Can I have WordPress site isolation to prevent sites being compromised?

July 1, 2015 439 views
WordPress Security


I currently use another hosting service (unlimitewebhosting) to host my WordPress sites (around 8 currently).

From time to time the WordPress sites have been compromised and whilst I have tried to stop this happening, I am losing the battle. The issue is that once one of the sites in the shared hosting is compromised, all the others are being compromised too.

Is there a way of setting up WordPress in an isolated manner on DigitalOcean so that one site being compromised won't affect all the others?

Is there anything that DO can do to help prevent the sites being compromised?


1 comment
  • This isn't a shared hosting environment. With that being said, DO can't do anything for you directly, because you control your server.

    What I would do, if I was in control of all facets of the sites is this:

    • change all file permissions to 644 (you should do this anyway)
    • change all folder permissions to 755 (you should do this anyway)
    • change ownership to some other user (not apache/www-data) that's not root
      • this will stop file modifications
    • when I need to make a change/post, change ownership back to apache/www-data

    A simple enough script to do this:


    #!/bin/bash
    ### Change the user to an existing user
    ### To create a new user, run this:
    ###     useradd USER_NAME_GOES_HERE
    user="USER_NAME_GOES_HERE"
    ### Change to the directory that houses your sites, if not /var/www/
    web_path="/var/www/"
    if [ -d /etc/apache2 ]; then
        web_user="www-data"   # Debian/Ubuntu layout
    else
        web_user="apache"     # RHEL/CentOS and similar
    fi
    if [ "$1" = "" ]; then
        echo "Usage:"
        echo "      $0 [lock | unlock]"
        exit 1
    fi
    case $1 in
        lock)
            chown -R "$user:$user" "$web_path"
            echo "Files now locked, and ownership set to $user"
            ;;
        unlock)
            chown -R "$web_user:$web_user" "$web_path"
            echo "Files are now unlocked and ownership set to $web_user"
            ;;
        *)
            echo "Invalid operator."
            echo "  Usage:"
            echo "      $0 [lock | unlock]"
            exit 1
    esac

    Just copy this, paste it in a new file, then upload it to your server. Once it's been uploaded, just make it executable:

    chmod +x change-web-permissions.sh

    Now, to run this:

    ./change-web-permissions.sh lock


    ./change-web-permissions.sh unlock

    Edit Added catch-all to case statement
    Edit 2 Forgot to add "fi" after getting the web user.
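
One way to check that a web root actually matches the layout described in the comment above (files 644, folders 755, nothing owned by the web server user while locked). This is an added example, not part of the original thread; the function names and the script name `audit-web-root.sh` are hypothetical.

```bash
#!/bin/bash
# Added example: audit a web root against the 644/755 + "not owned by the
# web server user" layout. Paths and user names are supplied by the caller.

# Print regular files whose mode is not exactly 644 and directories whose
# mode is not exactly 755 (setuid/setgid/sticky bits also count as a mismatch).
list_bad_modes() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \)
}

# Print entries still owned by the web server user ($2: name or numeric uid).
# While the tree is "locked", this list should be empty.
list_web_owned() {
    find "$1" -user "$2"
}

# Print offending paths on stderr and the number of findings on stdout.
# Exit status is 0 only when the tree is clean.
audit_web_root() {
    findings=$( { list_bad_modes "$1"; list_web_owned "$1" "$2"; } | sort -u )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        printf '%s\n' "$findings" | wc -l | tr -d ' '
        return 1
    fi
    echo 0
}

# Direct use: ./audit-web-root.sh /var/www/ www-data
if [ $# -eq 2 ]; then
    audit_web_root "$1" "$2"
fi
```

Run it after `lock` to confirm nothing was missed; a non-zero exit status makes it usable from cron or a monitoring check.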

2 Answers

"The issue is that once one of the sites in the shared hosting is compromised, all the others are being compromised too"
Then it's not WordPress that was compromised but your server. If you host your WordPress sites on DigitalOcean then I recommend signing up for a free plan with serverpilot (https://serverpilot.io). They will take care of your droplet's security (for free) while you can focus on your business.

Thanks for the suggestions.

I really like the idea of serverpilot... it seems like a great solution. As suggested, I will try it out.

