Help Me, Geek Force Alpha— Server Issues
May 4, 2006 12:54 PM

Website/Weblog/Apache/Chroot/mod_rewrite Wordpress? I've been hired to create website content for a record store. That's turned into also being in charge of the website creation/management. They already have hosting, a virtual server that uses chroot to keep separate clients separate. I had hoped to use Wordpress, and the guys who hired me want something that looks bloggish, even while maintaining their eBay store as the ecommerce backend (posts/album descriptions with samples would link to eBay auctions). The problem is that Wordpress needs to use mod_rewrite access (in Apache) to create permalinks when content is added (through .htaccess), and the host has said that mod_rewrite is a security risk for the rest of his clients unless we go for dedicated hosting. He's talked about using read/write permissions access to circumvent the need for .htaccess.

I'm out of my depth a bit here, having previously only done a little bit of bug fixing on plone and drupal (the extent of my server-side knowledge), under the fantastic tech-head supervision of a pal of mine. Since he's not available, I'm asking you:
Is .htaccess necessary for Wordpress to function? Can it be run on a chroot-ed virtual server? Am I even using these words correctly? What would you suggest to solve the problem? What should I be looking up to learn enough about this to handle some of it myself? How common is the problem that I'm facing? What should I tell the guy who's handling our hosting?
posted by klangklangston to Computers & Internet (13 answers total)
 
I was under the very good impression that mod_rewrite is NOT a security risk...
posted by maxpower at 12:59 PM on May 4, 2006


Response by poster: He was saying that mod_rewrite access would allow people to change settings on any of the other clients that were hosted on the same machine. Though, again, I'm out of my depth and had to just go with what he was saying...
posted by klangklangston at 1:02 PM on May 4, 2006


Lots of hosting services let you use mod_rewrite. Perhaps some aspect of the way this server is set up creates a security risk—I don't know enough about it to say.

"What should I tell the guy who's handling our hosting?"

Tell him "we'll find a better host, thank you." Web hosting is cheap, and mod_rewrite (plus lots of other goodies) is widely available.
posted by adamrice at 1:13 PM on May 4, 2006


That's weird. I've been on plenty of shared hosts where mod_rewrite is allowed; if it's allowed for that kind of environment, why would it be riskier in a chrooted environment? I think they just want to make you upgrade to a dedi.
posted by evariste at 1:13 PM on May 4, 2006


"He was saying that mod_rewrite access would allow people to change settings on any of the other clients that were hosted on the same machine."

He was saying that if he lets you have access to rewrite your URLs, then you could rewrite other clients' URLs?

Surely that just means he should install it but only have access himself? It's not like WordPress needs to create a new rule every time you post, is it? Just one general rule, surely?

Mind you, I wasn't aware it was a requirement for WordPress. That part sounds strange to me.
posted by AmbroseChapel at 1:32 PM on May 4, 2006


No suggestions about Wordpress, but I can explain where mod_rewrite would be a security issue.

The RewriteMap directive allows you to define a mapping "function" that maps one value to another in your rewrite rules. Your map can be a text file, a dbm file, an internal function, or (drum roll please) an external program. This program would be executed as the server user so you could (potentially) stomp all over everyone's setup. Also, because it processes external data, a poorly written mapping program could be remotely exploitable.

Because of the dangers, this directive is only valid inside the main section and virtual hosts. Hence, I imagine, the restriction.
posted by sbutler at 1:45 PM on May 4, 2006
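
Added example (not part of the thread, and not code from Apache or the host): a small audit a host could run over its Apache configuration to list every RewriteMap, mark the external-program (`prg:`) maps the answer above describes, and catch any map defined outside the main section or a virtual host. The sample configuration, its paths and host name, and the function name `audit_rewrite_maps` are constructed for illustration.

```python
import re

# Constructed sample config for illustration; hosts and paths are placeholders.
SAMPLE_CONF = """\
RewriteMap lower int:tolower
<VirtualHost *:80>
    ServerName client-a.example
    RewriteMap lookup "prg:/usr/local/bin/map.pl"
    RewriteMap vanity txt:/etc/apache2/maps/vanity.txt
</VirtualHost>
<Directory /var/www/client-b>
    AllowOverride FileInfo
    RewriteMap old prg:/usr/local/bin/old.pl
</Directory>
"""

SECTION_OPEN = re.compile(r"^<(\w+)\b[^>]*>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
MAP_CONTEXTS = {"main", "VirtualHost"}  # where RewriteMap may be defined

def audit_rewrite_maps(conf_text):
    """Return (line_no, context, map_name, map_type, issue) per RewriteMap."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        # Naive tokenizer: quoted values containing spaces are not handled.
        tokens = [t.strip('"') for t in line.split()]
        if len(tokens) < 3 or tokens[0].lower() != "rewritemap":
            continue
        # <IfModule>/<IfDefine> wrappers do not change the directive context.
        context = next((s for s in reversed(stack) if not s.startswith("If")), "main")
        map_type = tokens[2].split(":", 1)[0].lower()
        issue = None
        if context not in MAP_CONTEXTS:
            issue = "invalid-context"   # Apache rejects RewriteMap here
        elif map_type == "prg":
            issue = "external-program"  # runs as the server user: review it
        findings.append((line_no, context, tokens[1], map_type, issue))
    return findings
```

Because RewriteMap cannot be defined from a per-directory context, the `prg:` maps worth reviewing are the ones the host's own configuration defines.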


mod_rewrite isn't a requirement for WordPress, but it is a requirement if you want permalinks that make sense. id=6 vs /mystory/goeshere/. I'd find a better host.
posted by maxpower at 2:02 PM on May 4, 2006


Best answer: Ditto on finding a better host. So many hosts allow the use of mod_rewrite that I can't imagine it being a very big security issue.

However, should switching hosts not be an option, you should be able to use Wordpress without mod_rewrite in one of two ways. The first is to go to Options/Permalinks and use the Default mode (links that look like http://www.blahblahblah.com/?p=123). This is inelegant but requires absolutely no mod_rewrite capabilities.

Another option, which I have not actually tested myself, is to try using a custom permalink structure involving the index.php file, such as /index.php/%year%/%monthnum%/%day%/%postname%/ —the idea is that the webserver will attempt to load index.php, and pass the following parts of the URI to Wordpress, which will take it from there.
posted by chrominance at 2:32 PM on May 4, 2006
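
Added example (not part of the thread, and not WordPress's own code): a sketch of why the `/index.php/...` structure above needs no rewrite rules. The web server itself splits the request into the script and the trailing path information, and the application matches that remainder against the structure. The tag patterns and function names are simplified assumptions, and the sample paths are constructed.

```python
import re

# Simplified patterns for the structure tags named in the answer above;
# an assumption for illustration, not WordPress's own rewrite code.
TAG_PATTERNS = {
    "%year%": r"(?P<year>\d{4})",
    "%monthnum%": r"(?P<monthnum>\d{2})",
    "%day%": r"(?P<day>\d{2})",
    "%postname%": r"(?P<postname>[^/]+)",
}
STRUCTURE = "/index.php/%year%/%monthnum%/%day%/%postname%/"

def split_path_info(request_path, script="/index.php"):
    """Mimic the server splitting /index.php/a/b into script + PATH_INFO."""
    if request_path == script:
        return script, ""
    if request_path.startswith(script + "/"):
        return script, request_path[len(script):]
    return None, request_path  # no script in the path: nothing to run

def compile_structure(structure, script="/index.php"):
    """Turn a permalink structure into a regex over PATH_INFO."""
    if not structure.startswith(script + "/"):
        raise ValueError("structure must start with the script name")
    rest = structure[len(script):].rstrip("/")
    parts = re.split(r"(%\w+%)", rest)
    pattern = "".join(TAG_PATTERNS.get(p) or re.escape(p) for p in parts)
    return re.compile("^" + pattern + "/?$")

def resolve(request_path, structure=STRUCTURE):
    """Return the matched permalink fields, or None if the path cannot route."""
    script, path_info = split_path_info(request_path)
    if script is None:
        return None  # a path without index.php needs a rewrite rule to get here
    match = compile_structure(structure).match(path_info)
    return match.groupdict() if match else None
```

On Apache, whether the trailing path after `index.php` is accepted at all is governed by the `AcceptPathInfo` setting.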


Response by poster: Chrominance— I saw that in the Wordpress support pages, and I think I may end up advising that. If the addresses are ugly, it becomes a pain for people to use, but the PHP solution looks fairly elegant.
posted by klangklangston at 2:35 PM on May 4, 2006


Can you do some kind of redirect script that sends a 301 (or is it 303?) code forwarding to the correct link?
posted by ao4047 at 3:24 PM on May 4, 2006


Response by poster: I'd assume so, but I worry that it would have to be written manually, like each page getting its own "this redirects to this" thing, and that would seem cumbersome after a while.
posted by klangklangston at 4:59 PM on May 4, 2006


If you're not committed to using WordPress, Movable Type can give you attractive URLs without requiring mod_rewrite to be enabled.
posted by anildash at 10:05 PM on May 5, 2006


Response by poster: Movable Type is what I wanted to use when I was starting out, but the licensing fees are too high for a small business with limited cash flow, and I like the open-source community's ability to handle problems.
posted by klangklangston at 7:42 AM on May 6, 2006

