Best practice setting users and permissions for multiple WordPress sites

November 15, 2016
WordPress Nginx Getting Started Security Apache Ubuntu 16.04

Hi everyone,

I could use a little advice regarding running multiple WordPress sites on a single server, as multiple users, and making sure the webserver has the proper permissions to make changes while making sure security is in order.

What I'd like to achieve... A configuration in which I can use a user per website, and where the webserver can make changes (i.e. uploading media, plugins, etc.), without relying on chmod (not having to use chmod at all feels better). Where the user can make changes to its directory (e.g. a git working directory for automatic deployments). When the users can't change each other's files.

I wonder... Is the configuration described below a proper one? Should I do something differently? Are there better solutions?

Some backstory... For a while now I have been setting up servers for websites and web apps. Most of the time I run multiple websites from the same server. Could be a staging and production environment, but also different (client) websites. Sometimes I add CI to the mix using CircleCI. Basically CircleCI pushes to a repository on the server, this repo then updates the working directory which could be a web app or WordPress theme. Everything currently works okay, although I think security, and how things are set up, could be improved.

Currently my configuration often looks like...


# User on the server with the directory `/var/www/somewebsite`

# Another user on the server with the directory `/var/www/someotherwebsite`

When needed I use these users to make changes to the contents.


# WordPress website

# Git repo with a working dir set to `/var/www/somewebsite/html/wp-content/themes/sometheme`

# Some other website

# Yet another WordPress website

The contents of /var/www/somewebsite/html, /var/www/someotherwebsite/html, and /var/www/yetanotherwebsite/html belong to the user and group www-data. Although, when I would upload something manually later, this upload (logically) belongs to the user I am using for access (not www-data).

The users somewebsite, someotherwebsite, and yetanotherwebsite have been added to the www-data group. I believe this means someotherwebsite could make changes to somewebsite (and vice versa). Which would be better if it couldn't.


  • Depending on the requirements I use Apache or nginx.
  • SSH keys are used for authentication, Password Authentication is disabled.

I understand my current configuration isn't the most straightforward one. I do hope I clarified most of it.

I read a lot of information regarding the subject, but it's hard to find something which is applicable to my situation. This tutorial was very useful.

Any tips, feedback and insights are welcome!
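
The shared-group concern raised in the question can be checked mechanically. The following is an added example, not part of the original post: it models the POSIX owner/group/other write check over a constructed file listing and reports every site user who can write under another site's directory. The file names, modes and the per-site-group comparison layout are assumptions made for illustration.

```python
import stat

def can_write(user, entry, groups):
    """POSIX class check: owner, else group, else other (ACLs and root ignored)."""
    _path, owner, group, mode = entry
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if user in groups.get(group, set()):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def cross_site_writes(entries, groups, site_roots):
    """Sorted (user, path) pairs where a site user can write under another site's root."""
    findings = []
    for entry in entries:
        path = entry[0]
        for user, root in site_roots.items():
            own = path == root or path.startswith(root + "/")
            if not own and can_write(user, entry, groups):
                findings.append((user, path))
    return sorted(findings)

# Site users and directories named in the post.
SITE_ROOTS = {
    "somewebsite": "/var/www/somewebsite",
    "someotherwebsite": "/var/www/someotherwebsite",
    "yetanotherwebsite": "/var/www/yetanotherwebsite",
}

# Constructed sample of the layout in the post: content owned by www-data:www-data,
# all site users in the www-data group. File names and modes are assumptions.
SHARED_GROUPS = {"www-data": {"www-data", *SITE_ROOTS}}
SHARED_ENTRIES = [
    ("/var/www/somewebsite/html/wp-config.php", "www-data", "www-data", 0o664),
    ("/var/www/someotherwebsite/html/index.php", "www-data", "www-data", 0o664),
    ("/var/www/yetanotherwebsite/html/wp-content/uploads", "www-data", "www-data", 0o775),
    # Manual upload, owned by the uploading user as the post describes.
    ("/var/www/somewebsite/html/wp-content/uploads/manual.jpg", "somewebsite", "somewebsite", 0o644),
]

# Hypothetical comparison layout (not from the post): one group per site,
# with www-data as the only extra member of each group.
PER_SITE_GROUPS = {user: {user, "www-data"} for user in SITE_ROOTS}
PER_SITE_ENTRIES = [(root + "/html/index.php", user, user, 0o664) for user, root in SITE_ROOTS.items()]

if __name__ == "__main__":
    for user, path in cross_site_writes(SHARED_ENTRIES, SHARED_GROUPS, SITE_ROOTS):
        print(f"{user} can write {path}")
    print("per-site groups:", cross_site_writes(PER_SITE_ENTRIES, PER_SITE_GROUPS, SITE_ROOTS))
```

On a live server the same tuples could be built from `os.walk` and `os.stat` plus the group database; the model ignores ACLs and root.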
