Best practice setting users and permissions for multiple Wordpress sites
I could use a little advice regarding running multiple Wordpress sites on a single server, as multiple users, and making sure the webserver has the proper permissions to make changes while making sure security is in order.
What I like to achieve... A configuration in which I can use a user per website, and where the webserver can make changes (i.e. uploading media, plugins, etc.) without relying on chmod (not having to use chmod at all feels better). Where the user can make changes to its directory (e.g. a git working directory for automatic deployments). Where the users can't change each other's files.
I wonder... Is the configuration described below a proper one? Should I do something differently? Are there better solutions?
Some backstory... For a while now I have been setting up servers for websites and web apps. Most of the time I run multiple websites from the same server. Could be a staging and production environment, but also different (client) websites. Sometimes I add CI to the mix using CircleCI. Basically CircleCI pushes to a repository on the server, this repo then updates the working directory which could be a web app or Wordpress theme. Everything currently works okay, although I think security, and how things are set up, could be improved.
Currently my configuration often looks like...
```
somewebsite         # User on the server with the directory `/var/www/somewebsite`
someotherwebsite    # Another user on the server with the directory `/var/www/someotherwebsite`
```
When needed I use these users to make changes to the contents.
```
/var/www/somewebsite/html              # Wordpress website
/var/www/somewebsite/somewebsite.git   # Git repo with a working dir set to `/var/www/somewebsite/html/wp-content/themes/sometheme`
/var/www/someotherwebsite/html         # Some other website
/var/www/yetanotherwebsite/html        # Yet another Wordpress website
```
- The contents of `/var/www/yetanotherwebsite/html` belong to the user and group `www-data`. Although, when I would upload something manually later, this upload (logically) belongs to the user I am using for access (not `www-data`).
- [...] `yetanotherwebsite` have been added to the `www-data` group. I believe this means `someotherwebsite` could make changes to `somewebsite` (and vice versa), which would be better if it couldn't.
- Depending on the requirements I use Apache or nginx.
- SSH keys are used for authentication, Password Authentication is disabled.
I understand my current configuration isn't the most straightforward one. I do hope I clarified most of it.
I read a lot of information regarding the subject, but it's hard to find something which is applicable to my situation. This tutorial was very useful: https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-wordpress-sites-on-a-single-ubuntu-vps.
Any tips, feedback and insights are welcome!