Why Read-Only filesystem for WordPress is important to security


Almost all the hacks for WordPress revolve around writing some code to the server, and then using a URL to run the code.

The hacker exploits some weakness in code already deployed on your server. The main job is to upload more code. Once the extra code is uploaded it is executed, and the hacker can do whatever they like, including uploading more code that can do more hacking.

A normal WordPress install needs the web server (Apache or nginx) to be able to write and modify files. When a plugin is installed, it needs to be written to the filesystem by the web server. If you take notice, installing a plugin is a bit like a hack getting installed.

So the struggle in running WordPress securely long term is having enough access to run WordPress upgrades and plugins, and enough security to stop hackers. Long term, how are you going to guarantee you keep plugins and the WordPress install up to date? That brings a whole lot of other issues. Even up-to-date plugins can be hacked.

What if we totally disabled writing to the filesystem? WordPress wouldn’t be able to install any hacks. Woohoo!!! wpDone mounts the hard disk as read-only, so not even the web server, or root, can write to WordPress. How is the hacker going to get a toehold into your server now? The hackers will have no chance.

The idea is that a hack attempt gets to crash into all our layers of security, and if it gets through all those, then the final line of defense is to disallow any permanent writes to the disk. The Linux kernel becomes part of our security, disallowing disk writes.

We are investigating ways to use this strategy for the MySQL database as well, with a read-only database server. We already have MySQL read-only slave replicas. But there are some other issues we need to untangle.

But how about plugins, WordPress updates, wp-cron tasks etc.? Well, wpDone has 2 strategies to deal with that.

  • Firstly, we have a separate staging server that you can use. You can install plugins and upgrade WordPress on the staging server. Once you are happy with the staging server, you can push your changes to the production server cluster.
  • You can also use the WordPress admin console to make changes. ‘But it’s read-only, isn’t it?’ Well, for any /wp-admin/ URL we request a second password from the user and redirect to the production admin server, which does have read/write privileges.

More technical details, for the Linux minded

  • We are using a bind mount, which is read-only, on the production web servers.
  • /wp-admin/ and /wp-cron/ are redirected on the load balancer to a protected admin web server that does have read/write capability.
  • The load balancer has a separate basic web challenge password. At some stage we might put the admin web server behind an SSL-based VPN.
  • Currently the staging server is on cPanel/WHM. It’s likely we’ll lock this behind an SSL VPN soon as well.
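
One way to confirm the read-only bind mount from the first point is actually in force on a web node. This is an added example, not wpDone's own tooling; the paths `/srv/wp-src` and `/var/www/wordpress`, the function names and the sample mount table are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not wpDone's tooling): check that a path sits on a read-only mount.
# Assumed setup on a web node, run as root (both paths are hypothetical):
#   mount --bind /srv/wp-src /var/www/wordpress
#   mount -o remount,bind,ro /var/www/wordpress

# mount_flags PATH [MOUNTINFO]: print the per-mount options (field 6) of the
# mount covering PATH, i.e. the longest mount point that is PATH or a parent of it.
# Simplifications: a later line wins on a tie; escaped mount points (\040) are not decoded.
mount_flags() {
    awk -v p="$1" '
        {
            mp = $5
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $6 }
        }
        END { if (opts == "") exit 1; print opts }
    ' "${2:-/proc/self/mountinfo}"
}

# is_readonly PATH [MOUNTINFO]: 0 = read-only, 1 = writable, 2 = no covering mount.
is_readonly() {
    flags=$(mount_flags "$1" "$2") || return 2
    case ",$flags," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample in /proc/self/mountinfo format. Line 41 is a read-only bind
# mount: field 6 says "ro" while the superblock options after "-" are still "rw".
# Line 42 is a writable tmpfs nested inside the docroot, which the check must flag.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
41 22 8:1 /srv/wp-src /var/www/wordpress ro,relatime - ext4 /dev/sda1 rw
42 41 0:35 / /var/www/wordpress/wp-content/cache rw,nosuid - tmpfs tmpfs rw
EOF
}

# Stand-alone use: ./check_ro.sh /var/www/wordpress
if [ $# -gt 0 ]; then
    if is_readonly "$1"; then echo "$1: read-only"; else echo "$1: NOT read-only"; fi
fi
```

The kernel enforces the `ro` flag on every write through that mount, but a process holding CAP_SYS_ADMIN can remount it read-write, so running this check from monitoring catches a docroot that has quietly become writable again.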

 

December 15th, 2015
