Support » Fixing WordPress » chmod/server permissions security issue (theme files trashed)

  • The theme files of my sites ( and ) were trashed and I had to restore them from my hard drive. The database wasn’t touched, just the theme files. This was a deliberate action: whoever it was had inserted a spam link to a spam site into the homepage’s theme files, only in the process they apparently wrecked theme so that it wouldn’t show (I think they hit one of the calls to one of the plugins).

    Anyway, I’m assuming this was because I was too liberal with the server permissions. I need the themes to be server-writable for the theme editor. So what is the precise chmod profile I should use for the theme files? I have checked the codex but never found anything.

Viewing 15 replies - 1 through 15 (of 15 total)
  • Mark (podz)


    Support Maven

    Directories 755
    Files 644
    that’s unless you need to write to files…. which are usually theme files at 666 or above – and that’s the main risk.

    Edit your theme and chmod down to 644 each time.

    Oh yes…

    “Dear Webhosting company,
    Do you take security seriously ?




    ya know.. I take issue with how you are tending to blame these sorts of issues on the host(s), podz .. No RESPONSIBLE WEB MASTER leaves WORLD-writable files on a server — no matter how secure ANY host is.


    OK, maybe I didn’t make it clear…WordPress comes with a ThemeEditor and a PluginEditor. These require that the files be writable. What folders need what permissions? Surely they don’t all need to be 666’d for those things to work? Wouldn’t *that* be a security issue? Yet when I’ve tried it with the server-permissions anything less than world-writable, the built-in admin editors didn’t work.

    By the way, I signed up with a new host that’s dedicated to WP, and they set everything to 777 by default!


    I’ve got a gripe with this too. It’s kinda annoying to have to chmod the theme directory that I’m editing and then remember to chmod it back when I’m done.

    Surely there is a better way to do this, no?

    Mark (podz)


    Support Maven

    @whooami – I do lay into hosts don’t I 🙂

    Site5, who I am with. My directories are all 755. My files are all 644. I can edit then however I want and not have to change permissions at all. So Site5 are taking the responsible view that as a host they know more about security than me. And because my site ‘just works’ in this secure state I’ve never had to ask about permissions so have never had to change any.
    However, I have installed into hosts where every single file has had to be 777 for WP to work. Honestly. That is an incredibly bad host – and their slack behaviour means that a user will automatically change permissions and reduce security because they know no other way.

    While it is the user’s responsibility if you know what you are doing and you screw up, I don’t think it’s the fault of a user whose host has not made their hosting environment as secure as possible. Users don’t need CHMOD, Permissions, -rw-r–r– and “If this file were writable you could edit it” – they will simply see ‘777 works’ and use that. I really don’t blame them – because a host can make it so very much better.

    A host should be thinking of a whole server many gigs in size with many websites on – setting security properly should be #1. So I do get what you are saying, but that’s why I say Yell at the host 🙂

    Mark (podz)


    Support Maven

    suziwon – if the Theme directory is 755, and the theme files are 666 that should be good enough.

    I’m sorry if I´m posting in the wrong thread, but maybe you could give me some tips. WordPress is installed in the root of my website and the past weekend I found out that it was hacked. I removed the index page the hackers inserted and added the default index page. But inside the wp-content folder, they put a folder called cache containing the users and passwords for my wordpress. I already contacted my webhosting but didn´t get any response. everytime I go to that folder, bam… Cache is back there, no matter how many times I delete it. I love wordpress too much and wouldn´t like to change my blogging tool. What should I do ?
    Thanks in advance

    I’ve just moved to A Small Orange – on a shared server – and it appears that if I don’t have the images folder set to 777, not only can I not upload images, but my visitors can’t even see them. This is ridiculous, no?

    Given that the ASO support forum is full of people moaning that folders they left set at 777 were hit by malware, and ASO themselves say do not set to less than 755, I don’t know what the solution is? (currently set to 755, with no pictures)

    Doh! I had a bit of .htaccess code in there which I had forgotten to personalise so that my own domain could use my pictures. So that should mean people can see my pictures.

    But the uploading question still remains.

    I heard nothing but good things about A Small Orange before I signed up, but now I’m here, if I can’t use image upload and theme editor without temporarily changing the CHMOD settings to 777 and then back again to 755 afterwards, it’s a real pain….

    Edited: Nevermind lol..

    I don’t understand it myself sometimes either, alot of people tell you not to set permissions to 777 ever, except for certain things, and yet on certain servers, it almost has to be set that way for certain things to work period. :/


    Paranoia rules OK. In this case, it’s probably a good thing having read all the hacks lately….

    I’ve just finished a perl program to chmod an entire branch working down from the current directory. You supply two arguments: directory permissions and file permissions. It doesn’t do any fancy tests for sockets, symbolic links, blocks etc. So it is simple and very fast.

    It’s saved me a lot of work… and if you need to guarantee going offline, you can zap your public_html to private permissions (with care) or any sub-branch that needs maintenance.

    If interested:
    f u r r t r a p A T f i r e f l y u k . n e t

    What should the permissions be for wp-config.php so that someone from the outside can’t read the name and password of the database?

    Mark (podz)


    Support Maven

    wp-config.php and indeed all core files should be 644

    podz, I just left a message at your website about a possible backdoor that may mean WP 2.0.2 is vulnerable to being hacked. I didn’t want to leave the code here.

    You may want to drop a note to the security contact from this page:

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘chmod/server permissions security issue (theme files trashed)’ is closed to new replies.