Some neat features of WordPress depend on various files being writable by the web server. However, allowing write access to your files is potentially dangerous, particularly on WordPress sites with pending security updates.
Locking the WordPress filesystem via file permissions will help you increase the security of your WordPress site. Learn when it's recommended and how to do it.
Table of Contents
- WordPress Filesystem lock
- The downsides of a WordPress Filesystem lock
- When is it recommended to lock the WordPress File write-access?
- How to manage the WordPress filesystem security with Wetopi
- How to lock the filesystem on the command line
- One single shell script to control the WordPress filesystem security
WordPress Filesystem lock
Reducing file and directory permissions to lock the WordPress filesystem is one of the most effective security measures for your WordPress site.
The idea behind the filesystem lock is to change the ownership and file permissions of all your WordPress files so that the write access of this web content manager is reduced to the minimum.
The downsides of a WordPress Filesystem lock
Blocking the write permissions for your web server implies a “Freeze” for your WordPress setup and content.
If you lock your WordPress filesystem, the core, plugins, and theme updates won’t work.
Every time you want to add to or modify your WordPress site, you will have to unlock your WordPress filesystem.
Removing write-access makes WordPress harder to update for administrators, but it will prevent a lot of typical WordPress hacks from happening.
When is it recommended to lock the WordPress File write-access?
We recommend locking the WordPress filesystem in any of these circumstances:
- You want to stop an intrusion. Your WordPress has malware and you want to freeze your website files to prevent further damage.
- Your WordPress has permanently pending updates. One of the reasons to update WordPress core, plugins, and themes is to fix security issues. If, for any reason, you cannot keep your WordPress updated, then removing write access will help you reduce the risk of malware infection.
- You don't need to constantly add content with new media, so everything is stored in your database.
How to manage the WordPress filesystem security with Wetopi
At Wetopi, you can lock and unlock your WordPress file permissions with a single click.
You can find this option in your WordPress server menu, inside the advanced options section.
How to lock the filesystem on the command line
If your WordPress is not hosted at Wetopi, here are all the steps to lock your WordPress files and directories.
In short, the idea is to replace the web server user as owner (we replace our web server user www-data with root) and remove almost every write permission.
1. Set root as owner
NOTE: replace the WordPress root path /var/www/html with the one used in your WordPress install.
# Set root as owner
chown -R root /var/www/html
2. Remove write permission on directories
# Set perms r-xr-xr-x on dirs
find /var/www/html/ -type d -exec chmod 555 {} \;
3. Set read only permissions on files
# Set perms r--r--r-- on files
find /var/www/html/ -type f -exec chmod 444 {} \;
4. Allow write on cache directories
We only give write permissions to the cache directories. In this case, these are the directories used by WP Super Cache.
# Set perms rwxrwxr-x on cache dirs
find /var/www/html/wp-content/cache -type d -exec chmod 775 {} \; &>/dev/null
# Set perms rw-rw-r-- on cache files
find /var/www/html/wp-content/cache -type f -exec chmod 664 {} \; &>/dev/null
chmod -f 664 /var/www/html/wp-content/wp-cache-config.php
One single shell script to control the WordPress filesystem security
Let’s save all the previous commands in a single shell script to simplify the process of locking and unlocking the WordPress filesystem.
#!/bin/bash
if [ "$1" == "on" ]; then
    echo "[set-wp-filesystem-lock] info: set root as owner"
    chown -R root /var/www/html
    echo "[set-wp-filesystem-lock] info: set perms r-xr-xr-x on dirs"
    find /var/www/html/ -type d -exec chmod 555 {} \;
    echo "[set-wp-filesystem-lock] info: set perms r--r--r-- on files"
    find /var/www/html/ -type f -exec chmod 444 {} \;
    echo "[set-wp-filesystem-lock] info: set perms rwxrwxr-x on cache dirs"
    find /var/www/html/wp-content/cache -type d -exec chmod 775 {} \; &>/dev/null
    echo "[set-wp-filesystem-lock] info: set perms rw-rw-r-- on cache files"
    find /var/www/html/wp-content/cache -type f -exec chmod 664 {} \; &>/dev/null
    chmod -f 664 /var/www/html/wp-content/wp-cache-config.php
    echo "[set-wp-filesystem-lock] info: wp locked"
elif [ "$1" == "off" ]; then
    echo "[set-wp-filesystem-lock] info: set www-data as owner"
    chown -R www-data /var/www/html
    echo "[set-wp-filesystem-lock] info: set dir. perms to rwxr-xr-x"
    find /var/www/html/ -type d -exec chmod 755 {} \;
    echo "[set-wp-filesystem-lock] info: set file perms to rw-r--r--"
    find /var/www/html/ -type f -exec chmod 644 {} \;
    echo "[set-wp-filesystem-lock] info: wp unlocked"
else
    echo "# lock wp filesystem with on, unlock wp with off"
    echo "/set-wp-filesystem-lock.sh on"
    echo "/set-wp-filesystem-lock.sh off"
fi
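To confirm the lock took effect, the check below (an added example, not part of the original article or of Wetopi's tooling) lists anything outside the cache paths that still has a write bit set or is not owned by the expected owner, plus any world-writable entry inside the cache paths. The function name audit_wp_lock and its arguments are hypothetical, and it assumes GNU find.

```shell
#!/bin/bash
# Added example (not from the original article): audit a locked WordPress tree.
# Usage: audit_wp_lock <wp_root> [expected_owner]   (owner defaults to root)
# Prints every offending path; returns 0 if clean, 1 if not, 2 on bad input.
# Assumes GNU find (for the "-perm /mode" syntax).
audit_wp_lock() {
    local root="${1%/}" owner="${2:-root}" cache cfg bad
    cache="$root/wp-content/cache"
    cfg="$root/wp-content/wp-cache-config.php"
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }

    bad=$(
        # Outside the cache allowlist: no write bit for anyone, owner as expected.
        # Symlinks are skipped because their own mode bits are always rwxrwxrwx.
        find "$root" \( -path "$cache" -o -path "$cfg" \) -prune -o \
            ! -type l \( -perm /222 -o ! -user "$owner" \) -print
        # Inside the allowlist: 775/664 is expected, world-writable is not.
        find "$cache" "$cfg" ! -type l -perm /002 -print 2>/dev/null
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run it as `audit_wp_lock /var/www/html` after locking; any path it prints means the tree is not fully locked.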
If you want to know more about security for WordPress, check all articles on security features in our blog.