How To Secure Multiple WordPress Sites On Same Server (LEMP Stack)

Hi 🙂

There is a known issue with hosting multiple sites on the same server under a stock LEMP/LAMP setup: every site's PHP code runs as the same user (www-data), so if somebody gains access to one site, they can read and modify the files of every other site on that server too.

How To Reproduce The Security Issue?

  • Install two WordPress sites on the same server with LEMP or LAMP stack.

  • Log in to any site (say site1), install any file manager plugin, go to its preferences and change the public root path to "/var/www"

  • Now you can edit the files of every site hosted on that server, because the plugin's PHP runs as the same www-data user that owns all of them.

How To Solve It?

WordPress is a PHP based CMS. With the default configuration every site is served by the same PHP-FPM pool, so its code runs as that pool's user (www-data) and has every access right that user has: it can read and write any file belonging to the other sites, because they run under the same user and own their files as that user.

So here we are going to add different users for each website and create separate php-fpm pools for each website.

This will run a separate PHP-FPM process for each user/site and thus isolate them.

Prerequisites
Here I am assuming that:-

  1. You have already installed two or more sites on a LEMP stack (say site1 and site2).
  2. The PHP-FPM version is 7.4 (adjust the paths and service names below for any other version).

Step 1

  • Create a group site1 and add user site1 to it.
sudo groupadd site1 
sudo useradd -g site1 site1 
  • Create a new pool configuration for user site1
sudo nano /etc/php/7.4/fpm/pool.d/site1.conf
  • Paste the following into the file. Press Ctrl+O to save and Ctrl+X to exit. The pool's workers run as user site1; only the socket is owned by www-data so that Nginx (which runs as www-data) can connect to it.
[site1]
user = site1
group = site1
listen = /run/php/php7.4-fpm-site1.sock
listen.owner = www-data
listen.group = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
  • Disable php-opcache. OPcache's shared memory belongs to the PHP-FPM master process and is shared by all pools, so compiled scripts cached by one site's pool are visible to the others, which undermines the isolation. Disabling it costs performance; on PHP 7.0 and later, opcache.validate_permission=1 (which makes OPcache check that the current user may read a cached file before serving it from the cache) is an alternative worth evaluating if you need to keep OPcache on.
sudo nano /etc/php/7.4/fpm/conf.d/10-opcache.ini

add at the end of the file:  opcache.enable=0
  • Open the server block of site1 (the already configured server block of WordPress 1).
sudo nano /etc/nginx/sites-available/site1
  • Edit the line "fastcgi_pass unix:/run/php/php7.4-fpm.sock;" to point at the new socket:-
fastcgi_pass unix:/run/php/php7.4-fpm-site1.sock;
  • Alter ownership and permissions of the folder where site1 (WordPress 1) is installed. Adding www-data to group site1 lets Nginx keep serving static files through the group bits; site1 owns everything; directories get 750 so that other site users cannot even traverse the tree; files get 644 (640 would be tighter still, since www-data already has group access and nobody else needs to read wp-config.php):-
sudo usermod -a -G site1 www-data
sudo chown -Rf site1:site1 /var/www/site1/
sudo chmod -R 750 /var/www/site1/
sudo find /var/www/site1/ -type f -exec chmod 644 {} \;
  • Restart PHP-FPM and Nginx. Check both configurations first with php-fpm7.4 -t and nginx -t: a syntax error in one pool file stops PHP-FPM for every site on the server.
service nginx restart
systemctl restart php7.4-fpm.service

Step 2
Repeat the same procedure for site2, site3 and so on, giving each site its own user, group, pool file and socket.

Step 3

Now open the file manager from site1 (WordPress 1) again with the root path set to /var/www.

Site1 can no longer edit site2 and site3, and site2 can no longer edit site1, but each site can still edit its own files. Verify the same from the shell rather than trusting the plugin's listing alone: the site1 user must not be able to read site2's wp-config.php, which holds the database credentials.
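The whole procedure above (Steps 1 to 3) as one bash script. This is an added example and not part of the original post: it renders the pool file and rewrites the fastcgi_pass line as functions that read stdin and write stdout, so they can be checked without touching /etc, then applies them as root and verifies the isolation from the shell. It assumes the post's layout (PHP 7.4 on Debian/Ubuntu, docroots under /var/www/<site>, Nginx running as www-data). Two deliberate departures from the post: the site user is created without a login shell or home directory, and files are set to 640 rather than 644. The --apply flag, the check_isolation function and the environment variables are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): one PHP-FPM pool and system user
# per WordPress site, plus a shell check that the isolation holds.
# Assumes PHP 7.4 on Debian/Ubuntu, docroots under /var/www/<site>, nginx as www-data.
set -eu

PHP_VER="${PHP_VER:-7.4}"
WEBROOT="${WEBROOT:-/var/www}"
POOL_DIR="${POOL_DIR:-/etc/php/${PHP_VER}/fpm/pool.d}"
NGINX_SITES="${NGINX_SITES:-/etc/nginx/sites-available}"

# Render the per-site pool with the post's settings. Workers run as the site
# user; only the socket is owned by www-data so that nginx can connect to it.
render_pool() {
  pool_site="$1"
  cat <<EOF
[${pool_site}]
user = ${pool_site}
group = ${pool_site}
listen = /run/php/php${PHP_VER}-fpm-${pool_site}.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
EOF
}

# Rewrite an existing server block (stdin) so fastcgi_pass points at the
# site's socket (stdout). Lines already pointing at a per-site socket are left alone.
rewrite_fastcgi_pass() {
  fc_site="$1"
  sed -E "s#fastcgi_pass[[:space:]]+unix:/run/php/php${PHP_VER}-fpm\.sock;#fastcgi_pass unix:/run/php/php${PHP_VER}-fpm-${fc_site}.sock;#"
}

# Step 1 for one site: user without shell or home, pool file, nginx upstream,
# ownership and modes. Must run as root.
isolate_site() {
  site="$1"
  docroot="${WEBROOT}/${site}"
  if ! id -u "$site" >/dev/null 2>&1; then
    groupadd "$site"
    useradd -g "$site" -M -s /usr/sbin/nologin "$site"
  fi
  usermod -a -G "$site" www-data          # nginx reads static files via the group bits
  render_pool "$site" > "${POOL_DIR}/${site}.conf"
  rewrite_fastcgi_pass "$site" < "${NGINX_SITES}/${site}" > "${NGINX_SITES}/${site}.new"
  mv "${NGINX_SITES}/${site}.new" "${NGINX_SITES}/${site}"
  chown -R "${site}:${site}" "$docroot"
  find "$docroot" -type d -exec chmod 750 {} +   # other site users cannot traverse the tree
  find "$docroot" -type f -exec chmod 640 {} +   # tighter than the post's 644: 'other' gets nothing
}

# Validate both configs before restarting: one bad pool file stops PHP-FPM for every site.
apply() {
  "php-fpm${PHP_VER}" -t
  nginx -t
  systemctl restart "php${PHP_VER}-fpm"
  systemctl restart nginx                  # restart, so workers pick up www-data's new group
}

# Step 3 from the shell: the user of site A must not be able to read site B's
# wp-config.php (database credentials). Returns 0 only if isolation holds.
check_isolation() {
  src="$1"; dst="$2"
  if sudo -u "$src" test -r "${WEBROOT}/${dst}/wp-config.php"; then
    echo "FAIL: ${src} can read ${dst}/wp-config.php"; return 1
  fi
  echo "OK: ${src} cannot read ${dst}/wp-config.php"
}

# Usage (as root): ./isolate.sh --apply site1 site2 site3
if [ "${1:-}" = "--apply" ]; then
  shift
  for s in "$@"; do isolate_site "$s"; done
  apply
  for a in "$@"; do
    for b in "$@"; do
      [ "$a" = "$b" ] || check_isolation "$a" "$b"
    done
  done
fi
```

Run it once per batch of sites; rerunning is safe because existing users are skipped and the fastcgi_pass rewrite only matches the shared socket. The isolation check is pairwise in both directions, which is the property Step 3 claims: no site user can read another site's configuration, while each still owns its own tree.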

FAQs

I am getting a 502 error. The error log says unix:/run/php/php7.4-fpm-site4.sock failed (2: No such file or directory) while connecting to upstream

  • The pool file for site4 was added but PHP-FPM has not been restarted, so the socket does not exist yet. Check the pool file with php-fpm7.4 -t, then:
    service php7.4-fpm restart

My new site is redirecting to the first one.

  • Nginx is still running the old configuration. Test the new one and restart:
    nginx -t && service nginx restart

Source:- https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04

Hope you find this tutorial helpful.

Thanks and Regards
Rishi
