
How to jail WordPress directory inside Magento directory?

Goal: We have a Magento installation which contains a lot of sensitive data. We're looking to host a WordPress installation.

Problem: Since we're installing third-party modules on WordPress, we don't want any security issues in WordPress to be able to compromise Magento.

I've spoken to a couple of my friends, and also had a think back to how it's been implemented in the past, but I wanted another opinion.

Since the wordpress directory will reside inside of the magento directory, would it be sufficient to chown the files inside of wordpress to a new user ("user-wp"), and then to chroot the user-wp user to the wordpress directory? Magento would then still have access to all of the WordPress files, but not vice-versa.

Any other suggestions on how to go about implementing this would be more than appreciated! Somebody also suggested configuring a separate vhost.

Using a subdomain like blog.site.com would probably be the easiest way to set this up. All you would have to do is add a new VHost for the WordPress installation.

I don't think chrooting would provide much security. You may also run into WordPress plugin issues with such a configuration.

The setup is tricky. You would have to go and modify the PHP-FPM process pool and the users it runs as. Then assign one pool to Magento and another to WordPress. Additionally, you will also want to serve static assets & uploads from the web server itself.

And when you change this config, you have to retest your Magento install to make sure you didn't break anything accidentally.

Too much hassle, just use the subdomain. :)
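
The separate-pool setup the answer describes, as an added example that is not part of the original post: two constructed PHP-FPM pool files and a check that the WordPress pool has its own user, its own socket and an `open_basedir` that stays out of Magento. The pool names, `user-magento`, all paths and the use of `open_basedir` are assumptions; only `user-wp` comes from the question.

```sh
#!/bin/sh
# Added example. Pool names, users and paths below are constructed assumptions.

# Write two sample PHP-FPM pool files into directory $1.
write_sample_pools() {
  cat > "$1/magento.conf" <<'EOF'
[magento]
user = user-magento
group = user-magento
listen = /run/php/magento.sock
php_admin_value[open_basedir] = /var/www/magento:/tmp/magento
EOF
  cat > "$1/wordpress.conf" <<'EOF'
[wordpress]
user = user-wp
group = user-wp
listen = /run/php/wordpress.sock
php_admin_value[open_basedir] = /var/www/magento/wordpress:/tmp/wp
EOF
}

# Print the value of directive $2 from pool file $1.
pool_get() {
  awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# $1 = Magento pool file, $2 = WordPress pool file, $3 = Magento root, $4 = WordPress root.
# Exits 0 when the WordPress pool is kept away from Magento code, else prints the reason.
audit_pools() (
  set -f; IFS=:
  mu=$(pool_get "$1" user); wu=$(pool_get "$2" user)
  { [ -n "$wu" ] && [ "$wu" != "$mu" ]; } || { echo "pools share a user"; exit 1; }
  [ "$(pool_get "$1" listen)" != "$(pool_get "$2" listen)" ] || { echo "pools share a socket"; exit 1; }
  base=$(pool_get "$2" 'php_admin_value[open_basedir]')
  [ -n "$base" ] || { echo "WordPress pool has no open_basedir"; exit 1; }
  for entry in $base; do
    entry=${entry%/}
    # An entry equal to or above the Magento root exposes all of Magento.
    case "$3/" in "$entry"/*) echo "open_basedir '$entry' exposes Magento"; exit 1 ;; esac
    case "$entry/" in
      "$4"/*) ;;  # inside the WordPress tree
      "$3"/*) echo "open_basedir '$entry' is inside Magento"; exit 1 ;;
    esac
  done
  exit 0
)

dir=$(mktemp -d) && write_sample_pools "$dir"
audit_pools "$dir/magento.conf" "$dir/wordpress.conf" /var/www/magento /var/www/magento/wordpress \
  && echo "WordPress pool is isolated from Magento"
```

The Unix user is the actual boundary here, so the Magento files also need ownership and modes that deny `user-wp` read access; `open_basedir` only narrows what PHP code in the WordPress pool will open.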

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.