
Securing PHP-FPM For WordPress On Ubuntu

Overview

PHP-FPM uses resource or process pools that are owned by specific users and provide specific sets of permissions to do things on the server. When you first install PHP-FPM, it creates a default process pool whose default user (often named www-data) has read permissions for everything on the server. If you’re on a shared server where many sites all run as www-data, this is a potential security risk because it increases the chances that someone can get access to and read the files on your site.

Whenever I first set up a web server, one of the first things I do is create a new non-root user (eg: supernifty) that I use to SSH into the box and get everything set up. Now I’m going to update the PHP-FPM config file to have that user run PHP-FPM rather than the default www-data user. This provides an additional layer of protection should a malicious user (anyone other than supernifty) gain access to the server – they wouldn’t be able to change anything because they won’t have the permission to.

The video walks you through the process outlined below.

Securing PHP-FPM

SSH into your web server:

ssh -i ~/.ssh/supernifty supernifty@143.198.116.106 RETURN

To change the user running PHP-FPM, use the nano text editor to open the PHP-FPM config file:

sudo nano /etc/php/8.0/fpm/pool.d/www.conf RETURN

Update the pool name from www to your non-root user name (eg: supernifty), replacing:

[www]

with:

[supernifty]

Update the user and group, replacing:

user = www-data

group = www-data

with:

user = supernifty

group = supernifty

Update the owner and group of the unix socket, replacing:

listen.owner = www-data

listen.group = www-data

with:

listen.owner = supernifty

listen.group = supernifty

Then save the /etc/php/8.0/fpm/pool.d/www.conf file with CONTROL-O and RETURN, then exit out of the nano text editor with CONTROL-X.

Next, use the nano text editor to open the tmpfiles.d config file:

sudo nano /usr/lib/tmpfiles.d/php8.0-fpm.conf RETURN

and update the user and group that own the /run/php socket directory, replacing:

d /run/php 0755 www-data www-data - -

with:

d /run/php 0755 supernifty supernifty - -

and save the /usr/lib/tmpfiles.d/php8.0-fpm.conf file with CONTROL-O and RETURN, then exit out of the nano text editor with CONTROL-X.

Next, use the nano text editor to open the Apache environment variables file:

sudo nano /etc/apache2/envvars RETURN

and update the user and group Apache runs under, replacing:

export APACHE_RUN_USER=www-data

export APACHE_RUN_GROUP=www-data

with:

export APACHE_RUN_USER=supernifty

export APACHE_RUN_GROUP=supernifty

and save the /etc/apache2/envvars file with CONTROL-O and RETURN, then exit out of the nano text editor with CONTROL-X.

Then restart Apache so that all the new settings kick in:

sudo service apache2 restart RETURN

Next, lock down all the folder permissions nice and tight and make sure your user owns everything in the www directory:

sudo find /var/www/25monkeys.com/public_html/ -type d -exec chmod 755 {} \; RETURN

sudo find /var/www/25monkeys.com/public_html/ -type f -exec chmod 644 {} \; RETURN

sudo chown -R supernifty:supernifty /var/www/ RETURN

and if you have WordPress installed, it’s a good idea to lock down the wp-config.php file too:

sudo chmod 644 /var/www/25monkeys.com/public_html/wp-config.php RETURN

To confirm that the new permissions are working properly, run the following command to create a test file (note that sudo only applies to echo here; the redirect that actually writes the file runs as your own user, which is exactly the permission being tested):

sudo echo 'testing permissions' > /var/www/25monkeys.com/public_html/test.html RETURN

and then open https://25monkeys.com/test.html in a web browser. If you already have WordPress installed, you can also test the permissions by uploading a file in the Media section of the administrative area.
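As an added example that is not part of the original post, here is a small bash script that applies the www.conf edits above with sed, verifies that all four identity directives (user, group, listen.owner, listen.group) name the new user, and lists any php-fpm workers that are not running as that user. It assumes the stock Ubuntu www.conf layout (one "key = value" directive per line, comments starting with ";"); the file path and the user name are parameters, so you can try it on a copy of the file before touching /etc.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: apply the pool-identity edits from
# www.conf with sed and verify them, then check which php-fpm workers actually run
# as the new user. FILE and USER are parameters so this can be tried on a copy first.
set -eu

# retarget_pool_conf FILE USER: point the pool name, user, group and socket
# owner/group at USER. Only uncommented directives at the start of a line change.
retarget_pool_conf() {
    local conf="$1" user="$2"
    sed -i \
        -e "s/^\[www\]$/[${user}]/" \
        -e "s/^user = .*/user = ${user}/" \
        -e "s/^group = .*/group = ${user}/" \
        -e "s/^listen\.owner = .*/listen.owner = ${user}/" \
        -e "s/^listen\.group = .*/listen.group = ${user}/" \
        "$conf"
}

# check_pool_conf FILE USER: return 0 only if every identity directive names USER;
# each mismatch is printed to stderr so a half-edited file is easy to spot.
check_pool_conf() {
    local conf="$1" user="$2" key val ok=0
    for key in user group listen.owner listen.group; do
        # awk compares whole fields, so ';user = ...' comment lines do not match
        val=$(awk -v k="$key" '$1 == k && $2 == "=" { print $3; exit }' "$conf")
        if [ "$val" != "$user" ]; then
            echo "$key = ${val:-<unset>} (expected $user)" >&2
            ok=1
        fi
    done
    return "$ok"
}

# fpm_workers_not_as USER: list php-fpm processes that are neither the root master
# nor USER. Compares numeric uids because ps truncates long user names.
fpm_workers_not_as() {
    local uid
    uid=$(id -u "$1")
    ps -eo uid=,comm= | awk -v u="$uid" '$2 ~ /^php-fpm/ && $1 != 0 && $1 != u'
}
```

The pool file is read by the php8.0-fpm service rather than by Apache, so restart it (sudo service php8.0-fpm restart) before running fpm_workers_not_as supernifty; an empty result means every worker process is running as the new user.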

With PHP-FPM 8.0 properly secured, it’s time to install WP-CLI for WordPress administration from the command line.