WordPress Best Practices

    Secure WordPress File Permissions: A Developer’s Guide to Hardening Your Site

    Overview

    As web developers, we know that the flexibility of WordPress is partly due to its ability to allow certain files to be writable by the web server. This functionality is a double-edged sword because while it enables dynamic features, it also opens up security risks, especially on shared hosting platforms.

    To safeguard your WordPress site, it’s crucial to implement stringent file permissions and only relax them temporarily when necessary—for instance, when the site requires write access for certain operations or when handling file uploads.

    Recommended File Permission Practices

    • Ownership: All files should be owned by your web directory user account, with write permissions set for the same web directory user. Files that require WordPress to write should be accessible by the web server. On some hosting setups, this may mean the files need to be group-owned by the web server’s user account.
    • Root Directory (/): All files here should be writable by you alone, except for .htaccess if you allow WordPress to generate rewrite rules automatically.
    • WordPress Administration Area (/wp-admin/): All files should be writable by the web directory user account alone.
    • WordPress Core Libraries (/wp-includes/): All files should be writable by the web directory user account alone.
    • User Content Area (/wp-content/): This directory is meant to be writable by both the web directory user account and the web server process.
    • Themes (/wp-content/themes/): If using the theme editor, these files need to be writable by the web server process. Otherwise, they should be writable by the web directory user account alone.
    • Plugins (/wp-content/plugins/): All plugin files should be writable by the web directory user account alone.

    Any additional directories within /wp-content/ should follow the guidelines provided by the respective plugin or theme.

    Modifying File Permissions

    For those with shell access, file permissions can be adjusted recursively with these commands:

    • Directories: find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
    • Files: find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
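
    The following script is an added example, not part of the article: it wraps the two find/chmod commands above in a function, adds a second function for the wp-content case from the ownership guidance (group-owned by the web server, writable by owner and group, never by others), and audits the tree for anything world-writable. The group name, the 775/664 modes for wp-content, and the throwaway paths in the demo are assumptions for the example; pick the group your host actually runs the web server as.

```shell
#!/bin/sh
# Added example (not from the article): apply the article's scheme of
# 755 for directories / 644 for files to a WordPress install, optionally
# let the web server group write under wp-content, then audit the result.
set -eu

# Recursively set 755 on directories and 644 on files under $1.
# Run this first: it resets everything, including wp-content.
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Make $1/wp-content writable by both the owner and the group $2 (assumed
# to be the web server's group, e.g. www-data; the name is host-specific).
# Uses 775/664 so "others" still get no write access anywhere.
share_wp_content() {
    root="$1"; group="$2"
    chgrp -R "$group" "$root/wp-content"
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +
}

# List anything world-writable under $1 and fail if something is found.
# Under the scheme above this should print nothing and return 0.
audit_wp_perms() {
    root="$1"
    bad=$(find "$root" \( -type f -o -type d \) -perm -002)
    if [ -n "$bad" ]; then
        printf 'world-writable entries:\n%s\n' "$bad" >&2
        return 1
    fi
}

# Demo on a constructed throwaway tree (paths are made up for the example).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-admin"
    : > "$tmp/index.php"; : > "$tmp/wp-content/uploads/photo.jpg"
    chmod 777 "$tmp/wp-content/uploads" "$tmp/wp-content/uploads/photo.jpg"
    harden_wp_perms "$tmp"
    share_wp_content "$tmp" "$(id -gn)"   # own group stands in for www-data
    audit_wp_perms "$tmp" && echo "no world-writable entries under $tmp"
    rm -rf "$tmp"
}

demo
```

    Run the audit again after any temporary loosening (theme editor, uploads) to confirm nothing was left world-writable.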

    Automatic Updates and File Permissions

    When WordPress is instructed to perform an automatic update, it carries out file operations under the file owner’s user account, not the web server’s. All files default to 0644 and directories to 0755, making them writable by the owner and readable by others, including the web server.