Re: would it be possible to host a wordpress site using my own vps?

@22
because if someone gets root, it makes it trivial to do anything at all that you can do to your VPS.

If properly secured WordPress gets hacked as non-root, worst that happens is you get some bad content on the site or something.

If WordPress gets hacked as root, worst that happens is your VPS provider bans you because they dragged you into a botnet.  Almost true story: I got shut down for that once, but not banned, fortunately.  Though that VPS did end up getting destroyed because I couldn't get them out (in general, once hacked, permanently hacked).

If I was going to provide security advice here it would be that root is okay if and only if all the following are true:

1. Your ssh keys are all password protected.
2. Nothing on the VPS is used by anyone but you.
3. Nothing on the VPS deals with money in any fashion.
4. The VPS is for exactly one thing, i.e. the WordPress site, and will never, ever be used for anything but that one thing.
5. You've put a firewall on the VPS, from your VPS provider's side, which restricts all outgoing traffic and restricts all incoming traffic to port 80 and 443, which is only ever disabled while you are sshing the VPS for maintenance or deployment.
6. Nothing on the VPS contains personal information of anyone else, i.e. comment systems, e-mails for people from your comment systems, etc.
7. Nothing on the VPS contains an API key that can be used to reach another service, i.e. a Google Cloud service account.
8. Nothing on the VPS is a nicely pre-authenticated CLI to something important, i.e. to your VPS provider, which might be used to do things on your behalf.

It is actually relatively common to run software on VPSs as root, believe it or not, but when you do so you are saying "Okay, I'm fine if everything on this machine gets owned, permanently, forever".  For someone who isn't doing a large cloud deployment, that's usually not actually how you feel about it.

In addition, the above point about firewalls is of critical importance if you want to do this.  Firstly, if you go over your bandwidth caps you will get charged, regardless of whether it was because you were hacked.  But secondly, if you aren't firewalling through the cloud provider and are instead using something on the VPS itself, then when they own WordPress as root they can just issue the commands to turn off the firewall and that's the end of that.

This is really worth learning to do right, and is honestly probably just using the user Apache should have installed for you when you installed it in your configs.  You will need to learn Linux users and permissions very shortly anyway because you'll have to troubleshoot it when you start uploading files, so you might as well do it now.

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
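
An added example, not part of the original post: a check for the root-versus-non-root point above, which flags web server workers that run as root while treating a root master process as normal. The process names (`apache2`, `httpd`, `nginx`, `php-fpm`), the `www-data` user and the sample `ps` listing are assumptions based on common Linux packaging; PHP-FPM is included beyond the Apache case the post names.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input format: "user pid ppid comm", one process per line.
# On a real host:  ps -eo user=,pid=,ppid=,comm= | root_workers

# Constructed sample listing (assumed Debian-style names).
SAMPLE_PS='root 1 0 systemd
root 812 1 apache2
www-data 840 812 apache2
www-data 841 812 apache2
root 1200 1 php-fpm8.2
root 1201 1200 php-fpm8.2'

# Print "pid comm" for every web/PHP worker running as root.
root_workers() {
  awk '
    { user[$2] = $1; ppid[$2] = $3; comm[$2] = $4; order[NR] = $2 }
    END {
      for (i = 1; i <= NR; i++) {
        p = order[i]
        if (comm[p] !~ /^(apache2|httpd|nginx|php-fpm)/) continue
        # The master usually starts as root only to bind ports 80/443 and
        # then hands requests to children. A root child of that master is
        # the process that would execute WordPress code with full privileges.
        if (user[p] == "root" && comm[ppid[p]] == comm[p]) print p, comm[p]
      }
    }'
}

# Return 0 when no worker runs as root, 1 otherwise (findings on stdout).
audit_web_users() {
  found=$(root_workers)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}
```

In the sample, the root `apache2` master (pid 812) is not reported because its workers run as `www-data`; only the PHP worker with pid 1201 is.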