It’s sensible to ensure that your WordPress files and directories have the appropriate permissions, and no more. For this guide, I’ll assume you have full SSH root/sudo access to your dedicated server or VPS. Permissions specific to shared hosting are not considered in this guide.

SSH into your server:

    ssh myuser@IP_Address

Your user should be part of the web service group (i.e. the one Apache uses), such as the group www-data. Check what groups your user already belongs to:

    groups

And to see what group the web server is using, enter this inside one of the PHP scripts (like footer.php) and visit your website. Remove the line again once you have the answer:

    echo exec('groups');

If your user isn’t yet part of this group, add them to it:

    sudo usermod -a -G www-data myuser

In any case, choose the group shared between you and the server, and add it into the following command, which also makes sure your user is the owner of everything. In my case, the common group is www-data:

    sudo chown -R myuser:www-data /var/www/wp-site

Sometimes, in order to enable automatic WordPress updates through the admin area, I’ve needed to change file ownership to the apache2 group (www-data) as well. This WordPress update guide actually specifies this as a criterion. You can always change the file ownership back if you’re feeling paranoid after the update. So run this if you’re having problems updating:

    sudo chown -R www-data:www-data /var/www/wp-site

Next up, set non-permissive permissions for all files and directories:

    find /var/www/wp-site -type d -exec chmod 755 {} +
    find /var/www/wp-site -type f -exec chmod 644 {} +

If you’ve got multiple users uploading and changing files, you’ll probably find that file permission 664 is much more practical, as it gives read/write access to the group as well as to the file/directory owner, which can alleviate some frustrating system admin support:

    find /var/www/wp-site -type f -exec chmod 664 {} +

If WordPress is having difficulties uploading media to the library, make the wp-content/uploads directory and all its sub-directories group writable:

    find /var/www/wp-site/wp-content/uploads -type d -exec chmod 775 {} +

New files & folders to inherit group permissions

By default, when files are created or transferred to the server by a user, they’ll likely end up under a group ownership other than www-data. We don’t want that; we want the new files and directories to be group owned by www-data as well. Rather than manually updating the group ownership of new files or directories, we can set up inheritance by adding the setgid bit on all directories:

    sudo find /var/www/wp-site -type d -exec chmod g+s {} +

New files & directories will keep the group ownership as www-data. Remember to also add g+s on /var/www/wp-site, so any files or directories added inside the WordPress root directory also inherit the group ownership.

If you’ve got time, and want to have more control and improve the security of your WordPress files, read on.

Fine tuned settings for security

Your own hosting environment will differ, and the plugins and theme you’re running will be different to my setup. All these variables may require you to update your file and directory permissions as you go, and they could well be different to the levels suggested in this guide. The only file-specific alteration will be made to wp-config.php:

    chmod 600 /var/www/wp-site/wp-config.php

You might find that wp-config.php needs to be set back to 644, if 600 doesn’t play nice. Give it a try first.

If you’re using the built-in WordPress file editor from the dashboard, all files might need to be group writable. This is obviously a security risk, as malware could take advantage of this privilege. Consider whether or not editing files through the WordPress backend is really necessary.

Some plugins, or WordPress itself, might require the following directories to be group writable (they should let you know, and you can adjust as and when necessary):

- wp-content
- /cache
- /uploads

Automate permissions with a bash script

To make your life easier, why not create a reusable bash script to run whenever you set up a new WP site on your server? cd into your user’s home directory and create a new bash script, called wp-permissions.sh:

    cd /home/myuser
    nano wp-permissions.sh

Create the bash script, using our suggested permission settings from above:

    #!/bin/bash
    # Owner myuser, group www-data for the whole tree
    find /var/www/wp-site -exec chown myuser:www-data {} \;
    # Directories 755, upload directories group writable (775)
    find /var/www/wp-site -type d -exec chmod 755 {} \;
    find /var/www/wp-site/wp-content/uploads -type d -exec chmod 775 {} \;
    # Files 644, wp-config.php readable and writable by its owner only
    find /var/www/wp-site -type f -exec chmod 644 {} \;
    find /var/www/wp-site/wp-config.php -exec chmod 600 {} \;
    # setgid on directories so new entries inherit the www-data group
    find /var/www/wp-site -type d -exec chmod g+s {} \;

Save & exit the file, and finish off by making this script executable:

    chmod +x wp-permissions.sh

Now you can run the script (you’ll probably need to run this as the root user, so su to root first or sudo bash ./wp-permissions.sh):

    ./wp-permissions.sh

Add to the crontab

For bonus points, you could add this bash script to the root crontab for periodic running. Then if any permissions ever change, unintentionally or otherwise, it’ll automatically revert them back to their intended state. Open up the root crontab:

    sudo crontab -e

I’m going to run this cron task every day at 3AM, when website traffic is not so busy. Add this line:

    0 3 * * * /home/myuser/wp-permissions.sh

Your automatic file permission rules will be ensured every day, soon after 3AM. Because the job runs as root, keep the script itself writable only by root; anyone else who can edit it can run commands as root through the cron job.
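A read-only companion to wp-permissions.sh, added here as an example and not part of the original guide: it reports where a tree deviates from the policy that script enforces (755 directories with setgid, 775 under wp-content/uploads, 644 files, 600 wp-config.php, one owner and group) without changing anything. The function name wp_perm_audit and its output format are assumptions of this example, and it relies on GNU find's -printf.

```shell
#!/bin/bash
# wp_perm_audit ROOT OWNER GROUP   (hypothetical helper, not from the guide)
# Read-only: prints "<finding><TAB><detail><TAB><path>" for every file or
# directory that deviates from the policy wp-permissions.sh enforces, and
# returns 1 if anything was reported. Needs GNU find for -printf.
wp_perm_audit() {
    find "${1%/}" \( -type d -o -type f \) -printf '%m\t%y\t%u\t%g\t%p\n' |
    awk -F'\t' -v root="${1%/}" -v owner="$2" -v group="$3" '
        function report(kind, detail) {
            print kind "\t" detail "\t" path
            bad = 1
        }
        BEGIN {
            uploads = root "/wp-content/uploads"
            config  = root "/wp-config.php"
        }
        {
            mode = $1; type = $2; path = $5
            low = mode % 1000            # rwx digits: 2755 -> 755
            special = int(mode / 1000)   # setuid 4, setgid 2, sticky 1
            if ($3 != owner || $4 != group)
                report("owner", $3 ":" $4)
            if (type == "d") {
                in_uploads = (path == uploads || index(path, uploads "/") == 1)
                want = in_uploads ? 775 : 755
                if (low != want) report("dir-mode", low " want " want)
                # Without setgid, new entries stop inheriting the group.
                if (int(special / 2) % 2 == 0) report("no-setgid", mode)
            } else {
                want = (path == config) ? 600 : 644
                if (low != want) report("file-mode", low " want " want)
            }
        }
        END { exit bad + 0 }
    '
}

# Usage when saved as a script: ./wp-perm-audit.sh /var/www/wp-site myuser www-data
if [ "$#" -eq 3 ]; then
    wp_perm_audit "$@"
fi
```

Running it before the 3AM job shows what that job is about to revert, which is worth a look when the change was not one you made.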