By: sebask

Best practice setting users and permissions for multiple Wordpress sites

November 15, 2016
WordPress Nginx Getting Started Security Apache Ubuntu 16.04

Hi everyone,

I could use a little advice regarding running multiple Wordpress sites on a single server, as multiple users, and making sure the webserver has the proper permissions to make changes while making sure security is in order.

What I would like to achieve... A configuration in which I can use a user per website, and where the webserver can make changes (i.e. uploading media, plugins, etc.), without relying on chmod (not having to use chmod at all feels better). Where the user can make changes to its directory (e.g. a git working directory for automatic deployments). Where the users can't change each other's files.

I wonder... Is the configuration described below a proper one? Should I do something differently? Are there better solutions?

Some backstory... For a while now I have been setting up servers for websites and web apps. Most of the time I run multiple websites from the same server. Could be a staging and production environment, but also different (client) websites. Sometimes I add CI to the mix using CircleCI. Basically CircleCI pushes to a repository on the server, this repo then updates the working directory which could be a web app or Wordpress theme. Everything currently works okay, although I think security, and how things are set up, could be improved.

Currently my configuration often looks like...

Users

somewebsite 
# User on the server with the directory `/var/www/somewebsite`

someotherwebsite
# Another user on the server with the directory `/var/www/someotherwebsite`

When needed I use these users to make changes to the contents.

Directories

/var/www/somewebsite/html 
# Wordpress website

/var/www/somewebsite/somewebsite.git 
# Git repo with a working dir set to `/var/www/somewebsite/html/wp-content/themes/sometheme`

/var/www/someotherwebsite/html
# Some other website

/var/www/yetanotherwebsite/html
# Yet another Wordpress website

Permissions
The contents of /var/www/somewebsite/html, /var/www/someotherwebsite/html, and /var/www/yetanotherwebsite/html belong to the user and group www-data. Although, when I upload something manually later, this upload (logically) belongs to the user I am using for access (not www-data).

The users somewebsite, someotherwebsite, and yetanotherwebsite have been added to the www-data group. I believe this means someotherwebsite could make changes to somewebsite (and vice versa). It would be better if it couldn't.

Trivia

  • Depending on the requirements I use Apache or nginx.
  • SSH keys are used for authentication; password authentication is disabled.

I understand my current configuration isn't the most straightforward one. I do hope I clarified most of it.

I read a lot of information regarding the subject, but it's hard to find something which is applicable to my situation. This tutorial was very useful: https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-wordpress-sites-on-a-single-ubuntu-vps.

Any tips, feedback and insights are welcome!

1 Answer

Yes. With your current setup, theoretically one user could modify another user's files. Having these permissions all within the www-data group is important so that the web server has permission to write and modify the files it needs to, so your best bet may be to give your users ssh/sftp chroots, which would lock their ssh/sftp access to their site's directory and only allow them access to those files. The group could remain www-data for Apache while the users would have the ability to access any files in their directory. Something like this in your ssh server configuration would do the trick:

# In sshd_config; Match blocks go at the end, since every line after one belongs to it
Match User john
    # Must be owned by root and not group/world writable, or sshd refuses the login
    ChrootDirectory /home/john
    # SFTP only: no shell and no other commands over this login
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

More information can be found here
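An added audit script (my own example, not code from the answer or from DigitalOcean) that checks the two invariants this answer relies on: sshd accepts a `ChrootDirectory` only when that directory and every directory above it are root-owned and not group/world writable, and a site's document root keeps the www-data group with nothing world-writable. `run_demo` builds a constructed copy of the question's `/var/www/somewebsite` layout in a temp dir and, because it runs unprivileged, treats the current uid as "root" (an assumption for the demo only).

```python
import os
import stat
import tempfile

def chroot_path_problems(top, path, root_uid=0):
    """sshd honours ChrootDirectory only if it and every directory above it are
    root-owned and not group/world writable; walks `top` down to `path`."""
    top, path = os.path.abspath(top), os.path.abspath(path)
    rel = os.path.relpath(path, top)
    parts = [] if rel == "." else rel.split(os.sep)
    chain = [os.path.join(top, *parts[:i]) for i in range(len(parts) + 1)]
    problems = []
    for d in chain:
        st = os.lstat(d)
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != root_uid:
            problems.append(f"{d}: must be a directory owned by root")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{d}: group/world writable, sshd will reject the chroot")
    return problems

def site_tree_problems(html_dir, web_gid):
    """Every entry under the document root must carry the web server's group
    (www-data writes via the group bit) and none may be world writable."""
    problems = []
    for dirpath, _dirs, files in os.walk(html_dir):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            if st.st_gid != web_gid:
                problems.append(f"{p}: gid {st.st_gid} is not the web server group")
            if st.st_mode & stat.S_IWOTH:
                problems.append(f"{p}: world writable, any other site's user can edit it")
    return problems

def run_demo():
    """Constructed tree with two deliberate mistakes; returns findings before/after the fixes."""
    os.umask(0o022)                             # new directories come out 755
    base = tempfile.mkdtemp()                   # stands in for "/"
    chroot = os.path.join(base, "var", "www", "somewebsite")
    html = os.path.join(chroot, "html")
    upload = os.path.join(html, "wp-content", "uploads", "photo.jpg")
    os.makedirs(os.path.dirname(upload))
    open(upload, "w").close()
    os.chmod(chroot, 0o775)                     # mistake: the chroot root is g+w
    os.chmod(upload, 0o666)                     # mistake: world-writable upload
    me, web_gid = os.getuid(), os.lstat(html).st_gid   # demo runs unprivileged
    before = (chroot_path_problems(base, chroot, me), site_tree_problems(html, web_gid))
    os.chmod(chroot, 0o755)                     # fix: chroot root not group writable
    os.chmod(upload, 0o664)                     # fix: group write is enough for www-data
    after = (chroot_path_problems(base, chroot, me), site_tree_problems(html, web_gid))
    return before, after
```

On a real server call `chroot_path_problems("/", "/var/www/somewebsite")` and `site_tree_problems("/var/www/somewebsite/html", grp.getgrnam("www-data").gr_gid)` as root. Note that `ForceCommand internal-sftp` leaves the account with no shell, so a CircleCI push to the server's git repo over ssh would not work through a chrooted login of this kind.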
