Correct WordPress Filesystem Permissions And Ownerships

Permissions For A Standard WordPress Server Configuration Link

Standard WordPress configurations require a bit more work than shared server configurations because the Web server has no relationship to our user account.

FILE AND FOLDER OWNERSHIP FOR WORDPRESS LINK

First, we need to adjust the file and folder ownerships of our WordPress files. We’ll have to make sure of the following:

  • that your user account is the owner of all WordPress files and folders,
  • that your user account and the Web server’s user account belong to the same group.

To find out the groups that your user account belongs to, you can use this command in your server’s terminal:

groups

Then, to find out the groups that your Web server belongs to, you can temporarily insert this PHP snippet in one of your WordPress scripts:

echo exec( 'groups' );

If your user and the Web server don’t belong to the same group, you can use the following command in the terminal to add your user to one of your Web server’s groups:

sudo usermod -a -G <a-common-group-name> myuser

Lastly, to ensure that everything in our WordPress folder belongs to our user account and has the shared group that we just added, perform this command in your WordPress folder:

sudo find . -exec chown myuser:a-common-group-name {} +

PERMISSIONS FOR WORDPRESS LINK

All of our files and folders should now have the correct ownership. Now it’s time to adjust the permission modes. To make things simpler, you’ll only need to remember the following:

  • All files should be 664.
  • All folders should be 775.
  • wp-config.php should be 660.

Here’s what we’re trying to achieve with this set of permission modes:

  • Our user account may read and modify our files.
  • WordPress (via our Web server) may read and modify our scripts.
  • WordPress may create, modify or delete files and folders.
  • Other people may not see our database credentials in wp-config.php.

You might be thinking that allowing WordPress full privileges with our folders is not secure. Don’t worry — we’re doing this because WordPress needs certain features to create and modify files. WordPress allows us to upload and remove themes and plugins and even edit scripts and styles from the administrative back end. Without this type of permission, we would have to manually upload themes and plugins every time using FTP.

You can use your FTP client to change the permission modes, or you can use the following commands in your WordPress directory to quickly adjust the permissions of all of your files and folders:

sudo find . -type f -exec chmod 664 {} +
sudo find . -type d -exec chmod 775 {} +
sudo chmod 660 wp-config.php

Note that some Web servers are stricter than others. If yours is strict, then setting your wp-config.php to 660 might stop your website from working. In this case, just leave it as 664.

Permissions For A Shared Server Configuration Or SuEXECConfiguration

Permissions for shared server configurations are easier to implement. We won’t dwell on ownership because the Web server runs as the owner of our files and folders. Because our user account and the Web server share the same permissions (both are owners), we can dive right into modifying the permission modes:

  • All files should be 644.
  • All folders should be 755.
  • wp-config.php should be 600.

Similar to the previous set of permission modes, these break down as follows:

  • Our user account may read and modify our files.
  • WordPress (via our Web server and as the account owner) may read and modify our scripts.
  • WordPress may create, modify or delete files or folders.
  • Other people may not see our database credentials in wp-config.php.

Again, you can use an FTP client to change the permission modes, or you can use the following commands in your WordPress directory to quickly adjust the permissions of all of your files and folders:

sudo find . -type f -exec chmod 644 {} +
sudo find . -type d -exec chmod 755 {} +
sudo chmod 600 wp-config.php

Similar to the standard WordPress server configuration, your server might be stricter than others and might not allow wp-config.php to be 600. In this case, you can adjust it to a more lenient 640; if that still doesn’t work, then use 644.

Always follow these guidelines and your WordPress files should be kept safe from intruders.

Common Pitfalls Link

A common mistake people make is to set the uploads folder to 777. Some do this because they get an error when trying to upload an image to their website, and 777 quickly fixes this problem. But never give unlimited access to everyone, or else you’ll make the Web server vulnerable to attack. If you follow the guidelines covered in this article, then you should have no problems uploading files to your website.

At times, though, a plugin will request that you set a file to 777. On these occasions, you can temporarily set it to 777, but make sure to set it back to its original permission mode when you’re done.

 
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Déplacer un site wordpress

Change site URL and home URL (Siteurl et Homeurl) UPDATE wp_options SET option_value =...

4 Easy tips to protect your WordPress Website

Discover 4 easy and critical tips you can use to dramatically increase security around your...

WordPress Developer Super Cheat Sheet

Theme Files These are the basic files that every theme should include: style.css – This is...

Powered by WHMCompleteSolution