Correct file permissions for WordPress

Question

I ve had a look over here but didn t find any details on the best file permissions   I also took a look at some of WordPress s form s questions over here too but anybody that suggests 777 obviously needs a little lesson in security   In short my question is this   What permissions should I have for the following    root folder storing all the WordPress content wp-admin wp-content wp-includes   and then all the files in each of those folders

User · Answer

It actually depends on the plugins you plan to use as some plugins change the root document of the wordpress. but generally I recommend something like this for the wordpress directory.

This will assign the "root" (or whatever the user you are using) as the user in every single file/folder, R means recursive, so it just doesn't stop at the "html" folder. if you didn't use R, then it only applicable to the "html" directory.

sudo chown -R root:www-data /var/www/html

This will set the owner/group of "wp-content" to "www-data" and thus allowing the web server to install the plugins through the admin panel.

chown -R www-data:www-data /var/www/html/wp-content

This will set the permission of every single file in "html" folder (Including files in subdirectories) to 644, so outside people can't execute any file, modify any file, group can't execute any file, modify any file and only the user is allowed to modify/read files, but still even the user can't execute any file. This is important because it prevents any kind of execution in "html" folder, also since the owner of the html folder and all other folders except the wp-content folder are "root" (or your user), the www-data can't modify any file outside of the wp-content folder, so even if there is any vulnerability in the web server, and if someone accessed to the site unauthorizedly, they can't delete the main site except the plugins.

sudo find /var/www/html -type f -exec chmod 644 {} +

This will restrict the permission of accessing to "wp-config.php" to user/group with rw-r----- these permissions.

chmod 640 /var/www/html/wp-config.php

And if a plugin or update complained it can't update, then access to the SSH and use this command, and grant the temporary permission to "www-data" (web server) to update/install through the admin panel, and then revert back to the "root" or your user once it's completed.

chown -R www-data /var/www/html

And in Nginx (same procedure for the apache)to protect the wp-admin folder from unauthorized accessing, and probing. apache2-utils is required for encrypting the password even if you have nginx installed, omit c if you plan to add more users to the same file.

sudo apt-get install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd userName

Now visit this location

/etc/nginx/sites-available/

Use this codes to protect "wp-admin" folder with a password, now it will ask the password/username if you tried to access to the "wp-admin". notice, here you use the ".htpasswd" file which contains the encrypted password.

location ^~ /wp-admin {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    index  index.php index.html index.htm;
}

Now restart the nginx.

sudo /etc/init.d/nginx restart

User · Answer

Correct permissions for the file is 644 Correct permissions for the folder is 755  To change the permissions   use terminal and following commands   find foldername -type d -exec chmod 755       find foldername -type f -exec chmod 644         755 for folders and 644 for files

User · Answer

chown -Rv www-data www-data chmod -Rv 0755 wp-includes chmod -Rv 0755 wp-admin js chmod -Rv 0755 wp-content themes chmod -Rv 0755 wp-content plugins chmod -Rv 0755 wp-admin chmod -Rv 0755 wp-content chmod -v 0644 wp-config php chmod -v 0644 wp-admin index php chmod -v 0644  htaccess

User · Answer

I think the below rules are recommended for a default wordpress site    For folders inside wp-content  set 0755 permissions      chmod -R 0755 plugins     chmod -R 0755 uploads     chmod -R 0755 upgrade Let apache user be the owner for the above directories of wp-content   chown apache uploads  chown apache upgrade  chown apache plugins

User · Answer

Define in wp config file       var www html Your-Project-File wp-config php   define   FS METHOD    direct       chown - changes ownership of files dirs  Ie  owner of the file dir changes to the specified one  but it doesn t modify permissions   sudo chown -R www-data www-data  var www

User · Answer

I can t tell you whether or not this is correct  but I am using a Bitnami image over Google Compute App Engine  I has having problems with plugins and migration  and after further messing things up by chmod ing permissions  I found these three lines which solved all my problems  Not sure if it s the proper way but worked for me   sudo chown -R bitnami daemon  opt bitnami apps wordpress htdocs  sudo find  opt bitnami apps wordpress htdocs  -type f -exec chmod 664       sudo find  opt bitnami apps wordpress htdocs  -type d -exec chmod 775

User · Answer

When you setup WP you  the webserver  may need write access to the files  So the access rights may need to be loose   chown www-data www-data  -R     Let Apache be owner find   -type d -exec chmod 755          Change directory permissions rwxr-xr-x find   -type f -exec chmod 644          Change file permissions rw-r--r--   After the setup you should tighten the access rights  according to Hardening WordPress all files except for wp-content should be writable by your user account only  wp-content must be writable by www-data too   chown  lt username gt   lt username gt   -R     Let your useraccount be owner chown www-data www-data wp-content   Let apache be owner of wp-content   Maybe you want to change the contents in wp-content later on  In this case you could   temporarily change to the user to www-data with su  give wp-content group write access 775 and join the group www-data or  give your user the access rights to the folder using ACLs    Whatever you do  make sure the files have rw permissions for www-data

User · Answer

For OS X use this command   sudo chown -R www www  www folder name

User · Answer

Commands   chown www-data www-data -R   find   -type d -exec chmod 755       find   -type f -exec chmod 644         Where ftp-user is what user you are using to upload the files  chown -R ftp-user www-data wp-content chmod -R 775 wp-content

User · Answer

For those who have their wordpress root folder under their home folder      Ubuntu apache   Add your user to www-data group    CREDIT Granting write permissions to www-data group  You want to call usermod on your user  So that would be   sudo usermod -aG www-data yourUserName      Assuming www-data group exists   Check your user is in www-data group   groups yourUserName   You should get something like   youUserName   youUserGroupName www-data      youUserGroupName is usually similar to you user name   Recursively change group ownership of the wp-content folder keeping your user ownership  chown yourUserName www-data -R youWebSiteFolder wp-content   Change directory to youWebSiteFolder wp-content   cd youWebSiteFolder wp-content Recursively change group permissions of the folders and sub-folders to enable write permissions   find   -type d -exec chmod -R 775            mode of   home yourUserName youWebSiteFolder wp-content   changed from 0755  rwxr-xr-x  to 0775  rwxrwxr-x    Recursively change group permissions of the files and sub-files to enable write permissions   find   -type f -exec chmod -R 664         The result should look something like   WAS  -rw-r--r--  1 yourUserName www-data  7192 Oct  4 00 03 filename html CHANGED TO  -rw-rw-r--  1 yourUserName www-data  7192 Oct  4 00 03 filename html   Equivalent to   chmod -R ug rw foldername  Permissions will be like 664 for files or 775 for directories   P s  if anyone encounters error  could not create directory  when updating a plugin  do  server user   domainame com  sudo chown username www-data -R wp-content when you are at the root of your domain  Assuming  wp-config php has FTP credentials on LocalHost define  FS METHOD   direct

User · Answer

Giving the full access to all wp files to www-data user  which is in this case the web server user  can be dangerous   So rather do NOT do this   chown www-data www-data -R     It can be useful however in the moment when you re installing or upgrading WordPress and its plug-ins  But when you finished it s no longer a good idea to keep wp files owned by the web server   It basically allows the web server to put or overwrite any file in your website  This means that there is a possibility to take over your site if someone manage to use the web server  or a security hole in some  php script  to put some files in your website   To protect your site against such an attack you should to the following      All files should be owned by your user account  and should be writable   by you  Any file that needs write access from WordPress should be   writable by the web server  if your hosting set up requires it  that   may mean those files need to be group-owned by the user account used   by the web server process              The root WordPress directory  all files should be writable only by your user account  except  htaccess if you want WordPress to   automatically generate rewrite rules for you        wp-admin       The WordPress administration area  all files should be writable only by your user account         wp-includes       The bulk of WordPress application logic  all files should be writable only by your user account          wp-content       User-supplied content  intended to be writable by your user account and the web server process        Within  wp-content  you will find        wp-content themes       Theme files  If you want to use the built-in theme editor  all files need to be writable by the web server process  If you do not   want to use the built-in theme editor  all files can be writable only   by your user account          wp-content plugins       Plugin files  all files should be writable only by your user account        Other directories that may be present with  wp-content  should be   documented by whichever plugin or theme requires them  Permissions may   vary    Source and additional information  http   codex wordpress org Hardening WordPress

User · Answer

To absolutely make sure that your website is secure and you are using correct permissions for your folders  use a security plugin like these   https   en-ca wordpress org plugins all-in-one-wp-security-and-firewall   https   en-ca wordpress org plugins wordfence   These plugins will scan your Wordpress installation and notify you about any potential issues  These will also warn you about any insecure folder permissions  In addition to that  these plugins will recommend you what permissions should be assigned to the folders

User · Answer

Best to read the wordpress documentation on this https   wordpress org support article changing-file-permissions         All files should be owned by the actual user s account  not the user account used for the httpd process   Group ownership is irrelevant  unless there s specific group requirements for the web-server process permissions checking  This is not usually the case     All directories should be 755 or 750    All files should be 644 or 640  Exception  wp-config php should be 440 or 400 to prevent other users on the server from reading it    No directories should ever be given 777  even upload directories  Since the php process is running as the owner of the files  it gets the owners permissions and can write to even a 755 directory

User · Answer

I set permissions to         Set all files and directories user and group to wp-user     chown wp-user wp-user -R          Set uploads folder user and group to www-data     chown www-data www-data -R wp-content uploads         Set all directories permissions to 755     find   -type d -exec chmod 755              Set all files permissions to 644     find   -type f -exec chmod 644         In my case I created a specific user for WordPress which is different from the apache default user that prevent access from the web to those files owned by that user   Then it gives permission to apache user to handle the upload folder and finally set secure enough file and folder permissions   EDITED  If you re using W3C Total Cache you should do the next also   rm -rf wp-content cache config rm -rf wp-content cache object rm -rf wp-content cache db rm -rf wp-content cache minify rm -rf wp-content cache page enhanced   Then it ll work   EDITED  After a while developing WordPress sites I d recommend different file permissions per environment   In production  I wouldn t give access to users to modify the filesystem  I ll only allow them to upload resources and give access to some plugins specific folders to do backups  etc  But managing projects under Git and using deploy keys on the server  it isn t good update plugins on staging nor production  I leave here the production file setup     Set uploads folder user and group to www-data chown www-data www-data -R wp-content uploads    www-data www-data   apache or nginx user and group  Staging will share the same production permissions as it should be a clone of it   Finally  development environment will have access to update plugins  translations  everything       Set uploads folder user and group to www-data chown www-data www-data -R wp-content     Set uploads folder user and group to www-data chown your-user root-group -R wp-content themes    Set uploads folder user and group to www-data chown your-user root-group -R wp-content plugins your-plugin   www-data www-data   apache or nginx user and group your-user root-group   your current user and the root group  These permissions will give you access to develop under themes and your-plugin folder without asking permission  The rest of the content will be owned by the Apache or Nginx user to allow WP to manage the filesystem   Before creating a git repo first run these commands     Set all directories permissions to 755 find   -type d -exec chmod 755          Set all files permissions to 644 find   -type f -exec chmod 644

User · Answer

Based on all the reading and agonizing on my own sites and after having been hacked I have come up with the above list that includes permissions for a security plugin for Wordpress called Wordfence   Not affiliated with it   In our example  the wordpress document root is       var www html example com public html  Open up the permissions so that www-data can write to the document root as follows   cd  var www html example com sudo chown -R www-data www-data public html    Now from the dashboard in your site  as an admin you can perform updates   Secure Site after Updates are finished by following these steps   sudo chown -R wp-user wp-user public html    The above command changes permissions of everything in the wordpress install to the wordpress FTP user   cd public html wp-content sudo chown -R www-data wp-user wflogs sudo chown -R www-data wp-user uploads   The above command ensures that the security plugin Wordfence has access to its logs  The uploads directory is also writeable by www-data   cd plugins sudo chown -R www-data wp-user wordfence    The above command also ensures that the security plugin has required read write access for its proper function   Directory and Files Permissions    Set all directories permissions to 755 find   -type d -exec chmod 755          Set all files permissions to 644 find   -type f -exec chmod 644         Set the permissions for wp-config php to 640 so that only wp-user can read this file and no one else  Permissions of 440 didn t work for me with above file ownership   sudo chmod 640 wp-config php   Wordpress automatic updates using SSH were working with fine with PHP5 but broke with PHP7 0 due to problems with php7 0-ssh2 bundeld with Ubuntu 16 04 and I couldn t find how to install the right version and make it work  Fortunately a very reliable plugin called ssh-sftp-updater-support  free  makes automatic updates using SFTP possible without need for libssh2  So the above permissions never have to be loosened except in rare cases as needed

[php] Correct file permissions for WordPress

Examples related to php

Examples related to wordpress

Examples related to chmod