WordPress’s minimum permission principle will miss headlines in the event of infringement, data loss and DOS attacks. However, this is one of the most effective security best practices for WordPress sites, even if ignored. In this blog post, we first define the minimum permission principle, and then look at the applicable time, place, risks of not adopting it, and why many website developers are still not applicable to WordPress websites. In addition, WordPress will help you improve your website security immediately. This blog post contains several mini case studies to help illustrate its use in a real-world environment.
What is the principle of minimum directory permissions? When and where does the principle of minimum authority apply? What are the risks if POLP is not applicable? Why do many website owners ignore WordPress’s minimum permission principle? How to apply POLP to WordPress, WordPress database user permissions, WordPress user roles and permissions custom roles, generate file and directory permissions, word press plug-in configuration, third-party contractor FTP access, mini case study e-commerce website applications, news websites of universities and educational institutions, blog and bank websites It health and fitness tracking word press and above minimum permission principle what is the principle of using minimum permission? The idea is very simple. Do not grant user accounts, processes, or programs more access than is required to perform the specified operation. Consider editors, authors, contributors and subscribers from the perspective of the ordinary WordPress website where the blog is located. Each of them needs to access the back end of the website to some extent.
The minimum privilege principle (POLP) is also known as the \
When and where does the principle of minimum authority apply? The simple answer is that it applies everywhere, from toddlers who want to climb stairs to users of WordPress hosting accounts. Financial freelancers who need to licenses every month do not need to have the same level of access as website administrators. The same is true for all types of authorized corporate accounts, file management systems, marketing strategy documents, or password administrators. What are the risks if POLP is not applicable? Controlling access to specific areas is not an easy task. Otherwise, does the change of login user completely leave the website? Including users who may make innocent, careless mistakes, do not know their mistakes or unintentional results.
Consider the following possible users: New users start on WordPress with little understanding of the impact of errors on the business. People with little experience in text imprinting management, if they do not know the significance of ing new word press versions or plug-ins at will or updating them without backup first, their security awareness will be limited, and they do not know how to deal with errors or other problems reported by creating new users or changing existing user permissions Post external blog posts (which may include partners, freelancers and clients)
For the press operation, the WordPress database user only needs to have the following permissions to manage data in the database: Select insert delete update. These permissions do not allow WordPress database users to modify the database structure. Suggestion: to enhance the security of WordPress websites or blogs in an ideal environment, you must configure secure and limited WordPress MySQL database permissions. This permission is returned only if you must assign all permissions to users who need to install a new plug-in to create new tables in the database or update WordPress and change the WordPress database schema.
Another suggestion is not to grant related websites access to databases other than the word press database. For more information about WordPress database permissions, please refer to the reasons why MySQL users improve the security of WordPress database permissions, and explain the impact of unsafe configuration. WordPress user roles and permissions WordPress users will make errors. Even administrators. Users also like to browse settings and configurations. If users are assigned super administrator or administrator access rights, curious users are likely to install any plug-ins. This can lead to unexpected changes in the user experience, such as changes in website features. WordPress has functions associated with multiple built-in user roles, as listed below (most are minimum): Top Administrator – site network administrator – site network administrator of a single site edit – author of managing and publishing posts (including posts of other users) – managing and publishing your own posts and publishers – creating and managing your own posts, but not publishing them. Manage subscribers only – manage profiles only. One way this actually works is that participants and authors can share certain functions (such as editing and deleting posts), but participants cannot do anything the author can do, such as uploading files or creating available blocks. Creating custom roles there are also many plug-ins available to create new custom word press roles. Here are some typical use cases: Larger organizations may need to appoint someone in the marketing team to review, approve and respond to comments. \
Directory permissions file and directory permissions are easy to configure. There are many online documents on how to enhance WordPress installation permissions. WordPress runs on all operating systems (usually Linux) running PHP. In terms of groups, Linux has three permission groups. Owner – the owner group of a file \/ directory whose permissions do not apply or affect other users – the user group assigned access to the file \/ directory, which does not apply or affect users outside the group. Other – the level of authority that all others have on the same file \/ directory, which is read (view content), write (write or modify content), or execute (execute script, etc.). These permissions are stored as a series of numbers that provide access to PHP code, images and other media, HTML and JavaScript files, and plug-ins. Assigning the wrong permissions to the wrong permission group means that malicious hackers may maliciously use these permissions, resulting in an unacceptable risk of low-level vulnerability. It is recommended that when installing WordPress, you should also use POLP to configure the minimum file and directory permissions that WordPress can work. Enhancing file and directory permissions may prevent some word press plug-ins from working. As mentioned earlier, you may be installing plug-ins that need to store data in the installation directory. If yes, please do not configure 777 permissions for the plug-in directory (full read, write and execute for all people with control permissions). That’s an easy exit. However, you should also avoid restricting relevant users from updating word press, themes and plug-ins in the Web UI. For more information, see WordPress file permissions: a guide to configuring permissions for secure websites and web servers. WordPress plug-in configuration is not equal for all administrators. As with many systems and networks, there are usually boot administrators between word press administrator groups. Typically, site owners have no options other than assigning administrator access to other users. For WordPress security plug-ins, administrators can usually save sensitive data, such as accessible WordPress security audit logs. It is recommended that WordPress security plug-ins generally restrict access to other WordPress administrators. Using these functions looks like widgets that help better manage user access, but they are sometimes ignored. For more information about individual plug-ins, contact your plug-in support and hosting provider. Then ask the plug-in to write to the directory. Then you can configure the permissions of the directory. You can hire an FTP access designer for third-party contractors, or grant full access to the root directory of the website when the plug-in support team needs FTP access to the website. Yeah. This is unnecessary. For the suggestion designer, only the directory in the theme needs access, so please restrict access to that directory. The same applies to plug-in support teams. If you need access to view the log file, grant the plug-in directory or FTP access to the location where the log file is stored. Do not rely on external personnel to perform security checks. Mini case study how this actually works, let’s look at a few related examples to understand how to apply POLP so that access control issues and decisions can have the right access to the right team and individuals. E-commerce website application consumers buy high priced goods such as refrigerators freezers, vacuum cleaners, cameras or laptops
What data will you share (name, profile image and average daily steps only?) Some are not clear enough. What information and how much information do other users need to access in order to make the regular Gamification functions of these tools easier? Should developers set all access rights or assign part of this decision to users? Using the minimum permission principle of WordPress and above, the above content is only one of the most common schemes. Although the minimum permission principle of WordPress is often ignored, it is easy to apply. To start adopting POLP, start by considering what you want to do with: Don’t be ashamed to apply the minimum permission principle because the web server database customization date can’t be solved immediately. Yes, in most cases, it takes hours to configure custom user roles and solve plug-in problems. Long term investment in WordPress website security.
