user:
ssh -i ~/.ssh/supernifty supernifty@143.198.116.106 RETURN
To change the user running PHP-FPM, use the nano text editor to open the PHP-FPM config file:
sudo nano /etc/php/8.0/fpm/pool.d/www.conf RETURN
Update the pool name from www to your non-root user name (e.g. supernifty):
Before: [www]
After: [supernifty]
Update the user and group:
Before:
user = www-data
group = www-data
After:
user = supernifty
group = supernifty
Update the permissions for the unix socket:
Before:
listen.owner = www-data
listen.group = www-data
After:
listen.owner = supernifty
listen.group = supernifty
Then save the /etc/php/8.0/fpm/pool.d/www.conf file with CONTROL-O and RETURN, then exit the nano text editor with CONTROL-X.
Next, use the nano text editor to open the tempfiles.d config file:
sudo nano /usr/lib/tmpfiles.d/php8.0-fpm.conf RETURN
and update the user id (uid) and group id (gid) running PHP-FPM:
Before:
d /run/php 0755 www-data www-data - -
After:
d /run/php 0755 supernifty supernifty - -
and save the /usr/lib/tmpfiles.d/php8.0-fpm.conf file with CONTROL-O and RETURN, then exit the nano text editor with CONTROL-X.
Next, use the nano text editor to open the Apache environment variables file:
sudo nano /etc/apache2/envvars RETURN
and update the user and group Apache runs under:
Before:
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
After:
export APACHE_RUN_USER=supernifty
export APACHE_RUN_GROUP=supernifty
and save the /etc/apache2/envvars file with CONTROL-O and RETURN, then exit the nano text editor with CONTROL-X.
Then restart Apache so that all the new settings kick in:
sudo service apache2 restart RETURN
Next, lock down all the folder permissions nice and tight and make sure your user owns everything in the www directory:
sudo find /var/www/25monkeys.com/public_html/ -type d -exec chmod 755 {} \; RETURN
sudo find /var/www/25monkeys.com/public_html/ -type f -exec chmod 644 {} \; RETURN
sudo chown -R supernifty:supernifty /var/www/ RETURN
and if you have WordPress installed, it’s a good idea to lock down the wp-config.php file too:
sudo chmod 644 /var/www/25monkeys.com/public_html/wp-config.php RETURN
To confirm that the new permissions are working properly, run the following command to create a test file:
sudo echo 'testing permissions' > /var/www/25monkeys.com/public_html/test.html RETURN
and then open https://25monkeys.com/test.html in a web browser. If you already have WordPress installed, you can also test the permissions by uploading a file in the Media section of the administrative area.
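Opening test.html in a browser confirms the site still serves, but it does not show whether every file edited above actually agrees on the new user. The POSIX shell script below is an added audit helper, not part of the original post or of PHP-FPM/Apache; it re-reads the pool file, the tmpfiles.d entry and the Apache envvars, checks that all of them name the same dedicated user (assumed here to be supernifty, as in the walkthrough), and counts docroot entries whose mode is not the 755/644 set by the find commands. The configuration files it reads are constructed copies written to a temporary directory so the script runs offline; on a real host, call the check_* functions against /etc/php/8.0/fpm/pool.d/www.conf, /usr/lib/tmpfiles.d/php8.0-fpm.conf, /etc/apache2/envvars and your public_html directory instead.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Verifies that the PHP-FPM
# pool, the tmpfiles.d entry, and the Apache envvars all name the dedicated
# user, and that docroot modes match the 755 (dirs) / 644 (files) layout.

# pool_value FILE KEY: print the value of "KEY = value" from an ini-style pool file
pool_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dot in listen.owner etc.
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_pool FILE USER: succeed only if user, group, listen.owner, listen.group are all USER
check_pool() {
    rc=0
    for key in user group listen.owner listen.group; do
        got=$(pool_value "$1" "$key")
        [ "$got" = "$2" ] || { echo "pool: $key = '$got', expected $2"; rc=1; }
    done
    return $rc
}

# check_tmpfiles FILE USER: the "d /run/php ..." line must give USER as both uid and gid
check_tmpfiles() {
    set -- "$1" "$2" $(grep '^d[[:space:]]*/run/php' "$1")
    # after set --: $3 = d, $4 = /run/php, $5 = mode, $6 = uid, $7 = gid
    [ "$6" = "$2" ] && [ "$7" = "$2" ] && return 0
    echo "tmpfiles: /run/php owned by '$6:$7', expected $2:$2"
    return 1
}

# check_envvars FILE USER: APACHE_RUN_USER and APACHE_RUN_GROUP must both be USER
check_envvars() {
    rc=0
    for var in APACHE_RUN_USER APACHE_RUN_GROUP; do
        got=$(sed -n "s/^export ${var}=//p" "$1" | head -n 1)
        [ "$got" = "$2" ] || { echo "envvars: $var = '$got', expected $2"; rc=1; }
    done
    return $rc
}

# count_bad_modes DIR: number of directories not 755 plus files not 644 under DIR
count_bad_modes() {
    { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# make_samples DIR: constructed "before" (stock www-data) and "after" copies of the
# three files, plus a small docroot with one deliberately over-permissive file
make_samples() {
    d=$1
    mkdir -p "$d/before" "$d/after" "$d/docroot/wp-content"
    printf '[www]\nuser = www-data\ngroup = www-data\nlisten = /run/php/php8.0-fpm.sock\nlisten.owner = www-data\nlisten.group = www-data\n' > "$d/before/www.conf"
    printf '[supernifty]\nuser = supernifty\ngroup = supernifty\nlisten = /run/php/php8.0-fpm.sock\nlisten.owner = supernifty\nlisten.group = supernifty\n' > "$d/after/www.conf"
    printf 'd /run/php 0755 www-data www-data - -\n' > "$d/before/php8.0-fpm.conf"
    printf 'd /run/php 0755 supernifty supernifty - -\n' > "$d/after/php8.0-fpm.conf"
    printf 'export APACHE_RUN_USER=www-data\nexport APACHE_RUN_GROUP=www-data\n' > "$d/before/envvars"
    printf 'export APACHE_RUN_USER=supernifty\nexport APACHE_RUN_GROUP=supernifty\n' > "$d/after/envvars"
    : > "$d/docroot/index.php"
    : > "$d/docroot/wp-config.php"
    chmod 755 "$d/docroot" "$d/docroot/wp-content"
    chmod 644 "$d/docroot/index.php"
    chmod 777 "$d/docroot/wp-config.php"   # too loose on purpose, so the mode check finds it
}

# Stand-alone demonstration on the constructed samples
tmp=$(mktemp -d)
make_samples "$tmp"
for stage in before after; do
    echo "== $stage =="
    check_pool "$tmp/$stage/www.conf" supernifty && echo "pool: ok"
    check_tmpfiles "$tmp/$stage/php8.0-fpm.conf" supernifty && echo "tmpfiles: ok"
    check_envvars "$tmp/$stage/envvars" supernifty && echo "envvars: ok"
done
echo "docroot entries with loose modes: $(count_bad_modes "$tmp/docroot")"
rm -rf "$tmp"
```

The "before" stage reports the stock www-data values in all three files, the "after" stage reports ok for each, and the mode count is 1 until wp-config.php is brought back to 644. Running the same checks against the real paths after a reboot is a quick way to catch a package upgrade that has restored the stock www.conf or tmpfiles.d entry.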
With PHP-FPM 8.0 properly secured, it’s time to install WP-CLI for WordPress administration from the command line.