Server Setup 13: Security Improvements

If this is your first time looking at a post from this series, have a look at this summary: Server Setup 0: Contents

One recommendation that many security experts make is that the WordPress configuration file should be kept outside the web root: wp-config.php holds the database credentials and the authentication keys and salts, and if PHP processing ever fails or a file-disclosure bug turns up, a file under the web root can end up being served to anyone who asks for it. Let's make this change.


Create a new folder, /var/www_config, with a wordpress folder inside it:

cd /var
sudo mkdir www_config
cd www_config
sudo mkdir wordpress

Copy the WordPress configuration file across, and set its permissions so that no one apart from www-data (and root, of course) can read it. cp -a preserves the original's owner and mode, which is why the chown and chmod follow. Read-only for www-data (u=rX) is enough: WordPress core never writes to wp-config.php after installation, so a plugin that wants to add a constant to it will need you to make that change by hand.

sudo cp -a /var/www/wordpress/wp-config.php /var/www_config/wordpress/
sudo chown -R www-data:www-data /var/www_config
sudo chmod -R u=rX,go= /var/www_config

Now we need to tell Apache that when PHP scripts on the wordpress site run, they can only open files under the folders we want them to. This is PHP's open_basedir restriction: even if a plugin is compromised or has a file-inclusion bug, it cannot read anything outside these paths.

  • /var/www/wordpress : our wordpress installation
  • /var/www_config/wordpress : our wordpress config
  • /tmp : PHP writes uploaded files here, and WordPress unpacks core, plugin and theme updates here

Modify the wordpress Apache site configuration file and add this line inside the VirtualHost section:

php_admin_value open_basedir "/var/www/wordpress/:/var/www_config/wordpress/:/tmp/"

Keep the trailing slashes: open_basedir does a prefix match, so "/var/www/wordpress" without the slash would also allow a sibling such as "/var/www/wordpress-old". Note that php_admin_value only applies when PHP runs inside Apache as mod_php; if you serve PHP through PHP-FPM instead, the equivalent setting is php_admin_value[open_basedir] in the pool configuration.

Now reload Apache so the directive takes effect.

Finally, WordPress still needs to be able to find the file, so replace the contents of the original /var/www/wordpress/wp-config.php with the stub below. ABSPATH has to be defined here, before the real config is pulled in: the moved file's own define('ABSPATH', ...) is guarded by !defined('ABSPATH'), so defining it first keeps ABSPATH pointing at /var/www/wordpress/, which is where the moved file's require_once ABSPATH . 'wp-settings.php' must resolve.

<?php
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once '/var/www_config/wordpress/wp-config.php';

It'll take effect the moment you save it, so now visit your site from the client, and hopefully nothing has broken. If it has, the Apache error log is the place to look: a path WordPress needs that the directive does not cover shows up there as an "open_basedir restriction in effect" warning. The stub now holds no secrets, but delete any backup copies of the old wp-config.php you may have left under /var/www.
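The script below is an added example, not part of the original post: a small audit of the state this section leaves behind. It checks that the stub in the web root carries none of the secret-bearing defines, that nothing under the config folder has group or other permission bits, and that the vhost's open_basedir names every required folder with its trailing slash. It assumes GNU find (for -perm /077) and the directive exactly as written above; the function names, the list of constants treated as secrets, and the vhost file name in the usage comment are assumptions of mine, not the post's.

```shell
#!/bin/bash
# Added example, not from the original post: audit a relocated wp-config.php.
# Assumes GNU find (-perm /mode) and the open_basedir line used in the post.
# Function names and the secret constant list are the example's own.

# The stub left in the web root must hold no secrets. If any secret-bearing
# define() is still there, the file was copied but never replaced.
stub_has_no_secrets() {
    local stub="$1"
    [ -f "$stub" ] || { echo "missing: $stub"; return 1; }
    if grep -Eq "define\( *'(DB_USER|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)'" "$stub"; then
        echo "secrets still present in $stub"
        return 1
    fi
    return 0
}

# Nothing under DIR may carry group or other permission bits
# (the state "chmod -R u=rX,go=" produces). Lists any offender.
dir_is_private() {
    local dir="$1" leaks
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    leaks=$(find "$dir" -perm /077)
    if [ -n "$leaks" ]; then
        printf 'group/other bits set on:\n%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Each required directory must appear, trailing slash included, in the
# vhost's open_basedir value. open_basedir is a prefix match, so an entry
# without the slash would also admit sibling directories.
open_basedir_covers() {
    local vhost="$1" value dir
    shift
    value=$(sed -nE 's/^[[:space:]]*php_admin_value[[:space:]]+open_basedir[[:space:]]+"([^"]*)".*/\1/p' "$vhost")
    [ -n "$value" ] || { echo "no open_basedir directive in $vhost"; return 1; }
    for dir in "$@"; do
        case ":$value:" in
            *":$dir:"*) ;;
            *) echo "open_basedir does not cover $dir"; return 1 ;;
        esac
    done
    return 0
}

# Run all checks. Usage, with the paths from this post and an assumed
# vhost file name:
#   wp_config_audit /var/www/wordpress /var/www_config/wordpress \
#       /etc/apache2/sites-available/wordpress.conf
wp_config_audit() {
    local webroot="$1" confdir="$2" vhost="$3" rc=0
    [ -f "$confdir/wp-config.php" ] || { echo "relocated config not found in $confdir"; rc=1; }
    stub_has_no_secrets "$webroot/wp-config.php" || rc=1
    dir_is_private "$confdir" || rc=1
    open_basedir_covers "$vhost" "$webroot/" "$confdir/" "/tmp/" || rc=1
    return $rc
}
```

Run it as root (or as any user that can read the config folder) after the reload; a non-zero exit means one of the three properties does not hold, and the message says which. The dir_is_private check is not WordPress-specific and applies to any folder that should be readable by the web server user alone.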


Moving the configuration out of the web root is, for some reason, not as widely recommended by Nextcloud users. I'll investigate and update this post with my suggestion.

For now, just make sure that only www-data can read and write the config directory. Unlike wp-config.php, Nextcloud's config/config.php is written by Nextcloud itself (updates, app installs, maintenance mode), so www-data keeps write access:

sudo chown -R www-data:www-data /var/www/nextcloud/config/
sudo chmod -R u=rwX,go= /var/www/nextcloud/config/
