Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour

[Raffaele Morelli <raffaele.morelli@gmail.com>]

2013/12/14 Lukasz Szybalski <szybalski@gmail.com>

Thanks for the feedback. I did check with other production sites I run, and most of them are owned by root. I have to test to see "if you want to use the "wordpress" to upload a theme using the site UI", I think you might be forced to have the www-data own and being able to write to theme folder. If you don't you would have to sftp the theme there and unzip it manually.

root should not own files served by apache for any reason, that's really "dangerous"!

you should never do that...

about uploading, if you are self hosting,  vsftpd allows to chroot users and assign a default permission to uploaded files, no need for sftp.

/r