Setting the Right Permissions to Protect Your Wordpress Website

By jones, 30 January, 2015

When we talk about WordPress security, we usually reach for a security plugin and install it on the site. However, even with a plugin in place, most of what it protects can be bypassed if the file permissions underneath are wrong: a world-writable PHP file can be replaced by any process on the server, plugin or no plugin. Unfortunately, file permissions are the last thing on most WordPress users' minds, when they should be the first thing set up on a new WordPress site or blog. The wrong set of file and directory permissions can break your site's functionality and leaves it open to attack.

In this post, I'll explain what file and directory permissions are and walk you through setting the correct WordPress file permissions to keep the site secure.

What Are File Permissions?

Computer systems are built on file systems, in which every file and directory carries permissions that determine who can “read”, “write” and “execute” it. On a WordPress site the same rules decide, for example, which accounts may read and write inside the wp-content directory.

Just like files, directories have read, write and execute permissions, but the three bits mean something different on a directory: read lets you list its entries, write lets you add, rename or delete entries, and execute lets you enter it and reach the files inside.

File Permissions

  • Read: Determines whether the user can read the file's contents.
  • Write: Determines whether the user can modify the file's contents.
  • Execute: Determines whether the user can run the file as a program or script. Note that there is no separate “delete” permission on a file: deleting a file is controlled by the write permission on the directory that contains it.

Directories

  • Read: Determines whether the user can list the names of the files in the directory.
  • Write: Determines whether the user can add, rename or delete files within the directory (together with execute).
  • Execute: Determines whether the user can enter the directory and access the files inside it by name. Without it, a user cannot reach a file in the directory even if the file itself is readable.

Users and Groups

Before discussing how to set file and directory permissions for WordPress, it is important to know what users and groups are, because permissions are always defined in terms of them.

A user is an account that has access to a computer system (or server), while a group is a named set of users. For instance, you need a user account on your web server to transfer files via FTP, and depending on how that account was set up, you (the user) will belong to one or more groups.

Ownership

Before proceeding further, you should also have a basic understanding of ownership. Every file and directory has an owner and a group, and the permissions are split across three classes of people who could access it:

  • The user who owns the file (normally the one who created it).
  • Users in the group to which the file belongs.
  • Everyone else (“others”): users who neither own the file nor belong to its group.

The mode assigns each class its own set of read, write and execute rights. Typically the owner gets the most and everyone else the least, but that is a convention, not a rule: the numbers decide what each class may do, as the next section shows.

Setting Permission Mode for WordPress

Now that you are familiar with users and groups and have an idea about ownership, let's talk about setting file permissions. A permission set is usually written as three octal digits, such as “644” or “777” (also called the permission mode): the first digit is for the owner, the second for the group and the third for everyone else.

Directories should have the permission mode 755 and files 644. If a directory genuinely has to be writable by a process other than the owner (for example the web server writing into wp-content/uploads), widen it as little as possible, normally by making it group-writable (775) with the web server in that group, rather than jumping to 777.

A WordPress file with a permission mode of 644 is broken-down as follows:

The owner can “read” (4) + “write” (2) = 6
The owner’s group can only “read” (4) = 4
Everyone can only “read” (4) = 4

In a nutshell, this means that:

The owner of the PHP script can read as well as modify it;
The owner's group and everyone else can only read the script.

Any WordPress folder with a permission mode of 777 breaks down as follows:

The owner can “read” (4) + “write” (2) + “execute” (1) = 7
The owner's group can “read” (4) + “write” (2) + “execute” (1) = 7
Every other user can “read” (4) + “write” (2) + “execute” (1) = 7

In essence, this means that:

Anyone can access a list of file names stored in our folder;
Anyone can create, modify and even delete our folder file(s);
Anyone can access all the files stored in the folder.

This clearly shows that 777 is a bad permission mode. Any other account or process on the server, such as another customer's account on a shared host or a compromised plugin running as the web server user, can add files to the directory, delete your scripts, or, in the worst case, drop a PHP backdoor there and take over the site. So all of your WordPress files should be owned by your own user account (the one you use for FTP, SFTP or SSH), and they should be writable by that account. Keep in mind that on shared hosts your website files must not be owned by the web server user itself, because anything running as that user, including other tenants' scripts, could then rewrite them.

What's more?

To write to a file, a user must own it or belong to a group that has write access to it. So set your site's permissions as follows: all files 644 and all directories 755, and use 775 only on the specific directories the web server must write to (such as wp-content/uploads), with the web server's group set as the directory's group. For example, from the WordPress root directory, to change all files to the permission mode 644 use the following command (sudo is only needed if your account does not own the files):

sudo find . -type f -exec chmod 644 {} +

And to change all of your folders permission mode to 755 use:

sudo find . -type d -exec chmod 755 {} +
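The two find commands above set the baseline; the script below is an added example (not code from the original post) that applies the same baseline and then audits the tree for anything still world-writable or off-baseline. It runs against a small constructed stand-in for a WordPress install, with two deliberately bad modes, so it is safe to try; to use it on a real site, call apply_baseline and the two audit functions with your WordPress root instead.

```shell
#!/bin/sh
# Added example (not from the original post): apply the 644/755 baseline
# to a WordPress tree, then audit the tree for anything still world-writable
# or off-baseline. Works on a constructed throwaway tree; run apply_baseline
# and the audit functions against your real WordPress root to use them for real.
set -eu

# Build a small stand-in for a WordPress install with two deliberately
# bad modes. Constructed sample data, not a real site.
make_sample_site() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    : > "$root/wp-content/plugins/demo/demo.php"
    chmod 777 "$root/wp-content/uploads"                 # world-writable directory
    chmod 666 "$root/wp-content/plugins/demo/demo.php"   # world-writable file
    printf '%s\n' "$root"
}

# The baseline from the post: every file 644, every directory 755.
apply_baseline() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Count entries whose mode has the "others may write" bit (-002) set;
# 777 directories and 666 files both match.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Count entries that deviate from the 644/755 baseline, in either direction.
count_off_baseline() {
    {
        find "$1" -type f ! -perm 644
        find "$1" -type d ! -perm 755
    } | wc -l | tr -d ' '
}

# List the offenders so you know what to fix (or what to justify, e.g. an
# uploads directory you deliberately made group-writable).
list_off_baseline() {
    find "$1" -type f ! -perm 644 -exec ls -ld {} +
    find "$1" -type d ! -perm 755 -exec ls -ld {} +
}

site=$(make_sample_site)
echo "before: $(count_world_writable "$site") world-writable, $(count_off_baseline "$site") off-baseline"
list_off_baseline "$site"
apply_baseline "$site"
echo "after:  $(count_world_writable "$site") world-writable, $(count_off_baseline "$site") off-baseline"
rm -rf "$site"
```

The audit is the part worth keeping around: run count_world_writable against the site root after every plugin install or migration, and treat any non-zero result as something to explain.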

Changing File Permissions Using an FTP Client

In order to change the permissions for your website files and directories on your remote web server, you'll need to use an FTP client (or program). Your FTP program will let you set file permissions, by right-clicking on the file and selecting “chmod” or “set permissions” from a menu option.

After selecting that menu option, a permissions dialog appears (the original post shows a screenshot of it here), with a checkbox for each read, write and execute bit of the owner, group and others, plus a “Numeric value” field.

To alter the permissions, replace the numeric value with the mode you want: 644 for a file or 755 for a directory. Do not enter 666 or 777; the second and third digits would then give write access to the group and to everyone else. Finally, click OK to apply the change.

Changing File Permissions Using the Command Line

If you have SSH access to your hosting account, you can change the file permissions with the chmod command (the preferred method for experienced users). Before using it, go through a chmod tutorial or two and get familiar with what it can do, because setting the wrong permissions can take your site offline.

If a process (usually the web server) needs to write somewhere under your wp-content directory, do not make every file and folder in it writable; try the narrowest change first. For instance, change only the directory that needs to be written to. Substitute DIR with that directory and try these modes in turn, stopping at the first one that works:

chmod -v 746 DIR
chmod -v 747 DIR
chmod -v 756 DIR
chmod -v 757 DIR
chmod -v 764 DIR
chmod -v 765 DIR
chmod -v 766 DIR
chmod -v 767 DIR

If none of the commands above lets the process write, you can repeat them with “-R” in place of “-v”. Note the difference: -v only makes chmod report what it changed, while -R applies the mode recursively to every file and subdirectory below DIR, which is a much bigger change. Also be aware that six of the eight modes above (746, 747, 756, 757, 766 and 767) put the write bit on “others”, so they are only marginally better than 777; only 764 and 765 keep others read-only. The cleaner fix is to give the web server's group write access instead: chgrp the directory to that group and set it to 775 (or 2775, so new files inherit the group), leaving others without write. Only if nothing else works should you fall back to 777, and then treat it as a temporary diagnostic step and revert it as soon as you have found the real cause.
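To see what the trial modes above actually grant, and what the group-based alternative looks like, here is an added example (not code from the original post or from the WordPress documentation). It decodes each mode into the classes it lets write, then grants write access on a throwaway directory through the group and the setgid bit rather than through the “others” bits. The group name is an assumption: on a real host use whatever the web server runs as (www-data, apache, nginx and so on); the example uses the caller's own primary group as a stand-in.

```shell
#!/bin/sh
# Added example (not from the original post): decode the modes in the
# trial list to see which classes each one lets write, and show the
# alternative of granting write access through the directory's group
# instead of through the "others" bits. The group used below is the
# caller's own primary group, standing in for the web server's group.
set -eu

# Print which classes (owner, group, others) a numeric mode lets write.
# Accepts 3- or 4-digit octal; only the last three digits carry rwx bits.
who_can_write() {
    bits=$1
    bits=${bits#"${bits%???}"}          # keep the last three digits
    u=${bits%??}; rest=${bits#?}; g=${rest%?}; o=${rest#?}
    out=""
    if [ $((u & 2)) -ne 0 ]; then out="${out}owner,"; fi
    if [ $((g & 2)) -ne 0 ]; then out="${out}group,"; fi
    if [ $((o & 2)) -ne 0 ]; then out="${out}others,"; fi
    printf '%s\n' "${out%,}"
}

# Give a group write access to a directory without touching "others":
# chgrp to the web server's group, 775 for the rwx bits, and the setgid
# bit (the leading 2) so files created inside inherit that group.
grant_group_write() {
    chgrp "$2" "$1"
    chmod 2775 "$1"
}

# "yes" if the directory itself is writable by others, else "no".
others_writable() {
    if [ -n "$(find "$1" -prune -perm -002)" ]; then echo yes; else echo no; fi
}

# "yes" if the setgid bit is set on the directory itself, else "no".
is_setgid() {
    if [ -n "$(find "$1" -prune -perm -2000)" ]; then echo yes; else echo no; fi
}

# Decode the post's trial list plus the three modes discussed earlier.
for m in 755 775 777 746 747 756 757 764 765 766 767; do
    printf '%-4s writable by: %s\n' "$m" "$(who_can_write "$m")"
done

# Demonstrate the group-based alternative on a throwaway directory.
d=$(mktemp -d)
grant_group_write "$d" "$(id -gn)"
echo "others writable: $(others_writable "$d"), setgid: $(is_setgid "$d")"
rmdir "$d"
```

The decoded list makes the point of the caveat visible: every mode in the ladder whose last digit is 6 or 7 is world-writable, so walking through them buys little over 777. Granting the web server's group write access on just the directory keeps “others” read-only, and the setgid bit means files the web server creates stay in that group, so your own account keeps full access to them.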

Conclusion

This post gave you a basic understanding of setting proper file permissions on a WordPress site and of why that keeps your site secure: files at 644, directories at 755, write access widened only where a specific directory needs it, and the 777 mode avoided because it lets anything on the server rewrite your files. It also showed how to change file permissions with an FTP program or from the command line.

About the Author-
As a certified developer at OSSMedia Ltd, Edward Jones has extensive expertise in WordPress and provides concrete information on WordPress-related tips and trends. If you need to hire a WordPress programmer, get in touch with him via his Twitter and Google+ handles. With a total of five years of experience in WordPress development, Edward has delivered numerous projects within the allotted time frame.