Installing security plugins is a good practice and a must for every WordPress website. However, if your file-system permissions aren’t set up correctly, most of your security measures could be easily bypassed by intruders.

Permissions and ownership are quite important in WordPress installations. Setting these up properly on your Web server should be the first thing you do after installing WordPress. Having the wrong set of permissions could cause fatal errors that stop your website dead. Wrong permissions can also compromise your website and make it prone to attacks.

Users and groups are important because they define the privileges on all of our files and folders. The owner of a file normally has full privileges on it; other users who belong to the same group have fewer privileges on it; everyone else might have no privileges on it at all. These privileges are what we call permissions.

Permissions dictate what users can do with a file. A permission is represented by a set of numbers, such as 644 or 777, referred to as a permission mode. If you have used plugins in WordPress before, then you’ve most likely been asked by some of them to change the permissions of a file or directory because the plugin can’t write to it. By changing the file’s permissions, you are allowing the Web server to gain access to that file or folder.

Think of a permission mode as a set of “who can do what” statements, in which each digit corresponds to the “who” part of the statement:

First digit. What the user of the account that owns the file can do

Second digit. What other user accounts in the owner’s group can do

Third digit. What the user accounts of everyone else (including website visitors) can do

Each digit is the sum of any combination of these values:

4 Read a file, or read the names of the files in a folder

2 Write or modify a file, or modify the contents of a folder

1 Execute or run a file, or access the files in a folder

Using the correct permission mode is very important.

If you have access to your server’s terminal, you can also use the chmod command to change the permission mode of a file or folder:

sudo chmod 644 <file_name>

644 is a good permission mode for our PHP script files: we can make changes to them, and our Web server can read them.

The owner’s privileges are “read” (4) + “write” (2) = 6

The owner’s group privileges are “read” (4) = 4

Everyone else’s privileges are “read” (4) = 4

If we own the script, we may read and modify it;

everyone else may only read it.

777 is a bad permission mode for anything on our WordPress website, because any visitor would be able to add files to our directory or even delete scripts.

Worse, anyone would be able to put in malicious code and compromise our website.

The owner’s privileges are “read” (4) + “write” (2) + “execute” (1) = 7

The owner’s group privileges are “read” (4) + “write” (2) + “execute” (1) = 7

Everyone else’s privileges are “read” (4) + “write” (2) + “execute” (1) = 7

Anyone may get a list of file names in our folder;

anyone may create, modify and delete any file in our folder;

anyone may access the files in our folder.

First, we need to adjust the file and folder ownerships of our WordPress files. We’ll have to make sure of the following:

That your user account is the owner of all WordPress files and folders,

and that your user account and the Web server’s user account belong to the same group.

Then, to find out the groups that your Web server belongs to, you can temporarily insert this PHP snippet in one of your WordPress scripts:

echo exec('groups'); // prints the groups of the account the Web server runs as

PERMISSIONS FOR WORDPRESS

All of our files and folders should now have the correct ownership. Now it’s time to adjust the permission modes. To make things simpler, you’ll only need to remember the following:

All files should be 664.

All folders should be 775.

wp-config.php should be 660.

Our user account may read and modify our files.

WordPress (via our Web server) may read and modify our scripts.

WordPress may create, modify or delete files and folders.

Other people may not see our database credentials in wp-config.php.

WordPress needs write permission to create and modify files. This is what lets us upload and remove themes and plugins, and even edit scripts and styles, from the administrative back end.

Without this type of permission, we would have to manually upload themes and plugins every time using FTP.

Setting your wp-config.php to 660 might stop your website from working. In this case, just leave it at 664.

A common mistake people make is to set the uploads folder to 777. Some do this because they get an error when trying to upload an image to their website, and 777 quickly fixes this problem. But never give unlimited access to everyone, or else you’ll make the Web server vulnerable to attack.
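As an added example (not code from the original article), the following POSIX shell script audits a WordPress tree against the modes recommended above, flags anything world-writable such as a 777 uploads folder, and applies the recommended modes with chmod. The function names and the constructed demo tree are assumptions made here.

```shell
#!/bin/sh
# Audit a WordPress tree against the modes recommended above
# (files 664, folders 775, wp-config.php 660, nothing world-writable).
# Added example: function names and the demo tree are assumptions, not from the article.

# Print one line per path whose mode deviates from the recommendation.
audit_wp() {
    root="$1"
    find "$root" -type d ! -perm 775 -exec printf 'DIR  %s (want 775)\n' {} \;
    find "$root" -type f ! -name wp-config.php ! -perm 664 \
        -exec printf 'FILE %s (want 664)\n' {} \;
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 660 \
            -exec printf 'CONF %s (want 660)\n' {} \;
    fi
    # World-writable entries (the 777 mistake) are the ones to fix first.
    find "$root" -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
}

# Number of reported deviations; 0 means the tree matches the recommendation.
count_violations() {
    audit_wp "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes with chmod, as the article describes.
fix_wp() {
    root="$1"
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f -exec chmod 664 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 660 "$root/wp-config.php"
    fi
}

# Constructed demo tree (not a real site): a 777 uploads folder and a
# wp-config.php left at 664, the two mistakes discussed above.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\n' > "$d/index.php"
    printf '<?php define("DB_PASSWORD", "placeholder");\n' > "$d/wp-config.php"
    chmod 775 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"
    chmod 664 "$d/index.php" "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Usage: d=$(make_demo); audit_wp "$d"; fix_wp "$d"; count_violations "$d"
```

Run `audit_wp` against a real site root first and review the list before calling `fix_wp`, since a site that needs wp-config.php at 664 (see above) will be reported as a deviation.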

Hope this blog helps you improve your WordPress security.