Hello Jesper,
in an ideal world file/directory permissions would be set to 750. So only your user can write them, the group (e.g webserver) can read them and nobody else can do anything with the resources.
Of course sometimes it depends on whether you want to be able to change files from within the WordPress admin interface in which case you could need 770 permissions.
But, depending on the way user/groups are configured on your server this might not be possible and that’s when suddenly 775 is needed, because e.g the webserver is not in the group and can’t access the files unless everybody gets read access to it.
So the next question would be, do you own the server and are able to make arbitrary changes, or is this a precondition that you can’t change?
Another thing to consider is whether the server is shared, or if it is a server that only you have access to. Obviously on shared servers giving everybody read rights to your wp-content folder could have severe security implications.
Either way check out what WordPress has to say regarding file permissions at the WordPress Security Codex.
Thanks for clarifying! Unfortunately I’m not hosting the specific page myself (my own hosting environment uses IIS and here it is no problem for me to limit the permissions).
I will have to get in contact with the host and see if there are any way I could lower the permission setting without conflicting with the upload functionality. Hopefully they have experience of wordpress-using-clients. Otherwise perhaps they could set the permission for the specific user on the folder or similar!?
Otherwise I will have to leave the upload folder 777 and set the other folders to 750 when not updating themes or plugins.
Thanks for your informative answer!
/Jesper
Quick response from my great hosting company… Ilait.com! Well, they told me that 777 will not give public write permissions to “the whole world” but only to the users on the server. Due to the “sandboxed” setup the users on the server getting this access is only the ftp-user (vweb) and the appache user (www-data) and, of course the root account.
Setting the www-data as a member in the group vweb and setting chmod to 770 would apparently not be less of a security hazard since the root already has full access anyway…
/Jesper Wilfing
Hello experts,
I am WordPress developer having 3 years of experience. I currently set up multi site WordPress. I am facing the problem regarding file permissions. When I gave 755 permissions to uploads folder than in Media file uploading error occur. Its working fine with 777 permission but its a big security whole.
Please help me to solve this issue.
Aryan
