hardened wordpress linux install

Heavily edited from the above link

How to Harden your Word Press if you’re a server admin

Bear in mind I am not an expert on Word Press nor even a user of it: you will probably not be able to automatically self update word press (which is by default a massive security issue since vulnerabilities today are published in the future by the open source community and easily viewable/used in the future) by using this method and your may or may not be able to install/update plugins and you will not be able to do this at all on Windows Servers.

/ 
The root WordPress directory:

all files should be writeable only by your user account (*not Apache*), except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/ 
The WordPress administration area:

all files should be writeable only by your user account (*not Apache*).

/wp-includes/ 
The bulk of WordPress application logic:

all files should be writeable only by your user account (*not Apache*).

/wp-content/ 
User-supplied content:

intended to be writeable by your user account AND Apache.

Within /wp-content/ you will find:

/wp-content/themes/ 
Theme files.

If you want to use the built-in theme editor, all files need to be writeable by the web server process (Apache). If you do not want to use the built-in theme editor, all files can be writeable only by your user account (*not Apache*).

/wp-content/plugins/ 
Plugin files:

all files should be writeable only by your user account (*Not Apache*).

so the ACTUAL answer on CENTOS is:

do the following substituting mywordpressplace for your word press installation directory, do the commands as root and use root too if you like it won’t matter, the books say you should do the following shell commands in root and then use a 3rd party user as the user in the command line entries below but I think that if you have multiple servers (I have around 40 that I run) and if you have hardened infrastructure it’s probably satisfactory to merely use root for both – so long as you have ssh correctly configured etc etc

# chown -R root:root /var/www/html/mywordpressplace/
# chmod -R 744  /var/www/html/mywordpressplace/
# chown -R apache:root /var/www/html/mywordpressplace/.htaccess
# chown apache:root /var/www/html/mywordpressplace/wp-content/ 
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/themes/
# chown -R apache:root /var/www/html/mywordpressplace/wp-content/plugins/

one last gotcha

the last bit is important – since the wordpress malware that can and does exist often uses php to read/write/traverse your directory to insert code and since apache must be able to read the /var/www/html/ dir you also need to ensure that anything ELSE on that server in /var/www/html/ must ALSO be 

# chown -R root:root /var/www/html/*

What happens is that WordPress malware will traverse the web root dir and inject code (curl() commands usually) into any index.php/default.php files from OTHER sites that are NON word press at all. WordPress can often be the vector for other sites on the vhost

Related Posts:

  1. How to prevent plugin, theme installation failures on WordPress?
  2. What are nulled themes?
  3. Extra themes – ok or bad?
  4. Migrating October CMS to WordPress
  5. During theme installation theme upload failed
  6. wp theme.. Could not create directory
  7. WordPress not displaying themes in the wp-content/themes folder
  8. How to run WordPress from other location on the same domain
  9. Is that a malicious code?
  10. Permissions for installing themes and files in general?
  11. Configure new installed WordPress in live server
  12. Is a very simple theme secure enough?
  13. Installing a theme on localhost, Ubuntu 16.04
  14. Create QuickStart Package for WordPress just like in Joomla
  15. Get WP Install Directory
  16. Error when installing theme – “failed to open stream: No such file or directory in…”
  17. How can i set default pages to a word press theme? it shouldn’t be changed even if i install the theme in different host
  18. WP Snippet to Hide Theme Editor In Dashboard Only Works On LocalHost Site
  19. Is there significant risk in not keeping a theme updated? [closed]
  20. Customized wordpress theme locally put on someones WordPress account
  21. WP-CLI wp theme install url PCLZIP_ERR_BAD_FORMAT (-10) : Unable to find End of Central Dir Record signature
  22. How to display post meta data in secure manner
  23. Unable to access new installed theme
  24. Orion theme (from theme forest) [closed]
  25. Load all files from folder in theme – Security concerns?
  26. I can’t install theme: theme install failed
  27. suspicious boolean.php file in wp web root [closed]
  28. How are my own themes updated?
  29. Theme install failed
  30. Encrypt Password in Configuration Files?
  31. What is the role and history of the $content_width global variable?
  32. Override parent theme translation on child theme
  33. Add a page outside of the current theme?
  34. How to create a live demo page for a theme? [closed]
  35. How to incorporate admin theme in my back-end-plugin
  36. Using chunk theme from wordpress.com on my own host
  37. What is the first file wordpress looks at in a theme?
  38. Duplicate and change a Theme Widget
  39. Two Navigation Menus in Themes Produce the same menus?
  40. Theme not showing after uploading
  41. Being asked to update a theme that I don’t have
  42. I want to run different WordPress websites under the same database
  43. get_template_directory_uri does not seem to work when defining WP_CONTENT_DIR
  44. Using a _GET gives me a debug error (over my head)
  45. How to go about pre generating css file with variables from theme options
  46. How can I create an “excerpt” with text that won’t be displayed in the post itself?
  47. Possible to put header-{your_custom_template}.php in subdirectory?
  48. Why wp_enqueue_style() not working?
  49. 404 Error while accessing the font files
  50. Child Style.css not overriding parent theme style located in assets/css/main.css
  51. Creating a theme options page
  52. OptimizePress Theme Overriding add_filter page_template
  53. How do I change the scan depth for page template files?
  54. Moving test theme to live site without mySQL error – how? [closed]
  55. Apache errors when retrieving taxonomies
  56. wp_get_theme() works fine, but wp_get_themes() returns empty array
  57. Can’t resize logo in responsive theme?
  58. How to display message (with switch_theme hook) after deactivating My theme?
  59. GPL 2 Theme using a framework for commercial Theme?
  60. Using twitter bootstrap in a theme
  61. Featured images, am I missing something?
  62. Is there a way to upgrade a theme without losing custom templates?
  63. It’s okay if I do not write add_action()
  64. Basic Theme for a Static Corporate Website?
  65. SOLVED Custom Add rewrite rule and Get string
  66. Section Background Images?
  67. Theme update deleted my custom page
  68. Homepage showing a simple listing of title, featured image, then posted on
  69. Permissions error
  70. Setting a new default template for the creation of a page
  71. Event Organiser breaks the theme [closed]
  72. How to remove the tripadvisor logo from the wordpress theme?
  73. Can’t see themes for Multi-site wildcard subdomain
  74. Transclude/Import one wordpress page to another
  75. share wrordpress data between two shared hosts using REST API
  76. Video not showing on smaller resolutions
  77. I want to remove part of a header
  78. Moving website from localhost to existing website without altering existing live theme
  79. Default and warning messages & no login
  80. Theme customizer hiding sections
  81. How do I change theme demo [duplicate]
  82. Media previews on posts
  83. Updating theme resets theme options settings and widgets
  84. load language file
  85. Are immediately-called actions not usable in themes?
  86. Where is the stylesheet code?
  87. Add Media + Quick Edit buttons not working
  88. WordPress Theme Problem
  89. What happens to bespoke page template references on theme change?
  90. Stylesheet not being loaded? [closed]
  91. is it possible to create a website with wordpress with these requirements without coading?
  92. Theme making direct ajax calls to theme folder
  93. Where can I decide the number of posts to display on the blog index page?
  94. I need to disable responsive feature of a theme called Meet GavernWP [closed]
  95. how to add dynamic footer credit in Greatmag theme [closed]
  96. Twenty Fifteen Premium Theme [closed]
  97. Can i Remove copyright text wordpress.org theme
  98. Is it possible to dynamically show different themes for different users? [duplicate]
  99. Why does WP theme not look like promoted? [closed]
  100. How do I get rid of the Mindblown and the book recommendations?