WordPress directory ownership (4 posts)

  1. teejmonster
    Posted 4 years ago #

    Let me preface this by saying that I have attempted to find an answer to my question in the forums. I swear I'm not trying to "noob" here.

    I have an interest in WordPress hardening. I found the following script that claims to simplify setting permissions and ownership:

    #!/bin/bash
    # This script configures WordPress file permissions based on recommendations
    # from http://codex.wordpress.org/Hardening_WordPress#File_permissions
    # Author: Michael Conigliaro <mike [at] conigliaro [dot] org>
    WP_OWNER=root # <-- wordpress owner
    WP_GROUP=root # <-- wordpress group
    WP_ROOT=$1 # <-- wordpress root directory
    WS_GROUP=www-data # <-- webserver group
    # refuse to run without a directory argument (an empty path would make find act on the current directory)
    [ -d "${WP_ROOT}" ] || { echo "usage: $0 <wordpress root directory>" >&2; exit 1; }
    # reset to safe defaults
    find "${WP_ROOT}" -exec chown "${WP_OWNER}:${WP_GROUP}" {} \;
    find "${WP_ROOT}" -type d -exec chmod 755 {} \;
    find "${WP_ROOT}" -type f -exec chmod 644 {} \;
    # allow wordpress to manage wp-config.php (but prevent world access)
    chgrp "${WS_GROUP}" "${WP_ROOT}/wp-config.php"
    chmod 660 "${WP_ROOT}/wp-config.php"
    # allow wordpress to manage .htaccess
    touch "${WP_ROOT}/.htaccess"
    chgrp "${WS_GROUP}" "${WP_ROOT}/.htaccess"
    chmod 664 "${WP_ROOT}/.htaccess"
    # allow wordpress to manage wp-content
    find "${WP_ROOT}/wp-content" -exec chgrp "${WS_GROUP}" {} \;
    find "${WP_ROOT}/wp-content" -type d -exec chmod 775 {} \;
    find "${WP_ROOT}/wp-content" -type f -exec chmod 664 {} \;

    The script modifies WordPress installs to look like this:

    drwxr-xr-x  0755  root  root     .
    -rw-r--r--  0644  root  root     index.php
    -rw-r--r--  0644  root  root     readme.html
    -rw-r--r--  0644  root  root     wp-activate.php
    drwxr-xr-x  0755  root  root     wp-admin
    drwxr-xr-x  0755  root  root     wp-admin\js
    -rw-r--r--  0644  root  root     wp-admin\index.php
    -rw-r--r--  0644  root  root     wp-app.php
    -rw-r--r--  0644  root  root     wp-atom.php
    -rw-r--r--  0644  root  root     wp-blog-header.php
    -rw-r--r--  0644  root  root     wp-comments-post.php
    -rw-r--r--  0644  root  root     wp-commentsrss2.php
    -rw-rw----  0660  root  www-data wp-config.php
    drwxrwxr-x  0775  root  www-data wp-content
    -rw-rw-r--  0664  root  www-data wp-content\index.php
    drwxr-xr-x  0755  root  www-data wp-content\plugins
    drwxr-xr-x  0755  root  www-data wp-content\themes
    -rw-r--r--  0644  root  root     wp-cron.php
    -rw-r--r--  0644  root  root     wp-feed.php
    drwxr-xr-x  0755  root  root     wp-includes
    -rw-r--r--  0644  root  root     wp-links-opml.php
    -rw-r--r--  0644  root  root     wp-load.php
    -rw-r--r--  0644  root  root     wp-login.php
    -rw-r--r--  0644  root  root     wp-mail.php
    -rw-r--r--  0644  root  root     wp-pass.php
    -rw-r--r--  0644  root  root     wp-rdf.php
    -rw-r--r--  0644  root  root     wp-register.php
    -rw-r--r--  0644  root  root     wp-rss2.php
    -rw-r--r--  0644  root  root     wp-rss.php
    -rw-r--r--  0644  root  root     wp-settings.php
    -rw-r--r--  0644  root  root     wp-signup.php
    -rw-r--r--  0644  root  root     wp-trackback.php
    -rw-r--r--  0644  root  root     xmlrpc.php

    With these permissions, WordPress fails to install plugins and updates. I believe that much of the issue is because "root" owns most of the directory, rather than "www-data".

    Is there any reason for me not to "chown www-data:www-data" the entire directory?

  2. With these permissions, WordPress fails to install plugins and updates.

    It's tricky. WordPress doesn't really need full ownership of everything for plugin and theme updates but I'm sure it needs that for WordPress version upgrades.

    Is there any reason for me not to "chown www-data:www-data" the entire directory?

    Doing it that way would be for convenience. That way every file and directory would be manageable by the web server user and wholesale upgrades would be a snap.

    The only reason you would not do it that way is for added security. It's more secure to have the files readable by www-data but not writable except for what's needed. Making the non-essential files and directories owned by root and set to 644 (files) and 755 (directories) accomplishes that.

    Unless you plan on having WordPress modify wp-config.php there really isn't a need for that either.
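
The policy described in the reply above (core files readable but not writable by the web server, only wp-content writable), turned into an audit, as an added example that is not part of the original thread. The function name `wp_perm_audit` and the finding labels are assumptions made for this example; the `www-data` default comes from the posted script.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a WordPress tree against the policy
# discussed above and prints one "FINDING<TAB>path" line per deviation.
# Usage: wp_perm_audit WP_ROOT [WEB_USER]  (WEB_USER may be a name or numeric
# uid; the www-data default is an assumption taken from the posted script).
# Returns 0 if clean, 1 if anything was found, 2 if WP_ROOT is not WordPress.
wp_perm_audit() {
    root=${1%/}
    web_user=${2:-www-data}
    [ -f "$root/wp-load.php" ] || { echo "not a WordPress root: $1" >&2; return 2; }
    findings=$(
        # World-writable is never needed, inside or outside wp-content.
        find "$root" ! -type l -perm -002 \
            -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
        # Core code (everything except wp-content, wp-config.php and .htaccess)
        # should be 644/755, so no group write bit ...
        find "$root" -path "$root/wp-content" -prune -o ! -type l \
            ! -path "$root/wp-config.php" ! -path "$root/.htaccess" -perm -020 \
            -exec printf 'CORE_GROUP_WRITABLE\t%s\n' {} \;
        # ... and must not belong to the web server user, or PHP can rewrite it.
        find "$root" -path "$root/wp-content" -prune -o ! -type l \
            ! -path "$root/wp-config.php" ! -path "$root/.htaccess" -user "$web_user" \
            -exec printf 'CORE_OWNED_BY_WEB_USER\t%s\n' {} \;
        # wp-config.php holds the database credentials: no access for "other".
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" \( -perm -004 -o -perm -002 -o -perm -001 \) \
                -exec printf 'WP_CONFIG_OTHER_ACCESS\t%s\n' {} \;
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit when the script is given a path (the path below is a placeholder),
# e.g.: sh wp_perm_audit.sh /var/www/wordpress
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$@"
fi
```

Run against a tree that has been recursively chowned to the web server user, every core path shows up as `CORE_OWNED_BY_WEB_USER`, which is the trade-off the reply describes.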

  3. teejmonster
    Posted 4 years ago #

    I executed:

    sudo chown -R www-data:www-data wp-content

    but plug-in installs still don't work right.

    Only changing ownership on the site root does the trick.

  4. Try also doing that to wp-admin and wp-includes as well.
