Am 02.12.2017 um 14:27 schrieb Nicolas Kovacs info@microlinux.fr:
Le 02/12/2017 à 14:19, Leon Fauster a écrit :
I would build a rpm package of wordpress (everything can be defined there like permissions etc)
The initial question was: WHAT permissions?
The application design should have considered security best practices. I do not known WP but check their sites. So, following the "need to write" requirement, its a good decision (yours) to allow only the minimum. "Normally" such space should be outside of the "document root" of the hosting.
and disabling the automatic update
function in wordpress. Build once it can be installed on all (two dozen) webservers automagically (local yum repository) ... externe
That would mean one package per Wordpress, since I don't have only one Wordpress installation per server. Not a solution.
All installations should have the same base (normally the latest WP release) - so, to be clear one package for all. This has nothing to do with different content or themes.
I other words, if security is your focus then the process is the target of your effort.
Its just my suggestion ...
-- LF