If this is your first time looking at a post from this series, have a look at this summary: Server Setup 0: Contents
One recommendation that many security experts make is that the WordPress configuration files should be outside the web root. Let's make this change.
WordPress
Create a new folder called /var/www_config. Put a new folder in here, wordpress:
cd /var
sudo mkdir www_config
cd www_config
sudo mkdir wordpress
Copy the WordPress configuration file across, and set its permissions so no-one apart from www-data (and root, of course) can read it:
sudo cp -a /var/www/wordpress/wp-config.php /var/www_config/wordpress/
sudo chown -R www-data:www-data /var/www_config
sudo chmod -R u=rX,go= /var/www_config
Now we need to tell Apache that when PHP scripts on the wordpress site run, they can only access the folders we want them to:
- /var/www/wordpress : our wordpress installation
- /var/www_config/wordpress : our wordpress config
- /tmp : WordPress needs this for handling plugin upgrades etc.
Modify the wordpress Apache site configuration file and add this line inside the VirtualHost section:
php_admin_value open_basedir "/var/www/wordpress/:/var/www_config/wordpress/:/tmp/"
Now reload Apache.
Finally, WordPress still needs to be able to find this file, so replace the contents of the original wp-config.php with this:
<?php
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Location of your WordPress configuration. */
require_once('/var/www_config/wordpress/wp-config.php');
It’ll take effect the moment you save it, so now visit your site from the client, and hopefully nothing has broken!
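As an added check, not from the original post: a small POSIX shell script that verifies the three properties this section sets up (the relocated file is owner-only, the stub left in the web root carries no secrets and hands off with require_once, and open_basedir covers the config directory). The Apache site file path in check_setup is an assumption; pass your own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the usual
# "perms links owner group ..." column layout of `ls -ld`.

# Succeeds only if FILE exists, is owned by OWNER (default www-data), is
# readable by that owner, and grants no permission bits to group or others.
check_private_file() {
    file="$1"
    owner="${2:-www-data}"
    [ -f "$file" ] || { echo "FAIL: $file missing"; return 1; }
    set -- $(ls -ld "$file") || return 1   # $1 = perms, $3 = owner
    perms="$1"; actual="$3"
    [ "$actual" = "$owner" ] || { echo "FAIL: $file owned by $actual, not $owner"; return 1; }
    case "$perms" in
        ?r??------*) echo "OK: $file is $owner-only ($perms)"; return 0 ;;
        *) echo "FAIL: $file not owner-only ($perms)"; return 1 ;;
    esac
}

# Succeeds only if the stub in the web root hands off via require_once and no
# longer defines any of the secret-bearing WordPress constants.
check_stub() {
    stub="$1"
    grep -q 'require_once' "$stub" || { echo "FAIL: $stub has no require_once hand-off"; return 1; }
    if grep -Eq "define\( *['\"](DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_KEY|NONCE_KEY)['\"]" "$stub"; then
        echo "FAIL: $stub still carries secrets"; return 1
    fi
    echo "OK: $stub is a clean hand-off"
}

# Succeeds only if CONF sets open_basedir and that value includes DIR, so PHP
# is still allowed to reach the relocated wp-config.php.
check_open_basedir() {
    conf="$1"; dir="$2"
    line=$(grep -E '^[[:space:]]*php_admin_value[[:space:]]+open_basedir' "$conf") \
        || { echo "FAIL: no open_basedir in $conf"; return 1; }
    case "$line" in
        *"$dir"*) echo "OK: open_basedir covers $dir"; return 0 ;;
        *) echo "FAIL: open_basedir does not include $dir"; return 1 ;;
    esac
}

# Runs all three against the paths used in the post (run as root).
# The site file path is an assumed placeholder; adjust to your setup.
check_setup() {
    check_private_file /var/www_config/wordpress/wp-config.php www-data &&
    check_stub /var/www/wordpress/wp-config.php &&
    check_open_basedir /etc/apache2/sites-enabled/wordpress.conf /var/www_config/wordpress
}
```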
Nextcloud
For some reason this isn’t as widely recommended by Nextcloud users. I’ll investigate and update this post with my suggestion.
For now, just make sure only www-data can read and write the config file:
sudo chown -R www-data:www-data /var/www/nextcloud/config/
sudo chmod -R u=rwX,go= /var/www/nextcloud/config/   # owner keeps write: Nextcloud updates config.php itself