WordPress.org

Forums

What permission do you suggest for wp-config? (13 posts)

  1. John Hoff
    Member
    Posted 3 years ago #

    I've been running my wp-config.php file at 644 file permission figuring the lower the number the more secure.

    But then I saw the WordPress Codex page here where it said to make it 750.
    http://codex.wordpress.org/Hardening_WordPress

    Would you say the 750 is better and does the 644 allow people to read the database?

    Thanks

  2. ClaytonJames
    Member
    Posted 3 years ago #

    The lower number is more secure. General rule of thumb:

    Directories 755, files 644 (sometimes the upload directory will require an exception). Permissions any lower that still permit functionality on your particular server setup are fine.

    "Note that if you are on a shared-server the permissions of your wp-config.php should be 750."

    I wonder if it should read "wp-config.php should be 750 or less"?

    I think the reasoning behind those instructions is that if you are in a shared hosting environment, and leave wp-config permissions above 750, it could be possible for other users on the same host to read your wp-config file.

  3. John Hoff
    Member
    Posted 3 years ago #

    Hi ClaytonJames.

    Yep... that's the rule of thumb I go by and preach. But then one of my customers brought that WordPress note in the Codex to my attention and I had to question it.

    The notable difference is that 644 has World Read while 750 does not, and in the Codex WordPress says:

    "It means that no other user will be able to read your database username and password."

    Just wondering if there's a relation there.

  4. ClaytonJames
    Member
    Posted 3 years ago #

    Changing permissions to 750 effectively removes both the "read" and the "execute" options for "others" or world. That seems to be prudent in a shared hosting environment. 640 will do the same thing, but sometimes is too restrictive to function. 644 seems to be fine for anything not requiring write access, but 750 effectively removes read, write and execute from other, so I guess I don't really see any reason why it should be a problem. Seems to make sense.

    Not really a whole lot of help, am I? :-)

  5. John Hoff
    Member
    Posted 3 years ago #

    It's all good. Thanks for trying to figure it out with me.

  6. John Hoff
    Member
    Posted 3 years ago #

    Just curious if anyone else might know which permission is better for the wp-config file.

    Thanks.

  7. Curtiss Grymala
    Member
    Posted 3 years ago #

    Since wp-config.php will never need to be executed as a program file, there is no need to set it to 750. The 7 and the 5 indicate that it is executable for the owner and the group that owns the file.

    If the website works with wp-config.php set to 600 (most restrictive - will only work if the file is "owned" by the same Unix user that runs apache), try that. If not, set it to 640 (still fairly restrictive; only the owner is allowed to modify the file, but any users - specifically the apache user - that might be in the group that owns the file can still read it). If that still doesn't work, set it to 644 (still, only the owner can modify the file, but all users with server-level access can read the contents).

  8. John Hoff
    Member
    Posted 3 years ago #

    Thank you Curtiss for such a detailed response.

    Curious why WordPress suggests the 750 setting?

  9. Curtiss Grymala
    Member
    Posted 3 years ago #

    The only reason I can think of for anyone suggesting a permission of 750 would be if you were trying to adjust permissions on folders and files at the same time.

    Since folders use permissions slightly differently than files, you would need to set them to 750 in order to allow the owner and the group to enter the directory. If you were trying to adjust permissions on folders and files at the same time, you'd have to set them to something like 750 instead of 640 (since 640 would stop even the file owner from being able to open the directory).

  10. ClaytonJames
    Member
    Posted 3 years ago #

    "set it to 644 (still, only the owner can modify the file, but all users with server-level access can read the contents)."

    That probably hits the issue pretty squarely on the head.

    Just to keep it in context, the suggestion for setting the wp-config file to 750 was in reference to accounts hosted on shared servers, and for just that reason, I would think. :-)

    "Note that if you are on a shared-server the permissions of your wp-config.php should be 750. It means that no other user will be able to read your database username and password."

  11. Curtiss Grymala
    Member
    Posted 3 years ago #

    Clayton - As I said, though, the only difference between setting a file to 750 and setting a file to 640 is the fact that the file with 750 is "executable". Since wp-config.php is not a file that ever needs to be executable for any reason, I can't understand the rationale of setting the permissions to 750 instead of 640.

    The reason I suggested 644 as the last resort is that, simply, some shared hosts are configured extremely poorly. On some accounts, the apache user is not the same as the FTP user, nor is it in the same usergroup as the FTP user; meaning that the file has to be readable by all in order for apache to be able to read it. It sounds stupid, I know, but there are more shared hosts configured like that than you'd expect.
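
The fallback order from posts 7 and 11 (600, then 640, then 644) can be worked out from who owns the file and who the web server runs as, instead of by trial and error. The sketch below is an added example, not code from any poster or from WordPress; it models only the classic owner/group/other check (no root, no ACLs), and all uid/gid values are constructed.

```python
import stat

# Candidate modes from the thread, most restrictive first.
CANDIDATES = (0o600, 0o640, 0o644)

def can_read(mode, file_uid, file_gid, uid, gids):
    """Unix read check: exactly one class applies (owner, else group, else other)."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def tightest_mode(file_uid, file_gid, web_uid, web_gids):
    """First candidate the web-server user can still read (0o644 always matches)."""
    return next(m for m in CANDIDATES
                if can_read(m, file_uid, file_gid, web_uid, web_gids))

def audit(mode, file_uid, file_gid, web_uid, web_gids):
    """Return a list of findings for a wp-config.php with this mode and ownership."""
    mode = stat.S_IMODE(mode)  # drop the file-type bits that os.stat() includes
    findings = []
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set but the file is never executed")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by users other than the owner")
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local user can read the DB credentials")
    best = tightest_mode(file_uid, file_gid, web_uid, web_gids)
    if mode != best:
        findings.append(f"tightest working mode is {best:o}")
    return findings

if __name__ == "__main__":
    # Constructed IDs: site owner 1001 (group 1001), web-server user 33 (group 33).
    hosts = [("PHP runs as the file owner (suexec)", 1001, {1001}),
             ("web user is in the owner's group", 33, {33, 1001}),
             ("web user is unrelated to the owner", 33, {33})]
    for label, web_uid, web_gids in hosts:
        print(f"{label}: {tightest_mode(1001, 1001, web_uid, web_gids):o}")
    print(audit(0o100750, 1001, 1001, 33, {33, 1001}))
```

On a real host, take the mode and ownership from `os.stat()` on wp-config.php and the web server's uid and group list from the `pwd` and `grp` modules.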

  12. ClaytonJames
    Member
    Posted 3 years ago #

    "I can't understand the rationale of setting the permissions to 750 instead of 640."

    I think it's because 640 permissions, in what appears to be a large number of shared hosting environments, may be too restrictive and result in failure.

    I think we're both probably saying the same thing, but from different approaches. The issue with the shared server seems to be (as I interpret it) "who can read my wp-config file" - because the database info is stored in wp-config. If you examine the read permissions for 750, then examine the read permissions for 644, you can draw your own conclusions about the "read" bit. Looking at 644 and 750 from a "who has read permissions" perspective only, seems to be quite suggestive of a permissions scheme for the wp-config file on shared hosting.

    Something else to consider: Shared Hosting with suexec
    "All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it."

    Some interesting reading, with some good links;
    Who’s Right? Network Solutions Or Matt
    More great reading:
    shared server permissions wp-config 750 755

    If you didn't happen to follow the GoDaddy and Network Solutions issues in 2010, you can add "network solutions" or "godaddy" to that search string for some additional in-depth discussions surrounding that, and other shared hosting issues and topics.

  13. KatyDigg
    Member
    Posted 2 years ago #

    Shared server - then should be 600 to prevent other users on the server from reading it.

This topic has been closed to new replies.