Title: WordPress directory ownership Last modified: August 20, 2016 --- # WordPress directory ownership * [teejmonster](https://wordpress.org/support/users/teejmonster/) * (@teejmonster) * [14 years, 5 months ago](https://wordpress.org/support/topic/wordpress-directory-ownership/) * Let me preface this by saying that I have attempted to find an answer to my question in the forums. I swear I’m not trying to “noob” here. * I have an interest in WordPress hardening. I found the the following script that claims to simplify setting permissions and ownership: * ``` #!/bin/bash # # This script configures WordPress file permissions based on recommendations # from http://codex.wordpress.org/Hardening_WordPress#File_permissions # # Author: Michael Conigliaro # WP_OWNER=root # <-- wordpress owner WP_GROUP=root # <-- wordpress group WP_ROOT=$1 # <-- wordpress root directory WS_GROUP=www-data # <-- webserver group # reset to safe defaults find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \; find ${WP_ROOT} -type d -exec chmod 755 {} \; find ${WP_ROOT} -type f -exec chmod 644 {} \; # allow wordpress to manage wp-config.php (but prevent world access) chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php chmod 660 ${WP_ROOT}/wp-config.php # allow wordpress to manage .htaccess touch ${WP_ROOT}/.htaccess chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess chmod 664 ${WP_ROOT}/.htaccess # allow wordpress to manage wp-content find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \; find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \; find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \; ``` * The script modifies WordPress installs to look like this: * ``` drwxr-xr-x 0755 root root . -rw-r--r-- 0644 root root index.php -rw-r--r-- 0644 root root readme.html -rw-r--r-- 0644 root root wp-activate.php drwxr-xr-x 0755 root root wp-admin drwxr-xr-x 0755 root root wp-admin\js -rw-r--r-- 0644 root root wp-admin\index.php -rw-r--r-- 0644 root root wp-app.php -rw-r--r-- 0644 root root wp-atom.php -rw-r--r-- 0644 root root wp-blog-header.php -rw-r--r-- 0644 root root wp-comments-post.php -rw-r--r-- 0644 root root wp-commentsrss2.php -rw-rw---- 0660 root www-data wp-config.php drwxrwxr-x 0775 root www-data wp-content -rw-rw-r-- 0664 root www-data wp-content\index.php drwxr-xr-x 0755 root www-data wp-content\plugins drwxr-xr-x 0755 root www-data wp-content\themes -rw-r--r-- 0644 root root wp-cron.php -rw-r--r-- 0644 root root wp-feed.php drwxr-xr-x 0755 root root wp-includes -rw-r--r-- 0644 root root wp-links-opml.php -rw-r--r-- 0644 root root wp-load.php -rw-r--r-- 0644 root root wp-login.php -rw-r--r-- 0644 root root wp-mail.php -rw-r--r-- 0644 root root wp-pass.php -rw-r--r-- 0644 root root wp-rdf.php -rw-r--r-- 0644 root root wp-register.php -rw-r--r-- 0644 root root wp-rss2.php -rw-r--r-- 0644 root root wp-rss.php -rw-r--r-- 0644 root root wp-settings.php -rw-r--r-- 0644 root root wp-signup.php -rw-r--r-- 0644 root root wp-trackback.php -rw-r--r-- 0644 root root xmlrpc.php ``` * With these permissions, WordPress fails to install plugins and updates. I believe that much of the issue is because “root” owns most of the directory, rather than“ www-data”. * Is there any reason for me **not** to “_chown www-data:www-data_” the entire directory? Viewing 3 replies - 1 through 3 (of 3 total) * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [14 years, 5 months ago](https://wordpress.org/support/topic/wordpress-directory-ownership/#post-2408980) * > With these permissions, WordPress fails to install plugins and updates. * It’s tricky. WordPress doesn’t really need full ownership of everything for plugin and theme updates but I’m sure it needs that for WordPress version upgrades. * > Is there any reason for me not to “chown www-data:www-data” the entire directory? * Doing it that would be for convenience. That way every file and directory would be manageable by the web server user and wholesale upgrades would be a snap. * The only reason you would not do it that ways for added security. It’s more secure to have the files readable by www-data but not writable except for what’s needed. Making the non-essential files and directories own by root and set to 644 (files) and 755 (directories) accomplishes that. * Unless you plan on having WordPress modify `wp-config.php` there really isn’t a need for that either. * Thread Starter [teejmonster](https://wordpress.org/support/users/teejmonster/) * (@teejmonster) * [14 years, 5 months ago](https://wordpress.org/support/topic/wordpress-directory-ownership/#post-2409091) * I executed: * `sudo chown -R www-data:www-data wp-content` * but plug-in installs still don’t work right. * Only changing ownership on the site root does the trick. * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [14 years, 5 months ago](https://wordpress.org/support/topic/wordpress-directory-ownership/#post-2409109) * Try also doing that to `wp-admin` and `wp-includes` as well. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘WordPress directory ownership’ is closed to new replies. ## Tags * [chmod](https://wordpress.org/support/topic-tag/chmod/) * [ownership](https://wordpress.org/support/topic-tag/ownership/) * [permission](https://wordpress.org/support/topic-tag/permission/) * [permissions](https://wordpress.org/support/topic-tag/permissions/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 2 participants * Last reply from: [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * Last activity: [14 years, 5 months ago](https://wordpress.org/support/topic/wordpress-directory-ownership/#post-2409109) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics