[wp-hackers] Security in wordpress

Otto otto at ottodestruct.com
Fri May 7 14:56:19 UTC 2010

On Fri, May 7, 2010 at 9:42 AM, Marko Heijnen <mailing at markoheijnen.nl> wrote:
> It simply doesn't matter who ownes it because most host apache runs under
> his own user.

The goal is not to run Apache as a different user, but to run PHP as a
different user. Apache can run as whoever you want it to, that bit is

> I think most host don't use suphp because it probably cost extra memory
> since the apache process runs for an specific user.

Any shared host not using a setuid method for executing scripts is
inherently insecure. An intrusion into the system via a shoddy script
will give the attacker the credentials of the php process (which will
be the same as that of apache), and thus read-access to all files
being served by the webserver, for all users.

Most shared hosts I've seen use a combination of Apache, FastCGI, and
suEXEC. This lets the spawned CGI process run as the owner of the file
in question. Thus, Apache can run as nobody, but the spawned php
process would run as "otto" and thus somebody breaking in would only
have otto's credentials. The only person compromised would be that one
user, not all users on the server.

There's plenty of HOWTO guides on the web as to how to set this sort
of thing up properly.


More information about the wp-hackers mailing list