If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Security and Flexibility in WordPress Hosting

Started by vpnyadav, Aug 29, 2023, 06:38 AM


vpnyadav (Topic starter)

I am currently in the process of setting up WordPress on my personal hosting, specifically on a VPS. As the admin, owner, and webmaster of this site, I have noticed that on other people's hosting platforms, the WordPress administrator has the ability to make changes to the theme files (such as the title), install and update plugins, and upload photos. However, on my hosting, these actions can only be performed if I grant write permissions to the user running Apache on certain WordPress directories, including /wp-content/themes/. As someone with sysadmin experience, this approach seems highly insecure to me, unless you are running a web server exclusively for your own site without any shared access.

There is a potential solution to this issue involving suexec PHP, but some claim that it significantly slows down the website, possibly even causing it to crash under heavy load.

I am not aware of any other alternatives. Are there really no other options available? I have friends who work in commercial hosting companies, and they often rely on the reliability of CMS systems like WordPress, which leads to frequent site breakdowns, usually caused by poorly written plugins.

Is the situation truly as dire as it seems?


zOEantisatic

The situation is not as dire as it may seem. While granting write permissions to certain directories like /wp-content/themes/ can pose security risks, there are measures you can take to mitigate these concerns. Here are some options for managing WordPress securely on your hosting platform:

1. Limit file system permissions: Rather than granting broad write access to the Apache user, you can narrow down file system permissions to specific files and directories that require write access. This way, you minimize the attack surface.

2. Use a secure hosting environment: Make sure your VPS is properly secured with firewalls, regular updates, and other security measures. Utilize SSH keys instead of passwords for remote access to enhance security. Keeping your server and software up to date is crucial in mitigating potential vulnerabilities.

3. Implement a backup strategy: Regularly backing up your website's files and database is essential. In the event of an incident, you can quickly restore your site to a working state. Consider using automated backup solutions or plugins that offer such functionality.

4. Use trusted plugins and themes: Be cautious when installing third-party plugins and themes. Stick to reputable sources and regularly update them to ensure you have the latest security patches. Delete unused plugins and themes to reduce potential risk.

5. Employ website monitoring: Utilize monitoring tools to detect any suspicious activities or potential security breaches. This way, you can promptly respond to any potential threats and address them before they cause significant damage.

Regarding the issue of the suexec PHP solution, it's true that it may introduce additional overhead and potentially affect performance under heavy load. However, its impact depends on various factors, including the specific configuration and resources of your VPS. It is recommended to test and benchmark your website's performance after implementing suexec PHP to evaluate any noticeable impact.

In summary, while there are some security concerns associated with granting write permissions to the Apache user, there are steps you can take to enhance the security of your WordPress installation. By combining proper server hardening techniques, cautious plugin and theme management, proactive monitoring, and regular backups, you can maintain a secure WordPress website on your hosting platform.


Here are a few more considerations and additional measures you can take to further enhance the security of your WordPress installation:

1. Implement a Web Application Firewall (WAF): A WAF can provide an additional layer of security by filtering out malicious traffic and protecting against common web application vulnerabilities. There are both cloud-based and server-side WAF solutions available that can help mitigate potential threats.

2. Harden your WordPress installation: Follow WordPress best practices for securing your installation, such as:
  - Keep your WordPress core, themes, and plugins up to date.
  - Use strong, unique passwords for all user accounts, including the administrator account.
  - Remove or disable unnecessary plugins and themes.
  - Restrict file permissions to ensure that only necessary files are writable.
  - Disable file editing through the WordPress dashboard.
  - Enable two-factor authentication for added login security.

3. Utilize a Content Delivery Network (CDN): A CDN can help improve website performance by caching static content and distributing it across multiple servers. Additionally, some CDNs offer security features, such as DDoS protection and web application firewall capabilities, that can help safeguard your site from attacks.

4. Regularly scan for vulnerabilities: Utilize security plugins or online vulnerability scanners to check for any known vulnerabilities in your WordPress installation. Regular scans can help identify and patch potential security issues before they are exploited.

5. Enable security headers: Implementing appropriate security headers in your web server configuration can help protect against certain types of attacks, such as cross-site scripting (XSS) and clickjacking. Key security headers include Content Security Policy (CSP), Strict-Transport-Security (HSTS), and X-XSS-Protection.

6. Monitor and log activity: Enable logging on your server and WordPress installation to track any suspicious activities or unauthorized access attempts. Regularly review the logs to identify potential security concerns and address them promptly.
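Added example (not from any post in this thread) of what "limit file system permissions", "restrict file permissions" and "disable file editing through the dashboard" look like on a VPS when written down as a script. It assumes a layout where a deploy/SFTP user owns the tree and Apache or PHP-FPM reaches it only through its group (www-data on Debian-style systems); the paths, account names and the sample tree are hypothetical and constructed for the demonstration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: lock a WordPress tree down so the
# account Apache/PHP runs as can write only where WordPress needs it.
# Assumed layout: DOCROOT owned by a deploy/SFTP user, with the web server
# getting access only through its group (e.g. www-data). Paths/accounts are
# hypothetical; adjust to your VPS.

# Baseline: deploy user owns everything, web group can read. Only
# wp-content/uploads is group-writable (media uploads at run time).
harden_wp_tree() {
    root=$1 owner=$2 webgroup=$3
    # chown needs root; when run unprivileged (e.g. a dry run) skip it.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$webgroup" "$root"
    fi
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    # wp-config.php carries DB credentials and salts: no world read.
    chmod 0640 "$root/wp-config.php"
    # uploads: group-writable, setgid so new files inherit the web group.
    mkdir -p "$root/wp-content/uploads"
    find "$root/wp-content/uploads" -type d -exec chmod 2775 {} +
    find "$root/wp-content/uploads" -type f -exec chmod 0664 {} +
}

# Open plugins/themes/upgrade for a dashboard update, then run
# harden_wp_tree again once it finishes (or do updates as the deploy user).
open_for_update() {
    root=$1
    for d in plugins themes upgrade; do
        mkdir -p "$root/wp-content/$d"
        find "$root/wp-content/$d" -type d -exec chmod 2775 {} +
        find "$root/wp-content/$d" -type f -exec chmod 0664 {} +
    done
}

# Audit: how many entries outside uploads are group- or world-writable?
# Anything above 0 means the web server account can modify code.
count_writable_outside_uploads() {
    root=$1
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        \( -perm -0020 -o -perm -0002 \) -print | wc -l | tr -d ' '
}

# Turn off the dashboard theme/plugin editor. WordPress only honours the
# constant if it is defined before wp-settings.php is loaded, so insert it
# in front of that require rather than at the end of the file.
disable_dashboard_editing() {
    cfg=$1/wp-config.php
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
    if grep -q 'wp-settings.php' "$cfg"; then
        awk '/wp-settings\.php/ && !done { print "define(\"DISALLOW_FILE_EDIT\", true);"; done=1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'define("DISALLOW_FILE_EDIT", true);\n' >> "$cfg"
    fi
    chmod 0640 "$cfg"
}

# Constructed sample tree (not a real install) for trying the functions.
make_demo_tree() {
    root=$1
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
        "$root/wp-content/themes/demo" "$root/wp-content/plugins/demo" \
        "$root/wp-content/uploads/2023/08"
    : > "$root/index.php"
    printf '<?php\n$table_prefix = "wp_";\nrequire_once ABSPATH . "wp-settings.php";\n' > "$root/wp-config.php"
    : > "$root/wp-content/themes/demo/functions.php"
    : > "$root/wp-content/plugins/demo/demo.php"
    : > "$root/wp-content/uploads/2023/08/photo.jpg"
    chmod -R 0777 "$root"   # deliberately sloppy starting state
}
```

Usage on a real box would be `harden_wp_tree /var/www/site deploy www-data` after every deploy, with `count_writable_outside_uploads /var/www/site` in a cron job as a cheap tripwire: the moment it reports more than 0 outside an update window, something (or someone) has widened the permissions. The open/harden pair is the compromise for dashboard updates when you do not want a separate PHP user per site; the deploy user can also just run the updates itself over SSH, which keeps the web server account read-only permanently.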

swatisharma

Is there any belief that "suexec PHP" significantly slows down the site by 20 times? PHP has three modes of operation:
1. As an apache module (mod_php), where PHP executes from the same user as apache (the original version).
2. In FastCGI mode, where the speed of php-fcgi is not slower than mod_php.
3. In CGI mode, which is slower than mod_php by a factor of 10.

Therefore, suexec can be utilized for both option (3) and option (2). In the case of option (2), where php runs as fastcgi along with suexec, a system can be achieved where each individual site can run under different accounts and permissions, while still operating under the same apache server. Many shared hosting services are organized in this manner.

To achieve this setup, you need apache, suexec, mod_fcgid, and php built with fastcgi support.
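Added example (not from swatisharma's post) of the apache + suexec + mod_fcgid arrangement described above for one site: the per-site FastCGI wrapper that suexec executes as the site's own Unix account, the vhost fragment that ties the two together, and a pre-flight check for the ownership and permission rules suexec enforces before it will run anything (a wrapper that fails them just yields a 500 and a line in suexec.log). The account name site1, the docroot, the php-cgi path and the minimum UID of 1000 are hypothetical; check your build's real values with `suexec -V`.

```shell
#!/bin/sh
# Added example, not from the thread: one site run as its own Unix account
# under Apache + suexec + mod_fcgid, plus a pre-flight check for the rules
# suexec enforces before executing a wrapper. Hypothetical values: site user
# "site1", docroot /var/www/site1, php-cgi at /usr/bin/php-cgi. The wrapper
# must live under the docroot suexec was compiled with (see `suexec -V`).

# Per-site FastCGI wrapper. suexec runs it as the site user and it execs
# php-cgi, so every PHP process (and every file it writes) is that user's.
write_fcgi_wrapper() {
    wrapper=$1 php_cgi=${2:-/usr/bin/php-cgi}
    mkdir -p "$(dirname "$wrapper")"
    chmod 0755 "$(dirname "$wrapper")"   # suexec rejects a writable directory
    cat > "$wrapper" <<EOF
#!/bin/sh
# mod_fcgid manages the process pool itself; just recycle php-cgi after a
# fixed number of requests (keep in step with FcgidMaxRequestsPerProcess).
PHP_FCGI_MAX_REQUESTS=500
export PHP_FCGI_MAX_REQUESTS
exec $php_cgi
EOF
    chmod 0755 "$wrapper"
}

# Apache 2.4 vhost fragment that binds the wrapper to the site user.
print_vhost() {
    user=$1 group=$2 docroot=$3 wrapper=$4
    cat <<EOF
<VirtualHost *:80>
    ServerName ${5:-example.test}
    DocumentRoot $docroot
    SuexecUserGroup $user $group
    <Directory $docroot>
        Options +ExecCGI
        AddHandler fcgid-script .php
        FcgidWrapper $wrapper .php
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# suexec refuses to run anything failing these checks: target user is not
# root and is at or above the compiled-in minimum UID; the wrapper and its
# directory are owned by the target user and group and are not group- or
# world-writable; the wrapper is executable and not setuid/setgid.
suexec_precheck() {
    wrapper=$1 user=$2 group=$3 min_uid=${4:-1000}
    dir=$(dirname "$wrapper")
    [ "$user" != root ] || { echo "refusing root"; return 1; }
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user $user"; return 1; }
    [ "$uid" -ge "$min_uid" ] || { echo "uid $uid below suexec minimum $min_uid"; return 1; }
    for p in "$dir" "$wrapper"; do
        [ -n "$(find "$p" -prune -user "$user" -group "$group" -print)" ] \
            || { echo "$p not owned by $user:$group"; return 1; }
        [ -z "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print)" ] \
            || { echo "$p is group/world writable"; return 1; }
    done
    [ -x "$wrapper" ] || { echo "$wrapper not executable"; return 1; }
    [ -z "$(find "$wrapper" -prune \( -perm -4000 -o -perm -2000 \) -print)" ] \
        || { echo "$wrapper is setuid/setgid"; return 1; }
    return 0
}
```

A typical run on the VPS, as root: `write_fcgi_wrapper /var/www/site1/fcgi-bin/php-fcgi-starter`, `chown -R site1:site1 /var/www/site1/fcgi-bin`, `print_vhost site1 site1 /var/www/site1 /var/www/site1/fcgi-bin/php-fcgi-starter > /etc/apache2/sites-available/site1.conf`, then `suexec_precheck` on the wrapper before reloading Apache. The pre-check exists because every one of those conditions is something people trip over after a careless `chmod -R`, and suexec only tells you in its own log, not in the browser.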

Brijesh

The kind of hosting called shared virtual hosting (not a VPS) can vary significantly from one hoster to another, mainly because of the differing qualifications and practices of their administrators.

For instance, my current website is hosted with a fellow provider where it operates under a distinct user. As a result, I can confidently click the "update WordPress" button, and within a short span of thirty seconds, WordPress will update itself seamlessly.

However, in my previous job at another hosting company, the FTP user and the Apache user belonged to different groups. Consequently, I had to manually download the distribution through FTP and then transfer it to the server.

Chanceplaycle

One viable alternative is to use a combination of SFTP and a version control system like Git. By managing your WordPress files through Git, you can maintain a secure environment while allowing for efficient updates. This way, you can push changes to themes and plugins without needing to grant excessive permissions.

Additionally, consider using a plugin like WP-CLI, which allows you to perform administrative tasks via the command line, minimizing the need for direct file access.
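Added example (not from Chanceplaycle's post) of the Git side of that setup: themes and plugins live in a repository, you push to a bare repository on the VPS, and a post-receive hook checks the tree out into the document root as the deploy user, so the Apache account never needs write access to any code. Because the hook uses `--work-tree`, no `.git` directory ends up under the web root where it could be served. The repository and docroot paths and the sample theme are hypothetical and constructed for the demonstration; the WP-CLI call at the end only runs if `wp` is installed.

```shell
#!/bin/sh
# Added example, not from the thread: push-to-deploy for wp-content via a
# bare Git repository and a post-receive hook run as the deploy user.
# Hypothetical paths: /srv/git/site.git (bare repo), /var/www/site (docroot).

# Bare repository plus a post-receive hook that deploys the "main" branch.
init_deploy_repo() {
    bare=$1 docroot=$2
    git init -q --bare "$bare"
    mkdir -p "$docroot"
    cat > "$bare/hooks/post-receive" <<EOF
#!/bin/sh
# Explicit --git-dir/--work-tree: a bare repository has no work tree, and
# this way no .git directory is created inside the document root.
git --git-dir="$bare" --work-tree="$docroot" checkout -q -f main
EOF
    chmod 0755 "$bare/hooks/post-receive"
}

# The same checkout the hook performs, for manual deploys and rollbacks to
# any ref. Run it as the deploy user, never as the web server account.
deploy_site() {
    bare=$1 docroot=$2 ref=${3:-main}
    git --git-dir="$bare" --work-tree="$docroot" checkout -q -f "$ref"
    # Core is installed separately here; if WP-CLI is present, confirm the
    # core files still match the upstream release after each deploy.
    if command -v wp >/dev/null 2>&1; then
        wp --path="$docroot" core verify-checksums
    fi
}

# A .git directory under the docroot would expose history (and any secrets
# ever committed) to the web; true means the docroot is exposing one.
docroot_exposes_git() {
    [ -e "$1/.git" ]
}

# Constructed sample "developer side" repository with one theme file.
make_demo_source() {
    src=$1
    mkdir -p "$src/wp-content/themes/demo"
    printf '/* Theme Name: demo */\n' > "$src/wp-content/themes/demo/style.css"
    git -C "$src" init -q
    git -C "$src" symbolic-ref HEAD refs/heads/main
    git -C "$src" add -A
    git -C "$src" -c user.name=dev -c user.email=dev@example.test commit -q -m "initial theme"
}
```

On the developer side the remote is just `ssh://deploy@vps/srv/git/site.git`; `git push` then triggers the hook. Uploads are not tracked (add `wp-content/uploads/` to `.gitignore`), so the one directory the web server must write to is untouched by a checkout, and a bad plugin update is a `deploy_site /srv/git/site.git /var/www/site <previous-commit>` away from being rolled back.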

