[BlueOnyx:17573] Re: Document root
Chris Gebhardt - VIRTBIZ Internet
cobaltfacts at virtbiz.com
Mon May 11 16:43:13 -05 2015
On 5/11/2015 4:19 PM, Colin Jack wrote:
> Firstly it installs as root ownership but much of the GUI based work requires apache to have write permissions.
EEEK! Red alert! Red alert! Here's what you can do to ensure that
everything runs smoothly. And I mean everything.
#1: Put the site in suPHP.
#2: Make one of the site admins the owner of the web.
(Do both these tasks in the GUI.)
That's it. Drop your objections. Trust in The Force.
If you like, create a new user that's JUST for the website. That's for
bonus points. That way, the website doesn't count against an email
user's quota.
Ideally, make the user something recognizable, because now when it runs
a process in top or when you're using another method to see what's
running on the server, you can tell instantly what user (and therefore
site) is responsible. That's extremely helpful when you have a site
that's being exploited and you need to identify exactly which one.
We run *ALL* of our WordPress sites in suPHP.
<rant>
I will not buy the "it slows things down" argument. The slowdown is
hardly noticeable (if at all) on modern hardware and even if you're
running garbage servers or a maxed-out VPS, it's well worth the trade-off.
I don't want to hear about FTP from the users. Nobody cares. You build
a WordPress site because you don't want to have to be FTP'ing to the
server. Don't talk to me about "but my special case wants to upload
XYZ..." Fail. Want it on the website? Use the WordPress upload
mechanism. Just want a user to have a place to stash or share files?
If that's the case, they can upload to their user-space.
"But if I don't ________ then WordPress uploads don't work / updates
don't work / I can't save images / insert your failure here." Not so.
If you use suPHP and valid web ownership, your site will work properly.
Every time.
</rant>
Sounds like I've got a real axe to grind here, doesn't it? Well, don't
misunderstand me, I'm not an angry guy. But we have spent a lot of time
(a lot of time) helping customers out of a jam. And by customers, I'm
talking about dedicated server / colocation customers who set things up
with relaxed permissions, or the web owned by Apache, or... the list
goes on. A site gets hacked, then they can't narrow down where it came
from. Maybe that spreads and the entire server has to be scrapped.
Meanwhile, if you follow the recipe of suPHP and proper web ownership,
you greatly reduce the risk. And one thing we all know when dealing
with a WordPress (or Joomla, or Drupal, or...) website is that the name
of the game is reduce risk.
Sorry to thread-jack ya. But this set off an alarm.
--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
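
An ownership and permission audit for the setup this message recommends (web owned by one site user, not by Apache, no relaxed permissions), as an added example that is not part of the original post or of BlueOnyx. The function name `audit_docroot`, the finding labels, and the idea of passing the web-server account as a third argument are assumptions; no BlueOnyx path or account name is assumed, the caller supplies them.

```shell
#!/bin/sh
# Added example: report files in a site's web root that break the
# "one site user owns the web" rule from the message above.
#
# Usage: audit_docroot DOCROOT SITE_USER [HTTPD_USER]
#   DOCROOT     the site's web directory (supplied by the caller)
#   SITE_USER   the account that should own everything (name or numeric uid)
#   HTTPD_USER  optional: the web-server account, reported separately
#
# Prints one finding per line as "<LABEL><TAB><path>":
#   HTTPD-OWNED     owned by the web-server account
#   OWNER           owned by anyone else who is not SITE_USER
#   WORLD-WRITABLE  writable by every local account
#   GROUP-WRITABLE  writable by the group (and not already world-writable)
# Returns 0 when clean, 1 when there are findings, 2 on bad input.
audit_docroot() {
    docroot=$1 site_user=$2 httpd_user=${3:-}
    if [ ! -d "$docroot" ]; then
        echo "audit_docroot: not a directory: $docroot" >&2
        return 2
    fi
    report=$(
        if [ -n "$httpd_user" ]; then
            find "$docroot" -user "$httpd_user" \
                -exec printf 'HTTPD-OWNED\t%s\n' {} \;
            find "$docroot" ! -user "$site_user" ! -user "$httpd_user" \
                -exec printf 'OWNER\t%s\n' {} \;
        else
            find "$docroot" ! -user "$site_user" \
                -exec printf 'OWNER\t%s\n' {} \;
        fi
        # Symlinks always show mode 777, so skip them in the mode checks.
        find "$docroot" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE\t%s\n' {} \;
        find "$docroot" ! -type l -perm -0020 ! -perm -0002 \
            -exec printf 'GROUP-WRITABLE\t%s\n' {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

An empty report with exit status 0 means every file under the web root belongs to the site user and none is writable by group or others.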