How to Run WordPress Securely in a Sandbox Subfolder


Running WordPress in a subfolder like https://example.com/blog can help boost SEO, but it also introduces security concerns. WordPress and its plugins are common attack targets, and hosting them alongside your main website can expose the entire server if compromised.

This article explains how to sandbox WordPress in a secure subfolder using either Nginx or Apache, with separate system permissions and isolated PHP-FPM pools — reducing the risk of your main site being affected.

Why Sandbox WordPress?

WordPress is powerful but also complex and plugin-heavy. If exploited, it can grant attackers access to your web server, especially if everything runs under the same user account. Sandboxing WordPress ensures:

  • Filesystem isolation: WordPress can’t write or read outside its own folder.

  • Process isolation: PHP-FPM runs under a unique user with limited permissions.

  • Better control: Logs, errors, and performance metrics are easier to manage per app.

Prerequisites

  • A Linux server running Nginx or Apache

  • PHP-FPM installed and configured with Unix sockets

  • A dedicated system user (e.g., blog) to isolate WordPress

  • WordPress jailed in a separate subfolder, such as:
    /home/blog/public_html/

Nginx Sandbox Configuration

Place the following configuration blocks before the main site’s location rules to ensure priority handling of /blog requests. This configuration:

  • Caches and serves static files efficiently

  • Uses a dedicated PHP-FPM socket for WordPress

  • Ensures URL rewriting works as expected

[...]

    # Static assets: served directly from disk, long cache lifetime, no logging
    location ~ ^/blog/(.*\.(eot|otf|woff|woff2|ttf|css|svg|webp|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|xls|txt|tar|bmp))$ {
        alias /home/blog/public_html/blog/$1;
        expires 1y;
        log_not_found off;
        access_log off;
    }

    location /blog {
        alias /home/blog/public_html/blog;
        try_files $uri $uri/ @blog;

        # Reject ?author=N requests (WordPress user enumeration)
        if ($args ~ "^author=\d") {
            return 403;
        }

        # PHP is handled only by the dedicated WordPress pool
        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php8.4-fpm.blog.sock;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
        }
    }

    # Fallback: route pretty permalinks through index.php
    location @blog {
        rewrite /blog/(.*)$ /blog/index.php?/$1 last;
    }

[...]

Apache Sandbox Configuration

Insert the Apache configuration before any <Directory> blocks for the main website. This configuration:

  • Maps /blog to its own directory with Alias

  • Uses SetHandler with a separate PHP-FPM socket

  • Maintains strict control over access and overrides

[...]

    # Map /blog to the WordPress user's own directory
    Alias "/blog" "/home/blog/public_html"

    <Directory /home/blog/public_html>
        Options -Indexes +SymLinksIfOwnerMatch
        AllowOverride All
        Require all granted

        # PHP is handled only by the dedicated WordPress pool
        <FilesMatch \.php$>
            SetHandler "proxy:unix:/run/php/php8.4-fpm.blog.sock|fcgi://localhost"
        </FilesMatch>
    </Directory>

[...]

Final Thoughts

By sandboxing WordPress in a subfolder with its own user and PHP-FPM socket, you achieve a strong layer of isolation without losing SEO benefits. This approach is ideal for shared environments or when you want maximum control over what WordPress can and cannot do on your server.


About Olvy (www.olvy.net / www.olvy.eu):

Olvy is a private and independent Limited Liability Company based in Bratislava, Slovakia, in the heart of Europe. We combined our invaluable 20+ years of experience to develop innovative and reliable, lightning-fast and affordable Managed Cloud Hosting services for Everyone. From a small blog to a growing eCommerce – Olvy takes care of your website 24/7.
