Setting Up Correct File Permissions and Ownership to Enhance WordPress Security

We often hear a lot about WordPress security, but far less often about WordPress file permissions and ownership. In fact, most people running WP sites look first to installing security plugins. Using WP plugins is a good idea and works for any WordPress-powered site. However, if the permissions on your file system are set up incorrectly, intruders can easily circumvent your website's security measures.
Apart from security concerns, several other issues can arise from setting up the permissions and ownership of your WP site incorrectly. For instance, you may get error messages when uploading an image to your site's 'Media Library'. So, to fix such issues it is essential to set up the file permissions and ownership of the site correctly.
This post will help you understand WordPress filesystem permissions and ownership: what they are, why they matter and how they are set up. You'll also learn about the most common WP server configurations and, most importantly, how to set the correct file permissions and ownership for each of them.

File Permissions and Ownership to Enhance WordPress Security

Understanding Users and Groups

To get started we'll need some insight into users and groups, as they are closely tied to permissions. A user is an account you create to access a system, while a group is an identifier that tells which users belong together. For example, you use a user account on your server when you transfer files over FTP. Whether you belong to one or several groups depends on how your web host has set up your account.
What makes users and groups important is that they determine the privileges (also called permissions) on all of our WordPress files and folders. The site owner has full privileges on files and folders; other users belonging to the same group have restricted privileges; and there may be users who have no privileges at all.

What Are File Permissions?

Permissions define what a user can do with a file or folder. A permission is usually represented as a set of numbers such as 644 or 777, referred to as a permission mode. If you have used WP plugins before, some of them may have asked you to change a file or directory permission so that the web server can access that file or folder. Each digit in the permission mode has a meaning:

  • The first digit determines what the owner of the file can do.
  • The second digit determines what other users in the owner's group can do.
  • The third digit determines what the rest of the users (including website visitors) can do.

Each digit of the permission mode is the sum of a combination of the following values:

  • 4 (read): you can read the contents of a file, or list the names of the files in a folder.
  • 2 (write): you can modify a file, or add and remove entries in a folder.
  • 1 (execute): you can run a file, or enter a folder and access the files in it.

What do 644 and 777 mean?

The permission mode 644 breaks down as follows:

  • The first digit "6" (4 + 2) signifies that the owner of the file can read and modify the WordPress scripts.
  • The second digit "4" signifies that users in the owner's group may only read the scripts.
  • The third digit "4" signifies that everyone else may only read the file.

The permission mode 777 means:

  • The first digit "7" (4 + 2 + 1) denotes that the owner can read, write and execute the contents of the folder.
  • The second digit "7" signifies that users in the owner's group can also read, write and execute the contents of the folder.
  • The third digit "7" denotes that everyone else has read, write and execute privileges as well.

It's pretty clear that 777 is a bad permission mode to use on any WordPress site, as even visitors would be able to add files or delete WordPress scripts. In the worst case, anyone can add malicious code and compromise your site's security.

Understanding the Significance of WordPress File Permissions

Standard Server Configuration and Their Proper Permission

It's very important to use the correct permission mode. To illustrate why, consider users and roles in WordPress. On a WP site, contributors and site admins hold different sets of abilities. Contributors may create new blog entries, but they cannot add plugins. Website admins, in contrast, can add plugins and can also create blog posts; most likely they also control the look and feel of the site. Roles thus separate what different users can do. Permission modes work the same way, except that rather than blog posts and theme options, we're managing files and folders on the web server.
Put simply, changing the permissions of the files and folders saved on the server lets website owners restrict access to a site's data and components, and that in turn increases the security of the website's content.

How to Change Permission Modes?

To change permission modes you need access to the server's terminal. Once you have access, use the chmod command as shown below to modify the permission mode of a single file or folder:

$ sudo chmod 644 /path/to/file

To change the permission mode of all WordPress files at once, combine chmod with the find command. The example below covers regular files (-type f); run it again with -type d and the folder mode to cover folders.

$ sudo find . -type f -exec chmod 644 {} +

Unleashing WordPress Server Configurations

Before changing the permissions of all our files and folders, it's imperative to understand how our server is set up. Different types of server configuration require different permission modes for your WP site to work securely. Here we'll discuss the two most common configurations and how to set proper permissions for each of them:

Standard Server Configuration and Their Proper Permission

A standard WordPress configuration demands more work than a shared server configuration. Before setting file permissions for the standard configuration, we first have to fix the ownership of the WordPress files and folders. This requires you to ensure that:

  • Your user account is the owner of all files and folders.
  • Your user account and the web server's user account are members of the same group.

To identify the groups your user account belongs to, run the groups command in your server's terminal. To determine the groups the web server process belongs to, insert the following PHP snippet into one of your WP scripts (and remove it again once you have the answer):

<?php echo exec( 'groups' ); ?>

If your user account and the web server do not belong to the same group, add your account to the web server's group with the following command (mygroup stands for the web server's group and myuser for your own account; substitute your real names):

$ sudo usermod -a -G mygroup myuser

Finally, to make sure everything in the WordPress folder belongs to your user account and to the shared group (the one set up above), run the following command in your WordPress folder (chown takes the new owner and group as user:group):

$ sudo find . -exec chown myuser:mygroup {} +

After running the above commands all of our files and folders have the correct ownership. Next, you'll need to adjust the permission modes. For this, remember the following:

  • All files ought to have 664 permission mode.
  • All folders ought to have 775 permission mode.
  • wp-config.php permission mode should be 660.

You can either use your FTP client to tweak the permission modes, or run the following commands in your WP directory to change the permissions of all your files and folders:

$ sudo find . -type f -exec chmod 664 {} +
$ sudo find . -type d -exec chmod 775 {} +
$ sudo chmod 660 wp-config.php

Permissions For A Shared Server Configuration Or SuEXEC Configuration

Compared with the standard server configuration, permissions for a shared WordPress server configuration are easy to implement. What's more, you don't have to set up ownership, as the web server acts as the owner of your files and folders. Since the user account and the server have the same permissions (both are the owner), you can start changing the permission modes right away:

  • All files should be 644.
  • All folders should be 755.
  • wp-config.php should be 600.

Once again, use an FTP client to modify the permission modes, or run the following commands in your WordPress site's directory to change the permissions of all your files and folders:

$ sudo find . -type f -exec chmod 644 {} +
$ sudo find . -type d -exec chmod 755 {} +
$ sudo chmod 600 wp-config.php
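Setting the modes is only half the job; drift (a plugin installer, a stray chmod 777 during troubleshooting) is common, so it pays to re-check the tree against the policy you chose. The following POSIX shell function is an added example, not part of the original post: it audits a WordPress root against either the standard (664/775/660) or the shared (644/755/600) policy above, flags any entry whose third digit grants write to everyone (the 777 problem), and optionally checks ownership against a user:group as set up in the standard configuration. It assumes GNU coreutils (stat -c) on Linux.

```shell
#!/bin/sh
# wp_perm_audit CONFIG ROOT [USER:GROUP]
#   CONFIG is "standard" (files 664, dirs 775, wp-config.php 660) or
#   "shared"  (files 644, dirs 755, wp-config.php 600).
#   If USER:GROUP is given, the ownership of every entry is checked too.
# Prints one line per deviation; returns 0 when clean, 1 when anything deviates.
# Assumes GNU coreutils: macOS/BSD stat uses different flags.
wp_perm_audit() {
    config=$1
    root=${2%/}            # drop a trailing slash so paths compare cleanly
    owner=$3
    case "$config" in
        standard) want_f=664 want_d=775 want_cfg=660 ;;
        shared)   want_f=644 want_d=755 want_cfg=600 ;;
        *) echo "usage: wp_perm_audit standard|shared ROOT [USER:GROUP]" >&2; return 2 ;;
    esac
    # The while loop runs in a subshell, so findings are collected as output
    # text rather than through a counter variable.
    report=$(find "$root" \( -type f -o -type d \) | while IFS= read -r path; do
        # Normalise the mode to exactly three digits: 644 -> 644, 2775 -> 775, 0 -> 000
        mode=$(printf '%04o' "0$(stat -c %a "$path")")
        mode=${mode#?}
        if [ -d "$path" ]; then want=$want_d
        elif [ "$path" = "$root/wp-config.php" ]; then want=$want_cfg
        else want=$want_f
        fi
        # The third digit is "everyone else"; a write bit (2) there is what makes 777 dangerous.
        flag=""
        case ${mode#??} in 2|3|6|7) flag=" WORLD-WRITABLE" ;; esac
        [ "$mode" = "$want" ] || printf 'mode %s want %s %s%s\n' "$mode" "$want" "$path" "$flag"
        if [ -n "$owner" ]; then
            have=$(stat -c %U:%G "$path")
            [ "$have" = "$owner" ] || printf 'owner %s want %s %s\n' "$have" "$owner" "$path"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run it from the WordPress root as e.g. `wp_perm_audit shared .` after applying the commands above; an empty result and exit status 0 means the tree matches the policy.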

Conclusion

Hopefully, you now know what proper permissions and file ownership are and how to set them up on your WordPress website. You have also seen why you should avoid the 777 permission mode, as it is a threat to the security of the web server. Just follow the guidelines above when setting up the permissions and ownership of all your WordPress files and folders, and you'll keep them safe from intruders.

2 Comments

  1. And 664? Is it safe?

    • Yes, it's safe with a normal user but it's insecure with an advanced user.
