Support » Plugin: All In One WP Security & Firewall » Permission for wp-config.php

  • What´s the correct setting for this file?
    All In One WP Security wants to change current port 0600 to 0644.

    My host (with Plesk) has this info:
    The security check should verify that the permissions for the wp-config file are set to 600, for other files to 644, and for directories to 755. If the security check failed and you choose to secure the WordPress installation, permissions for files and directories will be changed in accordance with WordPress security policy: permissions for the wp-config file will be set to 600, for other files, to 644, and for directories, to 755.
    (If I run their check this option change)

    Who is not following the “WordPress security policy”? Both can´t be right 🙂

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor mbrsolution


    Hi our plugin follows the file permissions set out by WordPress. You can read the following documentation.

    Kind regards

    Link P


    The page you linked to explicitly warns *NOT* to leave wp-config.php permissions set to 644, yet the AIOWPS plugin suggests changing to that vulnerable state.

    644 makes the file world readable which will potentially expose the database credentials to any user on the host.

    Depending on the group assigned to the file 640 or 600 offer adequate protection.

    Would it be possible to update AIOWPS so that it does not encourage the user to expose database credentials?

    Plugin Contributor mbrsolution


    @link-p, I have submitted a message to the developers to investigate further your suggestion.

    Kind regards

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.