WordPress Security, Part 2: Files Protection

MillaN — Thu, 16 Dec 2010 13:00:21 +0000

First step to ensure that your WordPress website is secure, is to set proper file permissions rights. Wrong file permissions can easily lead to hackers gaining access to your website. So, after you first install WordPress, no matter what method you used, you must check those rights and set them properly.

When you first install WordPress, you can do it manually or you can use some sort of install script that is usually offered by the shared hosting companies. In my experience, those scripts usually do a good job in setting at least initial file permissions to all files and folders. But, on the other hand that may not always be the case, and you can end up in problems.

Main issue is to allow WordPress to access files and folders it needs to be able to work properly, and in the same time not to set permissions too loose so that it can be exploited. To change the file permissions, Linux uses CHMOD command. Permissions for files and folders are represented by three values controlling access for file owner, for owner group and for everyone else (world). And each of these controls 3 rights: read, write and execute. There are different ways to display file permissions, and most common is to use 3 numbers: first for owner, second for group and third for world. File system and file permissions can be very complex, and more info on how all that is working can be found on URL’s at the bottom of this articles.

Since we are talking about file system on your server, referring to users and groups has nothing to do with WordPress. User or owner is your account on the server not in WordPress.

Recommended permissions

Before you check and set CHMOD for files and folders, it’s recommended that owner for all files and folder is your user account on the server. If, when you copy new files or add new files, this is not the case, and if server is setting someone else as an owner, then, there is something wrong with your server settings. In my experience, this usually happens if you are installing and setting server on your own (VPS hosting) and you missed configuring file system ownership, that depending on OS you use, can be set to Apache process or something else. Make sure that all files and folders in your WP installation are owned by your user. All other recommendations are based on this one, so make sure it’s set as it should be.

FTP View of Permissions

For all folder in the WordPress installation, recommended permission is 755. This means that owner (first number, 7) can read, write folder and execute content in it. Group and world can’t write. This makes folders safe from anyone beside your main user adding new files, or deleting existing files. Files should be set to 644, the same as 755, but with no execute set. For folders you need owner, group and world to be able to at least read from the folders, or your website will not be publicly accessible, so that’s why 5 is set for group and world.

If you are using FTP or command line tools, you will usually see permissions displayed like on the image on the right with string with 10 characters. First is telling if it’s file or folder, and 9 are flags for all 3 groups, 3 rights each. Here you can also see owner and group. While they are named, here are codes representing the names on your server.

Specific files permissions

For some files and folders you can use different permissions to make sure that they are extra secure. So, for wp-config.php, recommended permissions is 640 or even 600. Same goes for .htaccess files. In shared environments, you can also have PHP files present (php.ini and/or php.cgi). For these files you can set even more restrictive permissions: 100, and only owner can execute these files, nothing else.

File Permissions in GD Press Tools Pro

GD Press Tools Pro

To do all this, you can use command line on your server, FTP access or file manager you have in the control panel for your hosting account. But, you can do it from WordPress also. GD Press Tools Pro on the Security panel shows most important files and folders in your WP installation, their files permissions and options to change those that are not restrictive as recommended values are.

Also, on the Security panel, tab General you can set default CHMOD values WordPress can use to set on newly created files and folders (uploads mostly).

Conclusion

Permissions described in this article will be enough to make all critical areas of your website secure. But, you can take this further and experiment with more restrictive rules for some folders, or some more files.

Resources