• Let me preface this by saying that I have attempted to find an answer to my question in the forums. I swear I’m not trying to “noob” here.

    I have an interest in WordPress hardening. I found the following script that claims to simplify setting permissions and ownership:

    #!/bin/bash
    #
    # This script configures WordPress file permissions based on recommendations
    # from https://codex.www.ads-software.com/Hardening_WordPress#File_permissions
    #
    # Author: Michael Conigliaro <mike [at] conigliaro [dot] org>
    #
    WP_OWNER=root # <-- wordpress owner
    WP_GROUP=root # <-- wordpress group
    WP_ROOT=${1:?usage: $0 WORDPRESS_ROOT} # <-- wordpress root directory (required)
    WS_GROUP=www-data # <-- webserver group
    
    # reset to safe defaults
    find "${WP_ROOT}" -exec chown "${WP_OWNER}:${WP_GROUP}" {} \;
    find "${WP_ROOT}" -type d -exec chmod 755 {} \;
    find "${WP_ROOT}" -type f -exec chmod 644 {} \;
    
    # allow wordpress to manage wp-config.php (but prevent world access)
    chgrp "${WS_GROUP}" "${WP_ROOT}/wp-config.php"
    chmod 660 "${WP_ROOT}/wp-config.php"
    
    # allow wordpress to manage .htaccess
    touch "${WP_ROOT}/.htaccess"
    chgrp "${WS_GROUP}" "${WP_ROOT}/.htaccess"
    chmod 664 "${WP_ROOT}/.htaccess"
    
    # allow wordpress to manage wp-content
    find "${WP_ROOT}/wp-content" -exec chgrp "${WS_GROUP}" {} \;
    find "${WP_ROOT}/wp-content" -type d -exec chmod 775 {} \;
    find "${WP_ROOT}/wp-content" -type f -exec chmod 664 {} \;

    The script modifies WordPress installs to look like this:

    drwxr-xr-x  0755  root  root     .
    -rw-r--r--  0644  root  root     index.php
    -rw-r--r--  0644  root  root     readme.html
    -rw-r--r--  0644  root  root     wp-activate.php
    drwxr-xr-x  0755  root  root     wp-admin
    drwxr-xr-x  0755  root  root     wp-admin\js
    -rw-r--r--  0644  root  root     wp-admin\index.php
    -rw-r--r--  0644  root  root     wp-app.php
    -rw-r--r--  0644  root  root     wp-atom.php
    -rw-r--r--  0644  root  root     wp-blog-header.php
    -rw-r--r--  0644  root  root     wp-comments-post.php
    -rw-r--r--  0644  root  root     wp-commentsrss2.php
    -rw-rw----  0660  root  www-data wp-config.php
    drwxrwxr-x  0775  root  www-data wp-content
    -rw-rw-r--  0664  root  www-data wp-content\index.php
    drwxr-xr-x  0755  root  www-data wp-content\plugins
    drwxr-xr-x  0755  root  www-data wp-content\themes
    -rw-r--r--  0644  root  root     wp-cron.php
    -rw-r--r--  0644  root  root     wp-feed.php
    drwxr-xr-x  0755  root  root     wp-includes
    -rw-r--r--  0644  root  root     wp-links-opml.php
    -rw-r--r--  0644  root  root     wp-load.php
    -rw-r--r--  0644  root  root     wp-login.php
    -rw-r--r--  0644  root  root     wp-mail.php
    -rw-r--r--  0644  root  root     wp-pass.php
    -rw-r--r--  0644  root  root     wp-rdf.php
    -rw-r--r--  0644  root  root     wp-register.php
    -rw-r--r--  0644  root  root     wp-rss2.php
    -rw-r--r--  0644  root  root     wp-rss.php
    -rw-r--r--  0644  root  root     wp-settings.php
    -rw-r--r--  0644  root  root     wp-signup.php
    -rw-r--r--  0644  root  root     wp-trackback.php
    -rw-r--r--  0644  root  root     xmlrpc.php

    With these permissions, WordPress fails to install plugins and updates. I believe that much of the issue is because “root” owns most of the directory, rather than “www-data”.

    Is there any reason for me not to “chown www-data:www-data” the entire directory?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    With these permissions, WordPress fails to install plugins and updates.

    It’s tricky. WordPress doesn’t really need full ownership of everything for plugin and theme updates but I’m sure it needs that for WordPress version upgrades.

    Is there any reason for me not to “chown www-data:www-data” the entire directory?

    Doing it that way would be for convenience. That way every file and directory would be manageable by the web server user and wholesale upgrades would be a snap.

    The only reason you would not do it that way is for added security. It’s more secure to have the files readable by www-data but not writable except for what’s needed. Making the non-essential files and directories owned by root and set to 644 (files) and 755 (directories) accomplishes that.

    Unless you plan on having WordPress modify wp-config.php there really isn’t a need for that either.
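
Added example, not part of the thread or of the quoted script: a read-only audit that lists everything under the WordPress root that the web server account can modify outside the three paths the script above deliberately opens up (wp-content, wp-config.php, .htaccess). The function name `wp_audit_writable` and its argument order are assumptions made for this example; `www-data` is the account named in the thread.

```shell
#!/bin/bash
# Added example: list paths the web server account can modify outside the
# locations the hardening script intentionally leaves writable.
# wp_audit_writable ROOT [WS_USER] [WS_GROUP]   (hypothetical helper name)
wp_audit_writable() {
    local root=${1:?usage: wp_audit_writable ROOT [WS_USER] [WS_GROUP]}
    local ws_user=${2:-www-data} ws_group=${3:-www-data}
    root=${root%/}   # -path matches literally, so drop a trailing slash

    # A path is writable by the web server when it owns the path and the
    # owner write bit is set, when its group owns the path and the group
    # write bit is set, or when the world write bit is set. Symlinks are
    # skipped because their own mode bits are meaningless.
    find "$root" \
        \( -path "$root/wp-content" -prune \) -o \
        \( ! -type l \
           ! -path "$root/wp-config.php" \
           ! -path "$root/.htaccess" \
           \( \( -user "$ws_user" -perm -0200 \) -o \
              \( -group "$ws_group" -perm -0020 \) -o \
              -perm -0002 \) \
           -print \)
}

# Run the audit when the file is executed with a WordPress root argument.
if [ "$#" -gt 0 ]; then
    wp_audit_writable "$@"
fi
```

With the root-owned layout shown in the first post the audit prints nothing. After a `chown -R www-data:www-data` of the site root it lists every core file and directory, which is the exposure the reply above describes.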

    Thread Starter teejmonster

    (@teejmonster)

    I executed:

    sudo chown -R www-data:www-data wp-content

    but plug-in installs still don’t work right.

    Only changing ownership on the site root does the trick.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Try also doing that to wp-admin and wp-includes as well.

  • The topic ‘WordPress directory ownership’ is closed to new replies.