One-Click Install Apps: create a new user to avoid using roote user

November 5, 2018 638 views
WordPress One-Click Install Apps

One of the secutity steps to protect Ubuntu instalattion is create a daily user with less privileges that administrative user (root user), as described in this tutorial.

This is necessary when I use One-Click Install Apps or it’s one of secutity task automatically runned when I install it (in my case, WordPress)?

2 Answers
jarland MOD November 5, 2018
Accepted Answer

Hey friend!

That’s a great question. I’m afraid the answer won’t be as clear. First I’ll say that is not automatically done in the one-click images. Second, I’ll add that whether or not it’s necessary is up to you. The web server will run Wordpress through the privileged user “www-data” which does mean that a compromised Wordpress is not necessarily a compromised root user (I’ll side-step privilege escalation for this discussion as it gets further away from common, automated compromises).

Now, if you’re just managing a Wordpress site and the only reason you log in is to update packages (apt-get update && apt-get upgrade), you’re either going to use a sudo user or root, so most people honestly just stick with root and lock it down to SSH key only.

Since Wordpress isn’t running as root, and since you’re probably not doing much in the terminal, creating a second privileged user is probably not something that is worth your time to do (or would be of any real value in that case). That’s my two cents, and this is a topic in which someone will absolutely disagree with me (and they won’t be wrong for doing so).


Have another answer? Share your knowledge.