Permissions on WordPress files as well as security best practices

  • Resolved lbon

    (@lbon)


    11 years, 5 months ago

    New to WordPress, so please forgive me if my question is to easy.

    Been sitting and messing with updating a WordPress testinstallation. I constantly got prompted to supply FTP-login for the updates. The WP-box is not running FTP, and there are no purpose for it to run it, so I would rather not enable it.

    I googled the net and found many with similar problems, and I was around messing with editing WP config php-files… and I ended up giving 777 access to everything. Even that did not solve it.

    The, I actually read the documentation on this side (yes, I know… it is always a good thing to do), and it seems that the problem was, that the apache user was not the owner of the file. 777 is simply not enough.

    Which leads me to: Where can you find an official document describing which permissions are an absolute minimum for a WP installation to work? I would like to know before I put the site public. Any other security enhancement documents and best practices would be nice to know.

    Regards, Lars.

Viewing 8 replies - 1 through 8 (of 8 total)
  • secconsult

    (@mvis)

    11 years, 5 months ago

    Hello lbon,

    to install updates/plugins without ftp you should add the following line to your wp-config.php:

    define(‘FS_METHOD’,’direct’);

    somewhere where other define() are written as well.

    For security best practices read: http://codex.wordpress.org/Hardening_WordPress
    I have written a plugin that can help you identify violations of the security best practices, you can give it a try (MVIS Security Center).

    Stefan

    Thread Starter lbon

    (@lbon)

    11 years, 5 months ago

    Yup – fs-direct was one of the things I found out by googling, but it was not enough.

    Great link about security and you plugin! I will give it a go.

    Reg. the link. It says:

    “The WordPress administration area: all files should be writable only by your user account.”

    What is “your user account” here. The account that the webserver is running under or the account that I use to logon to the console?

    Regards, Lars.

    secconsult

    (@mvis)

    11 years, 5 months ago

    Hello Lars,

    Are you on a shared host or is it your own box?
    Normally, you will have a dedicated (linux) user account and the group ownership belongs to the webserver. When only allowing your dedicated user has write permissions then no other user on the shared host that uses the same webserver group can write your files.

    Let me know if this helped to clarify, or if you have any other questions.

    Stefan

    Thread Starter lbon

    (@lbon)

    11 years, 5 months ago

    It is running on my own OpenBSD box and will still be running on this when it goes live.

    www is owner on all files and as it is now, chmod is 777 everywhere… I would like to correct this before going “live” (-;

    Therefor I would like to have some knowledge about minimum required permissions for WP to run correctly.

    Regards, Lars.

    esmi

    (@esmi)

    11 years, 5 months ago

    Have you reviewed Hardening_WordPress?

    Thread Starter lbon

    (@lbon)

    11 years, 5 months ago

    Yup, secconsult send that link to me too.

    Even before reading this, I have done my own hardening. For instance… instead of accessing /wp-admin directly on port 80, you will have to access it through VPN and similar things.

    The only point where I am a bit unclear is how to optimally set chown and chmod for the WP files. Even after reading the document both of you provided.

    Regards, Lars.

    secconsult

    (@mvis)

    11 years, 5 months ago

    Hello Lars,

    in this case things will be considerably easier for you, because you got the power 🙂
    Add another user that owns all files and give the webserver user read and execute permissions for the group. This way, if someone were to hack you they would only be getting the rights of the webserver user (which can only read files) and

    so basically let’s say your user is called lars and your webserver is called www-data then you might want to do:
    chown -R lars /var/www/wordpress/
    chgrp -R www-data /var/www/wordpress/
    chmod -R 750 /var/www/wordpress/ (assuming wordpress is installed in that directory.
    This gives your user “lars” full permissions, your webserver all necessary permissions to make WordPress function properly.

    If you have problems with automatic updating read this passage here: http://codex.wordpress.org/Hardening_WordPress#Regarding_Automatic_Updates

    Stefan

    Thread Starter lbon

    (@lbon)

    11 years, 5 months ago

    I have got the power since 2001 (-;

    In the above case, I have to be authenticated as lars on the wordpress server. I do not use basicauth on the server, but I limit “dangorous” files only to be access through VPN or a certain RFC1918 net.

    Mayby I can put authenticate just when doing the updates…

    Will think of it…

    Thanks!

    Regards, Lars.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Permissions on WordPress files as well as security best practices’ is closed to new replies.