Recommended WordPress MySQL Permissions

Just upgrading WordPress because of yet another security scare

Here are 4 things you can do to improve the security of your WordPress blog:

1) For some reason, the WordPress documentation recommends that the WordPress MySQL user get GRANT ALL PRIVILEGES, but that’s a bad idea: a fully privileged MySQL user can not only drop databases, but also read and write files on the database server’s disk (the FILE privilege).

After running the WordPress post-installation upgrade.php script and installing your plugins, this drastically more limited GRANT works fine, assuming your database and userid are both named ‘wordpress’ and your WordPress MySQL password is ‘newpassword’:


mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wordpress'@'localhost';
mysql> GRANT SELECT, INSERT, UPDATE ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'newpassword';
mysql> FLUSH PRIVILEGES;

Then update wordpress/wp-config.php with the userid and newpassword.

(Generally speaking, only the MySQL userid 'root' needs 'Y's in the mysql.user table. All other accounts can usually run with 3 or 4 'Y's in the mysql.db table. So SELECT * FROM mysql.user WHERE user != 'root'; should be a sea of 'N's only.)

Use the SHOW GRANTS command to see the current settings:


mysql> SHOW GRANTS FOR 'wordpress'@'localhost';
+---------------------------------------------------------------------------------+
| Grants for wordpress@localhost                                                  |
+---------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'wordpress'@'localhost' IDENTIFIED BY PASSWORD '*hashed*' |
| GRANT SELECT, INSERT, UPDATE ON `wordpress`.* TO 'wordpress'@'localhost'        |
+---------------------------------------------------------------------------------+
2 rows in set (0.02 sec)
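The same least-privilege setup, written out as an added example for current MySQL and MariaDB releases (this is not the post’s own SQL): on those versions GRANT no longer accepts IDENTIFIED BY, so the account is created first and privileges are granted separately. It also adds the two refinements raised in the comments (DELETE for day-to-day operation, and a temporary upgrade-time grant that is revoked afterwards) plus audit queries that check the “sea of N’s” rule through information_schema. Assumptions: the database and account are both named wordpress, the web server connects from localhost, and the password is a placeholder you replace before running.

```sql
-- Added example, not from the original post. Assumes database and
-- account 'wordpress', connections from localhost, and a placeholder
-- password (replace before running).

-- 1. Create the account separately (GRANT ... IDENTIFIED BY is gone in
--    MySQL 8.0; CREATE USER works on MySQL 5.7+ and MariaDB as well).
CREATE USER IF NOT EXISTS 'wordpress'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 2. Start from zero: strip anything the account was given earlier,
--    including any leftover GRANT OPTION.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wordpress'@'localhost';

-- 3. Day-to-day privileges, scoped to the one database only.
--    DELETE is included because comment 5 below reports that WordPress
--    needs it (removing comments and spam); drop it from this list if
--    you want the post's original three and accept those failures.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON wordpress.* TO 'wordpress'@'localhost';

-- 4. Upgrade window only (comments 1 and 4): core and plugin upgrades
--    create and alter tables. Grant immediately before the upgrade and
--    revoke immediately after; never leave these in place.
GRANT CREATE, ALTER, DROP, INDEX
    ON wordpress.* TO 'wordpress'@'localhost';
-- ... run the WordPress / plugin upgrade here ...
REVOKE CREATE, ALTER, DROP, INDEX
    ON wordpress.* FROM 'wordpress'@'localhost';

-- 5. Audit: any non-root account holding a global privilege other than
--    USAGE is over-privileged. This is the post's mysql.user check done
--    through information_schema so the column layout does not matter.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE <> 'USAGE'
   AND GRANTEE NOT LIKE "'root'@%";

-- 6. Audit: the per-database privileges of the WordPress account should
--    be exactly the set granted in step 3 and nothing from step 4.
SELECT GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE GRANTEE = "'wordpress'@'localhost'"
 ORDER BY PRIVILEGE_TYPE;

-- 7. Audit: FILE is the global privilege that lets a MySQL account read
--    and write files on the server, the post's main reason for avoiding
--    ALL PRIVILEGES. No non-root account should hold it.
SELECT User, Host
  FROM mysql.user
 WHERE File_priv = 'Y' AND User <> 'root';
```

Queries 5 and 7 should return no rows on a correctly locked-down server; query 6 should list only SELECT, INSERT, UPDATE and DELETE for the wordpress account. FLUSH PRIVILEGES is not needed after GRANT and REVOKE statements (they update the in-memory grant tables themselves); it only matters when the mysql.* tables are edited directly.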

2) You can disable the WordPress banner in content headers by setting $gen = ''; in
wordpress/wp-includes/general-template.php::get_the_generator()

3) The WordPress PHP files should not be owned by the web server process. Fix that with:


chown -R root:root wordpress/

4) Update your WordPress installation as frequently as necessary.

Doug’s Blog: Checking Your WordPress Security
wordpress.org: How to Keep WordPress Secure
wordpress.org: Security Category Archive
wordpress.org: Hardening WordPress

This entry was posted in Tech. Bookmark the permalink.

6 Responses to Recommended WordPress MySQL Permissions

  1. James, good suggestion. I personally didn’t like the idea of granting all permissions when it really only needs the 4 you mentioned. That’s how I came across your post since I wanted to give it as limited permission as necessary.

    But I also see a problem with leaving only those 4 permissions for a client’s WordPress. Create and Alter are likely to be used in WordPress upgrades as well as in some of the installs/upgrades of plugins that create their own data types and tables. Uninstallations of those above mentioned plugins will require Drop access, but that can be manually done with PHPMyAdmin for most users.

    For letting clients upgrade their own WordPress blogs, I would also not recommend chown root on the WordPress folder. Updates could fail midway, which could be a mess to clean up. You have folders in there that have files that need to be updated. Themes and Uploads, for example.

  2. Hi Sean.

    I think you’re missing the point.

    If one can’t trust WordPress, then the minimal permissions I defined are necessary to secure your system.

    Naturally, that’s inconvenient to end-users.

    The alternative to what I have done is to host my blog with wordpress.com and let them deal with the security issues.

    James.

  3. Interesting and I agree in theory, but I’m not sure that the current WP version will work fine if I don’t grant it all privileges. Greetings from Italy, Salvatore

  4. WP works fine with minimal privileges (I’ve been doing it for years), but you may need to restore more privileges during the upgrade process only.

  5. J says:

    I fixed an installation that had grants set up like this – probably on the advice of this page. If anybody got here after googling:

    WordPress needs to DELETE.

    Preventing DELETEs doesn’t offer any additional security if you then allow UPDATEs, which could just set every field of every row to nulls anyway.

    Also, if your admins can’t delete comments, or spam, and/or akismet never stops squawking even after you restored connectivity/updated the key – this is your problem.

  6. Jonay says:

    Well, you can always create two users, one to update, change and everything, and another one to do the basic stuff, so every time you have to update your WordPress or plugins, via FTP, SSH, etc., you change the config file and change it back when you finish :-)
