
Secure WordPress chmod: A Guide to correct file permissions

WordPress Security


WordPress powers a large share of the web because it is a flexible, easy-to-use CMS. That popularity also makes it a target for attackers. One of the essential ways to improve your WordPress site's security is to set proper file permissions. This article walks you through securing a WordPress installation with the chmod command, following best practices.

Understanding chmod file permissions

In Unix-like systems, the chmod command changes the permissions of files and directories. Permissions define who can read, write, or execute a file; for directories, they define who can list the contents or traverse into the directory. They are essential for basic security. The main permissions are read (r), write (w) and execute (x).

An actual permission is any combination of these three; for example, rw- grants read and write but not execute.

Permissions are set for three classes of users, in this order: the file owner, the group, and others.
A full chmod permission therefore consists of three permission triplets, one per class, e.g. rwx rw- r--, which means the owner may perform any operation, members of the group may read and write, and any other user may only read the file.

The rwx permissions have a numeric (octal) representation: r counts 4, w counts 2 and x counts 1, and the values of a triplet are added together. Quick shortcuts to memorize are 7 for rwx, 6 for rw-, 5 for r-x and 4 for r--.

rwx is the most permissive setting, and you should strive to reduce its usage. This is why 777 is the most insecure mode: it allows any user on the system to do anything to a file that carries it.

The WordPress Codex and security experts recommend restrictive chmod settings; the ones applied in this guide are 750 for directories, 640 for files and 600 for wp-config.php.

These settings ensure that only authorized users can modify files and directories, reducing the risk of unauthorized changes or security breaches.

It is crucial to run your web server with the correct user, group and permissions setup before adjusting WordPress file permissions.
For details, read our guide: NGINX and PHP-FPM. What my permissions should be?

Setting Secure Permissions with chmod

Secure Directories:

find /path/to/wordpress -type d -exec chmod 750 {} \;

This sets directory permissions to 750: the owner can read, write and enter (execute) the directory, the group can list and enter it, and others have no access at all.

Secure Files:

find /path/to/wordpress -type f -exec chmod 640 {} \;

This sets file permissions to 640: the owner can read and write, the group can read, and others have no access at all.

Secure wp-config.php:

chmod 600 /path/to/wordpress/wp-config.php

This restricts wp-config.php, a critical WordPress configuration file that holds the database credentials, to be readable and writable only by the owner.

Excluding .git Directories

When setting permissions, it’s essential to exclude .git directories to preserve their integrity and prevent unauthorized access. Use the -not -path '*/.git*' option with find to exclude these directories.

Automating with Bash Scripts

For convenience, you can automate the permission-setting process with a bash script. This script would use the find command to set the recommended permissions and exclude .git directories.

Monitoring and Maintenance

Regularly check and correct file permissions, especially after installing new plugins or themes. Tools and scripts are available that can monitor your file permissions and alert you to any changes.
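Putting the previous three sections together, here is an added example script (my own, not the article's or GetPageSpeed's code). It applies the 750/640/600 modes while skipping .git directories, and a second function audits an installation and reports every path whose mode has drifted from the recommended value, which is the "monitor and alert" step described above. It assumes the WordPress root is passed as its argument and that ownership has already been set up as the linked NGINX/PHP-FPM guide describes; it changes only modes, never owner or group. The function names are my own.

```shell
#!/bin/sh
# Added example: apply the article's recommended modes (750 directories,
# 640 files, 600 wp-config.php) below a WordPress root, skipping .git, and
# audit the tree for drift. Assumes ownership is already correct; the
# script never touches owner/group, only modes. Function names are mine.

set -eu

# Apply the recommended modes below $1 (the WordPress root directory).
secure_wp_permissions() {
    root=$(cd "$1" 2>/dev/null && pwd) || { echo "not a directory: $1" >&2; return 1; }

    # Directories: owner rwx, group r-x (list/traverse), others nothing.
    find "$root" -type d -not -path '*/.git*' -exec chmod 750 {} +
    # Files: owner rw-, group r--, others nothing.
    find "$root" -type f -not -path '*/.git*' -exec chmod 640 {} +
    # wp-config.php carries the database credentials: owner only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Report every path below $1 whose mode differs from the recommended one.
# Prints "<expected-mode> <path>" per offender and returns 1 if any exist,
# so it can drive a cron job or a monitoring check.
audit_wp_permissions() {
    root=$(cd "$1" 2>/dev/null && pwd) || { echo "not a directory: $1" >&2; return 1; }
    drift=$(
        find "$root" -type d -not -path '*/.git*' ! -perm 750 | sed 's/^/750 /'
        find "$root" -type f -not -path '*/.git*' \
            ! -path "$root/wp-config.php" ! -perm 640 | sed 's/^/640 /'
        find "$root" -path "$root/wp-config.php" ! -perm 600 | sed 's/^/600 /'
    )
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Stand-alone use:  sh secure-wp.sh /path/to/wordpress           (fix, then audit)
#                   sh secure-wp.sh --audit /path/to/wordpress   (report only)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--audit" ]; then
        audit_wp_permissions "${2:?usage: --audit <wordpress-root>}"
    else
        secure_wp_permissions "$1"
        audit_wp_permissions "$1"
    fi
fi
```

Running the audit mode from cron after plugin or theme updates gives you the "alert on changes" behaviour without a third-party tool: a non-zero exit status plus the printed list is enough for most monitoring setups. Note that the audit deliberately treats wp-config.php as its own case, since its expected mode (600) differs from every other file.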

Conclusion

Setting the correct file permissions is a fundamental step in securing your WordPress site. By understanding and implementing the recommended permissions using the chmod command, you can protect your site from many common vulnerabilities. Remember, security is an ongoing process, and regularly reviewing and updating your permissions should be part of your routine maintenance.

By following these best practices, you can significantly enhance the security posture of your WordPress site, protecting it against unauthorized access and potential exploits.
