By sebask
Hi everyone,
I could use a little advice regarding running multiple Wordpress sites on a single server, as multiple users, and making sure the webserver has the proper permissions to make changes while making sure security is in order.
What I like to achieve… A configuration in which I can use a user per website, and where the webserver can make changes (i.e. uploading media, plugins, etc), without relying on chmod (not having to use chmod at all feels better). Where the user can make changes to its directory (e.g. a git working directory for automatic deployments). And where the users can’t change each other’s files.
I wonder… Is the configuration described below a proper one? Should I do something differently? Are there better solutions?
Some backstory… For a while now I have been setting up servers for websites and web apps. Most of the time I run multiple websites from the same server. Could be a staging and production environment, but also different (client) websites. Sometimes I add CI to the mix using CircleCI. Basically CircleCI pushes to a repository on the server, this repo then updates the working directory which could be a web app or Wordpress theme. Everything currently works okay, although I think security, and how things are set up, could be improved.
Currently my configuration often looks like…
Users
somewebsite
# User on the server with the directory `/var/www/somewebsite`
someotherwebsite
# Another user on the server with the directory `/var/www/someotherwebsite`
When needed I use these users to make changes to the contents.
Directories
/var/www/somewebsite/html
# Wordpress website
/var/www/somewebsite/somewebsite.git
# Git repo with a working dir set to `/var/www/somewebsite/html/wp-content/themes/sometheme`
/var/www/someotherwebsite/html
# Some other website
/var/www/yetanotherwebsite/html
# Yet another Wordpress website
Permissions
The contents of /var/www/somewebsite/html, /var/www/someotherwebsite/html, and /var/www/yetanotherwebsite/html belong to the user and group www-data. Although, when I would upload something manually later, this upload (logically) belongs to the user I am using for access (not www-data).
The users somewebsite, someotherwebsite, and yetanotherwebsite have been added to the www-data group. I believe this means someotherwebsite could make changes to somewebsite (and vice versa). Which would be better if it couldn’t.
Trivia
I understand my current configuration isn’t the most straightforward one. I do hope I clarified most of it.
I read a lot of information regarding the subject. But it’s hard to find something which is applicable to my situation. This tutorial was very useful https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-wordpress-sites-on-a-single-ubuntu-vps.
Any tips, feedback and insights are welcome!
Realise this is a little late, but people could still turn up from Google…
Why not just invert it?
Something like:
/var/www/app1 770 app1:app1
/var/www/app2 770 app2:app2
app1 group members:
- app1
- www-data
app2 group members:
- app2
- www-data
app1 can change anything in:
- /var/www/app1
app2 can change anything in:
- /var/www/app2
www-data can change anything in:
- /var/www/app1
- /var/www/app2
Technically speaking, this still isn’t a great setup, as www-data is by design an unprivileged user:group, and should the www-data user be compromised you’re in for a world of hurt, so shouldn’t be given blanket control of anything, but that’s outside the scope of this question.
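The following script is an added example, not code from the thread: it provisions one site in the inverted layout described in this answer (a user and group per site, www-data added to that site's group, and a 2770 site directory), and includes a check that verifies the result. The webroot /var/www, the site user's shell, the `setfacl` default-ACL step and the check for stray group members are assumptions added here; the answer itself only specifies the 770 app1:app1 ownership and the group memberships.

```shell
#!/bin/sh
# Added example (not from the thread above): provision one site in the
# "inverted" layout the answer describes: a user and group per site,
# www-data added to that site's group, and a 2770 site directory.
# WEBROOT, the default ACL step and the site user's shell are assumptions.
set -eu

WEBROOT="${WEBROOT:-/var/www}"   # assumption: sites live under /var/www
WEBUSER="${WEBUSER:-www-data}"   # account the web server / php-fpm runs as
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints the commands instead of running them

# run CMD...: execute CMD, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# provision_site NAME: create user+group NAME, put www-data in group NAME and
# create WEBROOT/NAME as 2770 NAME:NAME. The setgid bit makes new files and
# directories inherit group NAME; the default ACL makes them group-writable
# whatever umask the creator (php-fpm, git, sftp) runs with, so no chmod later.
provision_site() {
    name=$1
    dir="$WEBROOT/$name"
    run useradd --user-group --no-create-home --home-dir "$dir" "$name"
    run usermod -aG "$name" "$WEBUSER"
    run install -d -m 2770 -o "$name" -g "$name" "$dir"
    run setfacl -d -m g::rwX "$dir"
}

# dir_perms_ok DIR OWNER GROUP: true when DIR is OWNER:GROUP with mode 2770
# (owner and group rwx, setgid, nothing for others), i.e. the layout above.
dir_perms_ok() {
    [ "$(stat -c '%U %G %a' "$1")" = "$2 $3 2770" ]
}

# check_site NAME: verify the directory, that www-data is in group NAME, and
# that no other account is (a compromised site must not reach another site).
check_site() {
    name=$1
    dir="$WEBROOT/$name"
    dir_perms_ok "$dir" "$name" "$name" || { echo "$dir: wrong owner/group/mode" >&2; return 1; }
    members=$(getent group "$name" | cut -d: -f4 | tr ',' '\n')
    echo "$members" | grep -qx "$WEBUSER" || { echo "$WEBUSER not in group $name" >&2; return 1; }
    for m in $members; do
        case "$m" in "$WEBUSER"|"$name") ;; *) echo "unexpected member $m in group $name" >&2; return 1 ;; esac
    done
}

# usage (as root): sh provision_site.sh app1 app2     DRY_RUN=1 to preview
if [ $# -gt 0 ]; then
    for site in "$@"; do provision_site "$site"; done
fi
```

Run it with `DRY_RUN=1` first to review the exact commands, then as root. The mode 2770 plus the default ACL is what removes the need for later `chmod` runs: a media upload created by www-data and a theme checkout created by the site user both end up group-writable in group app1, and `check_site` flags any directory where that drifted or where a second site account found its way into the group.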
Yes. With your current setup, theoretically one user could modify another user’s files. Having these permissions all within the www-data group is important so that the web server has permission to write and modify the files it needs to. So your best bet may be to give your users ssh/sftp chroots, which would lock their ssh/sftp access to their site’s directory and only allow them access to those files. The group could remain www-data for apache while the users would have the ability to access any files in their directory. Something like this in your ssh server configuration would do the trick:
Match User john
    # everything below applies to john only
    ChrootDirectory /home/john
    # SFTP only: no shell, no port forwarding, no X11
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
More information can be found here
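One check worth running before adding a Match stanza like the one above, as an added example that is not part of the thread: sshd only accepts a ChrootDirectory whose path, including every parent directory, is owned by root and not writable by any other user or group, otherwise the login fails. That means the chroot itself cannot be the 770 app1:app1 directory from the earlier answer; the root-owned parent is the chroot and the site account gets a writable subdirectory inside it (with the question's layout, /var/www/somewebsite as root:root 755 and html/ beneath it owned by the site). The script checks a candidate path component by component and prints the stanza. The path, the user name and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sshd only accepts a ChrootDirectory
# whose path components are all owned by root and not writable by group or
# others, so the chroot itself must be root-owned and the site account needs
# a writable subdirectory inside it. Checks a candidate path, then prints the
# Match stanza from the answer above. Paths and user names are assumptions.
set -eu

# component_ok PATH: true if PATH is owned by uid 0 and has no group/other write bit
component_ok() {
    uid=$(stat -c %u "$1")
    mode=$(stat -c %a "$1")        # e.g. 755, 2770, 1777
    [ "$uid" = 0 ] || return 1
    # penultimate octal digit = group, last = other; 2,3,6,7 carry the write bit
    case "$mode" in *[2367]?|*[2367]) return 1 ;; esac
    return 0
}

# chroot_path_ok DIR: walk from DIR up to / and require every component to pass
chroot_path_ok() {
    dir=$1
    case "$dir" in /*) ;; *) echo "ChrootDirectory must be absolute: $dir" >&2; return 1 ;; esac
    while :; do
        component_ok "$dir" || { echo "not root-owned or group/other-writable: $dir" >&2; return 1; }
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# sftp_match_block USER CHROOT: the sshd_config stanza for an SFTP-only account
# confined to CHROOT (same settings as the answer; keywords are case-insensitive)
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# usage: sh chroot_check.sh somewebsite /var/www/somewebsite
# With the question's layout, /var/www/somewebsite root:root 755 is the chroot
# and html/ inside it (owned by somewebsite) is where the account may write.
if [ $# -eq 2 ]; then
    chroot_path_ok "$2" && sftp_match_block "$1" "$2"
fi
```

The account confined this way can only reach what is inside the chroot, which is the isolation the question asks for; the web server still reaches the files through its group membership, so nothing in the chroot needs to be world-writable.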