Everyone who wants to make his WordPress web site more secure should definitely spend at least one hour of his life reading the Hardening WordPress chapter of the WP official guide: this is an extremely long list of security countermeasures that any good Webmaster should implement (or ask its System Administrator to implement) not only to strengthen his WordPress installation, yet also to increase his overall knowledge of the WP platform.
In this post we'll deal with one of the most important aspects of that chapter: File Permissions. Choosing those guidelines will grealy reduce the chances for our web site to get hacked, because we will prevent our attackers from the chance to "accidentally" download some reserved file, execute a script or even inject some pesky commands using a zero-day exploit.
Manually set these permissions can be troublesome, expecially on Linux, where most GUI interfaces don't allow to do that in a structured way. At the same time, doing it manually will also be highly unefficient, other than prone to human error: there's simply no chace that we won't risk to lose something - be it a file or an entire folder - here and there, expecially if we do have a lot of WP plugins, media files, themes, skins and disk data of any sort.
In an attempt to ease up such task we came out with this bash script that can be used to automatically set the required amount of permissions throughout the whole WordPress-based website. Cut the content, then paste it to a new file, save it as set-wordpress-permissions.sh in a folder of your choice (such as /var/www/ ) and execute it in the following way:
1 |
bash set-wordpress-permissions.sh /var/www/<your_website_file_root> |
By using this script anyone will be able to perform the proper amount of ACL changes in few seconds: on top of that, he will be able to repeat the exact same task to any other website, thus ensuring that every one of them will adopt the same permission set.
Without further ado, here's the script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
#!/bin/bash # # This script configures WordPress file permissions based on recommendations # from http://codex.wordpress.org/Hardening_WordPress#File_permissions # # execute it with the following command: # bash set-wordpress-permissions.sh /var/www/<site_folder> # OWNER=apache # <-- wordpress owner GROUP=www # <-- wordpress group ROOT=$1 # <-- wordpress root directory # reset to safe defaults find ${ROOT} -exec chown ${OWNER}:${GROUP} {} \; find ${ROOT} -type d -exec chmod 755 {} \; find ${ROOT} -type f -exec chmod 644 {} \; # allow wordpress to manage wp-config.php (but prevent world access) chgrp ${GROUP} ${ROOT}/wp-config.php chmod 660 ${ROOT}/wp-config.php # allow wordpress to manage wp-content find ${ROOT}/wp-content -exec chgrp ${GROUP} {} \; find ${ROOT}/wp-content -type d -exec chmod 775 {} \; find ${ROOT}/wp-content -type f -exec chmod 664 {} \; |
Feel free to change it to better suit your specific scenario.
To execute it, write the following:
1 |
bash set-wordpress-permissions.sh <site_folder> |
The script will need some minutes to do the job: have patience and let it finish.
That's about it, at least for now: enjoy your server!
The script Solved my issues
That’s great to hear: we’re glad you got it done!
Awesome script!
One question though. My wp-config actually resides outside the WordPress directory, so the setup is…
so the base install is in the folder “WordPress” but the wp-config actually resides one directory up
how would I modify it then?
wp-config.php
public files
Well, replace wp-config.php with your_folder/wp-config.php