WordPress File Permissions: When and How to Lock Them for Maximum Security

WordPress File Permissions: When and How to Lock Them for Maximum Security

WordPress File Permissions means that some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly on WordPress sites with pending security updates.

Blocking the WordPress filesystem via File Permissions will help you increase the security of your WordPress. Learn when its recommended and how to do it.

Table of Contents

WordPress Filesystem lock

Reducing the file and dir permissions to lock the WordPress filesystem, is one of the most secure measures for your WordPress.

The idea behind the filesystem lock is to modify the ownership and file permissions of all your WordPress files reducing to the minimum the write-access of this web content manager.

The downsides of a WordPress Filesystem lock

Blocking the write permissions for your web server implies a “Freeze” for your WordPress setup and content.

If you lock your WordPress filesystem, the core, plugins, and theme updates won’t work.

Every time you want to add or modify your WordPress site you will have to unlock your WordPress file system.

Removing write-access makes WordPress harder to update for administrators, but it will prevent a lot of typical WordPress hacks from happening.

We recommend locking the WordPress filesystem in any of these circumstances:

  • You want to stop an intrusion. Your WordPress does have malware and you want to freeze your website files to prevent further damage.
  • Your WordPress has permanent pending updates. One of the reasons to update WordPress core, plugins, and themes is to solve security issues. If for any reason, you can not maintain your WordPress updated, then removing the write-access will help you to reduce the malware infection risk.
  • You don’t need to constantly add content with new Media, so everything is stored in your database.

How to manage the WordPress filesystem security with Wetopi

At Wetopi, you can lock and unlock your WordPress file permissions with a single click.

You can find this option in your WordPress server Menu, inside the advanced options section:

Filesystem lock in Wetopi advanced option Menu

How to lock the filesystem on the command line

If your WordPress is not hosted at Wetopi, here you have all the steps to lock your WordPress files and directories.

In short; the idea is to replace the web server user (we replace our web server www-data user by root) and almost remove any write permission.

1. Set root as owner

NOTE: replace the WordPress root path /var/www/html for the one used in your WordPress install.

# Set root as owner
chown -R root /var/www/html

2. Remove write permission on directories

# Set perms r-xr-xr-x on dirs
find /var/www/html/ -type d -exec chmod 555 {} \;

3. Set read only permissions on files

# Set perms r--r--r-- on files
find /var/www/html/ -type f -exec chmod 444 {} \;

4. Allow write on cache directories

We only give write permissions to the cache dirs. In this case the directories used by WP Super Cache.

# Set perms rwxrwxr-x on cache dirs
find /var/www/html/wp-content/cache -type d -exec chmod 775 {} \; &>/dev/null

# Set perms rw-rw-r-- on cache files
find /var/www/html/wp-content/cache -type f -exec chmod 664 {} \; &>/dev/null

chmod -f 664 /var/www/html/wp-content/wp-cache-config.php

One single shell script to control the WordPress filesystem security

Let’s save all this previous commands in a single shell script to simplify the process of locking and unlocking the WordPress filesystem.

#!/bin/bash

if [ "$1" == "on" ]; then

    echo "[set-wp-filesystem-lock] info: set root as owner"
    chown -R root /var/www/html

    echo "[set-wp-filesystem-lock] info: set perms r-xr-xr-x on dirs"
    find /var/www/html/ -type d -exec chmod 555 {} \;

    echo "[set-wp-filesystem-lock] info: set perms r--r--r-- on files"
    find /var/www/html/ -type f -exec chmod 444 {} \;

    echo "[set-wp-filesystem-lock] info: set perms rwxrwxr-x on cache dirs"
    find /var/www/html/wp-content/cache -type d -exec chmod 775 {} \; &>/dev/null

    echo "[set-wp-filesystem-lock] info: set perms rw-rw-r-- on cache files"
    find /var/www/html/wp-content/cache -type f -exec chmod 664 {} \; &>/dev/null
    chmod -f 664 /var/www/html/wp-content/wp-cache-config.php

    echo "[set-wp-filesystem-lock] info: wp locked"

elif [ "$1" == "off" ]; then

    echo "[set-wp-filesystem-lock] info: set www-data as owner"
    chown -R www-data /var/www/html

    echo "[set-wp-filesystem-lock] info: set dir. perms to rwxr-xr-x"
    find /var/www/html/ -type d -exec chmod 755 {} \;

    echo "[set-wp-filesystem-lock] info: set file perms to rw-r--r--"
    find /var/www/html/ -type f -exec chmod 644 {} \;

    echo "[set-wp-filesystem-lock] info: wp unlocked"

else
  echo "# lock wp filesystem with on, unlock wp with off"
  echo "/set-wp-filesystem-lock.sh on"
  echo "/set-wp-filesystem-lock.sh off"

fi

If you want to know more about security for WordPress, check all articles on security features in our blog.

We are techies passionate about WordPress. With wetopi, a Managed WordPress Hosting, we want to minimize the friction that every professional faces when working and hosting WordPress projects.

Not a wetopi user?

Free full performance servers for your development and test.
No credit card required.

See how Wetopi stacks up against your current hosting

Migrating sites to us is free and completely effortless on your part.

No hidden small text.
No commitments.
No credit card.

Try before you buy.