Installing and Securing WordPress on a MediaTemple Dedicated Server (dv)

Posted: July 4th, 2012

Author: Ben Heller


Spruce has an ongoing love affair with WordPress. We use it on almost every website we build. It’s a fast, flexible, and feature-rich platform that continues to grow and improve. While most WordPress installations are one-click setups on shared hosting situations, sometimes a more robust server is needed. We’ve started to move our e-Commerce and heavy-traffic WordPress sites over to MediaTemple Dedicated Virtual (dv) servers. When you’re administering an entire server and not just a “website”, there’s a bit more to consider in setting things up. And, there are some configuration variables you’ll need to set manually in order for things to work smoothly. This isn’t meant to be a one-size-fits-all tutorial. Rather, it’s a documentation of the steps we typically take when setting up a new (dv) 4.0 for a WordPress install.

Permissions Errors and File Ownership

If you don’t know how to fix them, permissions errors can be a time sink and a huge security flaw. Many new users will panic and chmod 777 whole directories. This is a tragic error, and leads to hacked WordPress installs. If you do this, it will no longer be a question as to whether your site gets exploited for nefarious purposes, but rather when. The correct permissions are as follows:

All directories to 755

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

All files to 644

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

This is the official WordPress suggestion. However, we found it necessary to change the wp-content/uploads directory to include write access by the group:

chmod 775 /path/to/your/wordpress/install/wp-content/uploads

While permissions are generally well understood by your average web developer, file ownership can sometimes seem a mystery. One of the first problems we ran into after the move to a (dv) was a prompt to enter FTP information when adding or removing plugins. This happens because WordPress needs permission to write to the /wp-content/plugins directory in order to perform the installation. There are numerous suggestions as to how this might be resolved. The easiest to implement (and the most foolhardy) method is to chown all WordPress files to the user Apache. This is disastrous, as the web server then has read/write/execute permissions on every file in the installation. The correct method is to assign the following ownership to all files within the WordPress installation (pass the install directory itself rather than a bare *, which would skip dotfiles such as .htaccess):

chown -R username:apache /path/to/your/wordpress/install/

Replace “username” with your local user and “apache” with the user that Apache runs under. Not sure what user Apache’s running as? Enter ps aux | grep apache in your shell. This gives the local user ownership over the WordPress install and gives group permissions to Apache. It’s a much safer and smarter method of resolving permissions problems. For those who continue to see the “please enter your FTP credentials” message, open wp-config.php and add this:

define('FS_METHOD','direct');
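A script that audits a WordPress tree for the 777 mistake and repairs it to the policy above (755 directories, 644 files, 775 on wp-content/uploads, user:webserver-group ownership), added here as an example and not part of the original post. It assumes POSIX sh with find and chown, builds a constructed sample tree under mktemp, and uses the current user's own group in place of your login and "apache".

```shell
# Added example (not from the original post). Policy: 755 dirs, 644 files,
# 775 on wp-content/uploads, files owned by the local user with the web
# server's group. On a (dv) you would pass your login user and "apache".

# Number of world-writable entries: anything a "chmod 777" left behind.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Exact-mode check for one path; prints the path only if the mode matches.
has_mode() {
    find "$1" -maxdepth 0 -perm "$2"
}

# Apply the policy. $1 = install root, $2 = local user, $3 = web-server group.
fix_wp_perms() {
    root=$1; owner=$2; group=$3
    [ -d "$root/wp-content" ] || { echo "not a WordPress tree: $root" >&2; return 1; }
    chown -R "$owner:$group" "$root"            # user owns, Apache gets group rights
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # uploads needs group write so the web server can store media
    [ -d "$root/wp-content/uploads" ] && chmod 775 "$root/wp-content/uploads"
    return 0
}

# Prints "ok" when the tree satisfies the policy, "bad" otherwise.
check_wp_perms() {
    root=$1
    [ "$(count_world_writable "$root")" -eq 0 ]          || { echo bad; return; }
    [ -n "$(has_mode "$root/wp-content/uploads" 0775)" ] || { echo bad; return; }
    [ -n "$(has_mode "$root/wp-config.php" 0644)" ]      || { echo bad; return; }
    echo ok
}

# Constructed sample install showing the 777 state a one-click installer can leave.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins" "$dir/wp-includes"
    printf '<?php\n' > "$dir/wp-config.php"
    printf '<?php\n' > "$dir/wp-content/plugins/hello.php"
    chmod -R 777 "$dir"
    echo "$dir"
}

demo=$(make_demo_tree)
echo "world-writable before: $(count_world_writable "$demo")"
fix_wp_perms "$demo" "$(id -un)" "$(id -gn)"
echo "world-writable after: $(count_world_writable "$demo"), policy: $(check_wp_perms "$demo")"
rm -rf "$demo"
```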

PHP as FastCGI vs. Apache Module

One fix that’s often the cure of many woes is to switch from running PHP as an Apache module to running PHP as FastCGI. As FastCGI, PHP runs as the “user”, which fits well with the user/group permissions we’ve set above. As an Apache module, it runs under the user “apache”, which means it’s more likely to run into security issues. This is the underlying reason why it’s not a good idea to chown all WordPress files to the user Apache. Besides fixing potential permissions issues, FastCGI can result in a noticeable speed increase for some users. To make the switch, go into your Plesk administrative panel (remember, we’re talking about a MediaTemple (dv) 4.0 install here) and navigate to the subscription in question. Click on the “Websites & Domains” tab and then click on the domain. Under “Web Scripting and Statistics” choose “FastCGI application” in the “PHP support, run as…” pulldown. Hit OK. For good measure, you can restart Apache from the shell with /etc/init.d/httpd restart.

Tinfoil Hat

The Hardening WordPress codex page has some smart suggestions on locking down the /includes directory and wp-config.php file. Add the following to your .htaccess outside the #Begin WordPress / #End WordPress permalinks block:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Secure WP Config
# (Apache 2.4 and later: replace the order/deny lines with "Require all denied")
<files wp-config.php>
order allow,deny
deny from all
</files>

  • http://twitter.com/mediatemple mediatemple

    We’re very happy to see that you are moving everything over to our (dv) servers. It looks like you have everything under control so far. If you have any questions or concerns, feel free to contact us via Twitter, phone, or support request/chat. Good luck with everything!

  • John Marston IV

    Note: many common .htaccess rules will not work if you implement FastCGI.

  • http://www.ericleeclark.com/ Eric Clark

    Thanks for the tutorial. I was struggling with ownership issues on a new install and this helped me get things fixed up and working correctly.

    • spruceit

      Super glad to hear it!

  • avexdesigns

    Awesome article. Been looking for a fix and it worked perfectly.

  • Dave

    Hi, I have been using a DV server and the 1-click method for installing WordPress, thinking that should be the ‘best’ method. But I’m just starting to look into this and it appears everything has 777 properties. I’m guessing that this is bad! So I have tried a manual install but have run into trouble with getting media to upload, as WordPress is telling me that the server requires access to the parent directory. Any help much appreciated.

  • denitto

    Essential. Thank you.
