Question
One-Click Install Apps: create a new user to avoid using roote user
- Posted November 5, 2018
- WordPressDigitalOcean 1-Click Apps MarketplaceUbuntu 18.04
One of the secutity steps to protect Ubuntu instalattion is create a daily user with less privileges that administrative user (root user), as described in this tutorial.
This is necessary when I use One-Click Install Apps or it’s one of secutity task automatically runned when I install it (in my case, WordPress)?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hey friend!
That’s a great question. I’m afraid the answer won’t be as clear. First I’ll say that is not automatically done in the one-click images. Second, I’ll add that whether or not it’s necessary is up to you. The web server will run Wordpress through the privileged user “www-data” which does mean that a compromised Wordpress is not necessarily a compromised root user (I’ll side-step privilege escalation for this discussion as it gets further away from common, automated compromises).
Now, if you’re just managing a Wordpress site and the only reason you log in is to update packages (apt-get update && apt-get upgrade), you’re either going to use a sudo user or root, so most people honestly just stick with root and lock it down to SSH key only.
Since Wordpress isn’t running as root, and since you’re probably not doing much in the terminal, creating a second privileged user is probably not something that is worth your time to do (or would be of any real value in that case). That’s my two cents, and this is a topic in which someone will absolutely disagree with me (and they won’t be wrong for doing so).
Jarland
Thanks for the explanation @jarland!