Read this post so your site doesn’t get hacked.
File permissions demystified
Have you ever seen file permissions listed as 755 or 644? Do you realize how different and important those numbers are?
The WordPress Codex has a great primer on file permissions settings. Here’s a screenshot for quick reference:
By studying the information in the screenshot above, you’d understand that anyone could access (and do whatever they want to) your site if you gave them permission to. For instance, you definitely don’t want a 7 for the last number of any of your configuration or control files, like wp-config.php. 777, the most permissive (least secure) settings, is dangerous.
What should my permissions be?
Firstly, we need to know what our permissions are. Secondly, we need to know if they’re correct and, if not, how to apply the proper permissions to secure our site while leaving it usable to our beloved visitors.
Thankfully, a WordPress plugin provides both the recommended settings and the current settings for each file. It’s called WP File Permissions & Size Check.
The plugin states:
General rule of thumb: Folders set to 755 or 750. Files set to 644 or 640. Important files (wp-config.php) should have more strict permissions like 600.
Once installed (only works for Linux-based servers, not Windows-based servers), you can navigate to Settings -> File Permission Checker. After a few minutes, your results will appear. They will be grouped by WordPress folders (/, /wp-admin, /wp-content, and /wp-includes), as displayed below.
Here are some screenshots of the plugin in action on a for-testing-purposes-only website (i.e. don’t copy these settings; they’re just screenshots, not recommendations). Each line shows a folder’s or file’s permissions and, for your convenience, size on disk:
Another security plugin, Bulletproof Security, limits its scan to your most important files and directories. It also provides a comparison of recommended and current permissions:
How to Change File Permissions
The WordPress Codex page provides a solid walk-through of changing a file’s permissions using an FTP program or command line editor.
Here are the key points from this post:
- Giving the world, yes the world, full access will likely result in a hacked site.
- Permissions should be set at the most restricted level at which the site still functions. Permissions of 000 is ultra-secure but unusable.
- The recommended settings for folders/directories and files may change from web host to web host, but keep the general guidelines in mind.
- This post and the referenced plugins only apply to Linux-based servers, not Microsoft-based servers, because of the different permissions models.
I hope you take some time to review your current permissions and make the recommended changes, keeping permissions in a limited but usable balance.
Credit: Burglar Alarm image by ellenm1