Change WordPress file permissions

Protection Requirement:

OPTIONAL

Skills/Resources:

>Advanced Webmaster
>File manager or FTP Software

THE THREAT
File permissions may not be set correctly, allowing hackers to access sensitive files.

THE OBJECTIVE
Change the file permissions

PROPOSED SOLUTION
WordPress allows various files to be writable by the web server, but allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

The solution is to lock down your file permissions as much as possible and to loosen those restrictions only on the occasions when you need to allow write access, or to create specific folders with fewer restrictions for purposes such as uploading files.

Recommended permission scheme:

All files should be owned by your user account and should be writable by you. Any file that needs write access from WordPress should be writable by the web server; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the web server process.

/
The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/
The WordPress administration area: all files should be writable only by your user account.

/wp-includes/
The bulk of WordPress application logic: all files should be writable only by your user account.

/wp-content/
User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:

/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.

/wp-content/plugins/
Plugin files: all files should be writable only by your user account.

Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

How to change file permissions

1. Use File Manager provided with hosting control panel (if available)

2. Use a Secure FTP program

3. Enter commands manually

If you have shell access to your server, you can change file permissions recursively with the following commands:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
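
Before or after running those commands, you can check which paths break the scheme described above. The script below is an added example, not part of the original page: it only reads the tree and changes nothing, and the finding labels (WORLD-WRITABLE, GROUP-WRITABLE, PLUGIN-WRITABLE, WRONG-OWNER) and the optional owner argument are names made up for this example.

```sh
#!/bin/sh
# Added example: read-only audit of a WordPress tree against the scheme above.
# Usage: sh audit.sh /path/to/your/wordpress/install/ [owner-uid]
# Assumption: owner-uid defaults to the account running the script.

audit_wp_perms() {
    root=${1%/}
    owner=${2:-$(id -u)}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # World-writable is never part of the scheme, anywhere in the tree.
        find "$root" \( -type f -o -type d \) -perm -002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} +

        # Group write is only expected under wp-content/ and on the root
        # .htaccess, the two places the web server may need to write.
        find "$root" -path "$root/wp-content" -prune -o \
            \( -type f -o -type d \) -perm -020 ! -path "$root/.htaccess" \
            -exec printf 'GROUP-WRITABLE %s\n' {} +

        # Plugin files live under wp-content/ but should still be writable
        # only by your user account.
        if [ -d "$root/wp-content/plugins" ]; then
            find "$root/wp-content/plugins" \( -type f -o -type d \) \
                -perm -020 -exec printf 'PLUGIN-WRITABLE %s\n' {} +
        fi

        # Every file should be owned by your user account.
        find "$root" ! -user "$owner" -exec printf 'WRONG-OWNER %s\n' {} +
    )

    # Print findings, one per line; exit status 0 means the tree is clean.
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_wp_perms "$@"; fi
```

Theme files are not flagged for group write, because the scheme allows it when the built-in theme editor is in use.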

Regarding Automatic Updates

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, so they are writable only by the user and readable by everyone else, including the web server.

MORE ADVANCED
none

NEED HELP?
If you need help implementing this and other security measures then Virtual Webmaster Services can help. Visit Virtual Webmaster Services

RESOURCES
This page explains WordPress file permissions:

http://premium.wpmudev.org/blog/understanding-file-permissions/