WordPress.org

Support

Support » How-To and Troubleshooting » WordPress directory ownership

WordPress directory ownership

  • teejmonster

    @teejmonster

    Let me preface this by saying that I have attempted to find an answer to my question in the forums. I swear I’m not trying to “noob” here.

    I have an interest in WordPress hardening. I found the the following script that claims to simplify setting permissions and ownership:

    #!/bin/bash
    #
    # This script configures WordPress file permissions based on recommendations
    # from http://codex.wordpress.org/Hardening_WordPress#File_permissions
    #
    # Author: Michael Conigliaro <mike [at] conigliaro [dot] org>
    #
    WP_OWNER=root # <-- wordpress owner
    WP_GROUP=root # <-- wordpress group
    WP_ROOT=$1 # <-- wordpress root directory
    WS_GROUP=www-data # <-- webserver group
    
    # reset to safe defaults
    find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
    find ${WP_ROOT} -type d -exec chmod 755 {} \;
    find ${WP_ROOT} -type f -exec chmod 644 {} \;
    
    # allow wordpress to manage wp-config.php (but prevent world access)
    chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
    chmod 660 ${WP_ROOT}/wp-config.php
    
    # allow wordpress to manage .htaccess
    touch ${WP_ROOT}/.htaccess
    chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess
    chmod 664 ${WP_ROOT}/.htaccess
    
    # allow wordpress to manage wp-content
    find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
    find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
    find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;

    The script modifies WordPress installs to look like this:

    drwxr-xr-x  0755  root  root     .
    -rw-r--r--  0644  root  root     index.php
    -rw-r--r--  0644  root  root     readme.html
    -rw-r--r--  0644  root  root     wp-activate.php
    drwxr-xr-x  0755  root  root     wp-admin
    drwxr-xr-x  0755  root  root     wp-admin\js
    -rw-r--r--  0644  root  root     wp-admin\index.php
    -rw-r--r--  0644  root  root     wp-app.php
    -rw-r--r--  0644  root  root     wp-atom.php
    -rw-r--r--  0644  root  root     wp-blog-header.php
    -rw-r--r--  0644  root  root     wp-comments-post.php
    -rw-r--r--  0644  root  root     wp-commentsrss2.php
    -rw-rw----  0660  root  www-data wp-config.php
    drwxrwxr-x  0775  root  www-data wp-content
    -rw-rw-r--  0664  root  www-data wp-content\index.php
    drwxr-xr-x  0755  root  www-data wp-content\plugins
    drwxr-xr-x  0755  root  www-data wp-content\themes
    -rw-r--r--  0644  root  root     wp-cron.php
    -rw-r--r--  0644  root  root     wp-feed.php
    drwxr-xr-x  0755  root  root     wp-includes
    -rw-r--r--  0644  root  root     wp-links-opml.php
    -rw-r--r--  0644  root  root     wp-load.php
    -rw-r--r--  0644  root  root     wp-login.php
    -rw-r--r--  0644  root  root     wp-mail.php
    -rw-r--r--  0644  root  root     wp-pass.php
    -rw-r--r--  0644  root  root     wp-rdf.php
    -rw-r--r--  0644  root  root     wp-register.php
    -rw-r--r--  0644  root  root     wp-rss2.php
    -rw-r--r--  0644  root  root     wp-rss.php
    -rw-r--r--  0644  root  root     wp-settings.php
    -rw-r--r--  0644  root  root     wp-signup.php
    -rw-r--r--  0644  root  root     wp-trackback.php
    -rw-r--r--  0644  root  root     xmlrpc.php

    With these permissions, WordPress fails to install plugins and updates. I believe that much of the issue is because “root” owns most of the directory, rather than “www-data”.

    Is there any reason for me not to “chown www-data:www-data” the entire directory?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    @jdembowski

    Brute Squad and Volunteer Moderator

    With these permissions, WordPress fails to install plugins and updates.

    It’s tricky. WordPress doesn’t really need full ownership of everything for plugin and theme updates but I’m sure it needs that for WordPress version upgrades.

    Is there any reason for me not to “chown www-data:www-data” the entire directory?

    Doing it that would be for convenience. That way every file and directory would be manageable by the web server user and wholesale upgrades would be a snap.

    The only reason you would not do it that ways for added security. It’s more secure to have the files readable by www-data but not writable except for what’s needed. Making the non-essential files and directories own by root and set to 644 (files)and 755 (directories) accomplishes that.

    Unless you plan on having WordPress modify wp-config.php there really isn’t a need for that either.

    teejmonster

    @teejmonster

    I executed:

    sudo chown -R www-data:www-data wp-content

    but plug-in installs still don’t work right.

    Only changing ownership on the site root does the trick.

    Moderator Jan Dembowski

    @jdembowski

    Brute Squad and Volunteer Moderator

    Try also doing that to wp-admin and wp-includes as well.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘WordPress directory ownership’ is closed to new replies.
Skip to toolbar