It’s sensible to ensure that your WordPress files and directories have the appropriate permissions, and no more. For this guide, I’ll assume you have full SSH root/sudo access to your dedicated server or VPS. Shared hosting specific permissions are not considered in this guide. SSH into your server.
ssh myuser@IP_Address
Your user should be part of the web service group (i.e. the one Apache uses), such as the group www-data. Check what groups your user already belongs to:
groups
And to see what group the web server is using, enter this inside one of the PHP scripts (like footer.php) and visit your website:
echo exec('groups');
If your user isn’t yet part of this group, add them to it:
sudo usermod -a -G www-data myuser
In any case, choose the commonly shared group between you and the server, and add it into the following command, whilst also making sure your user is the owner of everything. In my case, the common group is www-data:
sudo chown -R myuser:www-data /var/www/wp-site
Sometimes, in order to enable automatic WordPress updates through the admin area, I’ve needed to change file ownership to the apache2 user and group (www-data) as well. This WordPress update guide actually specifies this as a criterion. You can always change the file ownership back if you’re feeling paranoid after the update. So run this if you’re having problems updating:
sudo chown -R www-data:www-data /var/www/wp-site
Next up, set non-permissive permissions for all files and directories:
find /var/www/wp-site -type d -exec chmod 755 {} +
find /var/www/wp-site -type f -exec chmod 644 {} +
If you’ve got multiple users uploading and changing files, you’ll probably find that 664 file permissions are much more practical, as they give read/write access to the group as well as to the file owner, which can alleviate some frustrating system admin support:
find /var/www/wp-site -type f -exec chmod 664 {} +
If WordPress is having difficulties uploading media to the library, allow writable group ownership to the wp-content/uploads directory, and all sub-directories:
find /var/www/wp-site/wp-content/uploads -type d -exec chmod 775 {} +

New files & folders to inherit group permissions

By default, when files are created or transferred to the server by a user, they’ll likely be under a group ownership other than www-data. We don’t want that; we want the new files and directories to also be group owned by www-data. Rather than manually updating the group ownership of new files or directories, we can set up inheritance by setting the setgid bit on all directories:
sudo find /var/www/wp-site -type d -exec chmod g+s {} +
New files & directories will keep the group ownership as www-data. Remember to also add g+s on /var/www/wp-site, so any files or directories added inside the WordPress root directory also inherit the group ownership. If you’ve got time, and want to have more control and improve the security of your WordPress files, read on.

Fine tuned settings for security

Your own hosting environment will differ, and the plugins and theme you’re running will be different to my setup. All these variables may require you to update your file and directory permissions appropriately as you go, and they could well be different to the levels suggested in this guide. The only file-specific alteration will be made to wp-config.php:
chmod 600 /var/www/wp-site/wp-config.php
You might find that wp-config.php needs to be set back to 644, if 600 doesn’t play nice. Give it a try first. If you’re using the built in WordPress file editor from the dashboard, all files might need to be group writable. This is obviously a security risk, as malware could take advantage of this privilege. Consider whether or not editing files through the WordPress backend is really necessary. Some plugins, or WordPress itself might require the following directories to be group writable (they should let you know, and you can adjust as and when necessary):
  • wp-content
    • /cache
    • /uploads
If you’re utilising Apache mod_rewrite and making use of permalinks, then the .htaccess file may need to be group writable if you’d like WordPress and other plugins to automatically update it for you. For extra security, install a third party plugin such as iThemes Security, which offers many more layers of protection than just file & directory permissions. I strongly recommend installing this on any WordPress site you manage.

Automate permissions with a bash script

To make your life easier, why not create a reusable bash script to run whenever you set up a new WP site on your server? cd into your user’s home directory and create a new bash script, called wp-permissions.sh:
cd /home/myuser
nano wp-permissions.sh
Create the bash script, using our suggested permission settings from above:
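#!/bin/bash
# Owner: your user; group: the web server's group
find /var/www/wp-site -exec chown myuser:www-data {} \;
# Directories: 755
find /var/www/wp-site -type d -exec chmod 755 {} \;
# Upload directories: group writable so WordPress can store media
find /var/www/wp-site/wp-content/uploads -type d -exec chmod 775 {} \;
# Files: 644
find /var/www/wp-site -type f -exec chmod 644 {} \;
# wp-config.php: owner only
find /var/www/wp-site/wp-config.php -exec chmod 600 {} \;
# setgid on directories so new files inherit the group
find /var/www/wp-site -type d -exec chmod g+s {} \;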
Save & exit the file, and finish off by making this script executable:
chmod +x wp-permissions.sh
Now you can run the script (you’ll probably need to run this as the root user, so su to root first or sudo bash ./wp-permissions.sh):
./wp-permissions.sh

Add to the crontab

For bonus points, you could add this bash script to the root crontab for periodic running. Then if any permissions ever unintentionally or otherwise change, it’ll automatically revert them back to their intended state. Open up the root crontab:
sudo crontab -e
I’m going to run this cron task every day at 3AM, when website traffic is not so busy. Add this line:
0 3 * * * /home/myuser/wp-permissions.sh
Your automatic file permission rules will be ensured every day, soon after 3AM.
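
A read-only check of the same rules shows what has drifted before the cron job silently resets it, which is often the first sign that something on the site changed a file it shouldn't have. The function below is an added example, not part of the original guide; it assumes GNU find and stat, and the function name and finding labels are made up for illustration.

```bash
#!/bin/bash
# Added example (not from the original guide): read-only drift audit.
# Assumes GNU find and stat; audit_wp_perms and its labels are made-up names.
# Usage: audit_wp_perms /var/www/wp-site [group]   (exit 0 = clean, 1 = drift)
audit_wp_perms() {
    local root=${1%/} group=${2:-www-data} cfg findings
    cfg=$root/wp-config.php
    findings=$(
        # Nothing in the guide ever grants write access to other users.
        find "$root" ! -type l -perm -0002 -printf 'world-writable %m %p\n'
        # Files are 644 or 664, so no file should carry an execute bit.
        find "$root" -type f -perm /0111 -printf 'executable-file %m %p\n'
        # By default only wp-content/uploads gets group-writable (775) directories.
        find "$root" -path "$root/wp-content/uploads" -prune -o \
            -type d -perm -0020 -printf 'group-writable-dir %m %p\n'
        # Every directory needs setgid so new files inherit the group.
        find "$root" -type d ! -perm -2000 -printf 'no-setgid %m %p\n'
        # Everything should be group-owned by the shared web group.
        find "$root" ! -type l ! -group "$group" -printf 'wrong-group %g %p\n'
        # wp-config.php holds DB credentials; the target mode in the guide is 600.
        if [ -f "$cfg" ] && [ "$(stat -c %a "$cfg")" != 600 ]; then
            printf 'wp-config-mode %s %s\n' "$(stat -c %a "$cfg")" "$cfg"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

If you have deliberately made wp-content or a cache directory group writable, or set wp-config.php back to 644, expect those to show up as findings.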
