This has been fully covered under NGINX and PHP-FPM. What my permissions should be?
Essentially:
- Always have a site-specific user for security purposes, one that, for convenience, is named after your domain name, e.g. for `example.com`, create an `example` user.
- Set up NGINX to be a member of the site-specific user's group:
  `usermod -a -G example nginx`
- Now you can secure things as needed by setting the user chmod bits where PHP needs to read/execute files, and removing the group chmod bits where NGINX does not need access.
With the suggested setup, `chmod 400` for `wp-config.php` will result in read-only access to the configuration, only for the site user (and NGINX won't be able to serve it, which is good).
Regarding where files should be stored
Provided that there are: `nick` (sudo user), and `example` user (site-specific)...:
Website files should either be moved to a user-agnostic location (e.g. under `/var/www/example.com`), or (slightly worse) be put under the website user's homedir, e.g. `/home/example/example.com`.
If you intend to use a single SSH user for connections, you can simply change to a user-specific user at will. E.g. if you prefer to always connect with `nick`, but sometimes work with `example.com`, you would change to the website user by `sudo -iu example`.
Storing website files in the home directory of a sudo-able user doesn't sound secure and is least preferable:
- if the website files are owned by `nick` (and you won't have an `example` user at all), should the website be hacked, they can gain administrative access to the entire server
- if the website files are owned by `example`, the only way it will work is by lowering restrictions on `/home/nick` (from 0700 to 0750, at least).
The FHS-blessed location for served files is actually `/srv/`, which is arguable, but is anyway better than homedirs.
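The permission model in the answer above (files owned by the site user, NGINX added to that user's group, so the owner bits decide what PHP-FPM may read and the group bits decide what NGINX may read or serve) can be checked rather than trusted. The following POSIX shell script is an added example and not part of the original answer: it decodes a 3-digit octal mode into its reader classes, decides whether an nginx process that is a group member but not the owner could read a file, and audits a webroot for a `wp-config.php` that is readable beyond the site user. The file names and the throwaway directory it builds are constructed for the demo; `stat -c '%a'` is the GNU coreutils form (BSD/BusyBox `stat` differs).

```shell
#!/bin/sh
# Added example: audit a webroot against the "site user owns files, nginx is in
# the site group" layout. Paths, file names and modes below are constructed.

# readers MODE -> prints the classes of a 3-digit octal mode that hold the read bit,
# e.g. "owner group" for 640, "owner" for 400, "owner group other" for 644.
readers() {
  m=$(( 0$1 ))                              # leading 0: parse the digits as octal
  out=""
  [ $(( m & 0400 )) -ne 0 ] && out="$out owner"
  [ $(( m & 040 )) -ne 0 ]  && out="$out group"
  [ $(( m & 04 )) -ne 0 ]   && out="$out other"
  printf '%s\n' "${out# }"
}

# nginx_can_read MODE -> exit 0 if a group member that is not the owner (nginx in
# this layout) can read the file, i.e. the group or other read bit is set.
nginx_can_read() {
  m=$(( 0$1 ))
  [ $(( m & 044 )) -ne 0 ]
}

# audit_webroot DIR -> one line per regular file; returns 1 if wp-config.php is
# readable by group or other (meaning nginx could serve the configuration).
audit_webroot() {
  dir=$1
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f")
    case $(basename "$f") in
      wp-config.php)
        if nginx_can_read "$mode"; then
          echo "WARN $f mode $mode: readable beyond the site user"
          rc=1
        else
          echo "ok   $f mode $mode: site user only"
        fi ;;
      *)
        echo "info $f mode $mode: readable by $(readers "$mode")" ;;
    esac
  done
  return $rc
}

# make_demo_root -> builds a temporary webroot mirroring the answer's advice and
# prints its path. Contents are placeholders, not real configuration.
make_demo_root() {
  d=$(mktemp -d)
  echo '<?php echo "hello";' > "$d/index.php"
  echo '<?php define("DB_PASSWORD", "placeholder");' > "$d/wp-config.php"
  echo 'body{}' > "$d/style.css"
  chmod 640 "$d/index.php"      # site user reads/writes; nginx (group) may read
  chmod 400 "$d/wp-config.php"  # site user only; nginx cannot serve it
  chmod 644 "$d/style.css"      # static asset, world-readable is fine
  echo "$d"
}

# Usage: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
  root=$(make_demo_root)
  audit_webroot "$root"
  rm -rf "$root"
fi
```

Run it against a real webroot with `audit_webroot /var/www/example.com` once the functions are sourced; a non-zero exit means the configuration file is group- or world-readable and the `chmod 400` step from the answer has not been applied.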