Run multiple WordPress website by different user on Nginx

There are lot of articles tell how to install and setup Nginx + PHP-FPM + MYSQL. But few talk about how to secure WordPress website on the infrastructure. If you are a Windows guy, you perhaps familiar with ACL, it’s similar in Linux world. A user or group has 3 essential permission: read, write or execute. Read this article to understanding how permission works on Linux.

Think about this scenarios. You have two website users share one virtual machine, they don’t know each other and don’t want to share their website files with other. If you just follow up installation guide in internet, you will run into troubleshoot. Because both website folders and files run under user www-data. That means both websites are visible for the user www-data. What if one user upload a webshell?

My understanding is Nginx pass a website request to corresponding .sock in /var/run/ according to website config file in /etc/nginx/sites-enable/. PHP-FPM listens on the same .sock file and immediately executes the PHP script and pass back to Nginx. All the configuration file used here must be set to run by same user. So we basically need to change 3 things: Nginx website config file, PHP-FPM config file and a separate sock file.

Here is a nice article Run php-fpm with separate user/uid and group on linux to show how to setup it.

Chinese version

网上有很多关于如何安装配置 Nginx + PHP-FPM + MYSQL的文章,但是很少有提到怎样在这种架构下做WordPress的安全。如果使用Windows,你可能比较熟悉权限管控机制,其实Linux下也是类似的。一个用户或者组有3个基本的权限:读、写、运行。可以通过这篇文章了解一下Linux下的权限。



具体的配置可以参考这篇文章 Run php-fpm with separate user/uid and group on linux


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s