Setting proper file permissions
Video: Setting proper file permissionsMost web hosts do a good job at setting up default permissions for files and directories, but it's a good idea to check that everything is configured for optimal security. In this screencast, we'll see how to check for proper file permissions for your WordPress-powered site. Let's look at files included with a default installation of WordPress. Here we are in our demo site's server control panel looking at a list of files in the WordPress installation directory. For directories, the permissions are here, and then they change for files.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Setting proper file permissions
Most web hosts do a good job at setting up default permissions for files and directories, but it's a good idea to check that everything is configured for optimal security. In this screencast, we'll see how to check for proper file permissions for your WordPress-powered site. Let's look at files included with a default installation of WordPress. Here we are in our demo site's server control panel looking at a list of files in the WordPress installation directory. For directories, the permissions are here, and then they change for files.
Everything beneath here is a permission for a corresponding file. We want to translate this rwx r- whatever into an actual chmod value, like 644 and 755, which we can do using this tool. Let's check the directories first, which look like this. We have read and execute privileges for everyone, owner, group, and others. And we have write privileges for the owner.
So let's return to the Online Conversion tool and replicate that pattern. Read, Write and Execute for the owner, Read for everyone and Execute for everyone. This gives us a chmod value of 755, which is ideal for directories. Now let's return to the file listing by clicking Cancel and scrolling down a bit, we look at the permissions for our files and pick one, click it, and we see that we have Read privileges for every one and Write privileges for the owner.
Nobody has Execute privileges for our files. So returning to our Online Conversion tool, we enter those values into the form and we get a chmod value of 644, which is also ideal. According to the WordPress Codex, all core WordPress files should be writable only by the server's user account, which is indeed the case for our demo site, as we've seen here. Just remember that the default settings for all WordPress files is 644, and the default settings for all WordPress directories is 755.
These settings ensure that WordPress has proper access to everything it needs for proper functionality. Now, if you don't have access to your server control panel, which looks something like this, you may also check your file permissions by using a handy plug-in called WordPress Security Scan. We have the plug-in installed here at our demo site, and it's activated, so let's navigate to the Scanner menu and take a look. This takes you to a page where key files and directories are scanned by the plug-in for proper file permissions.
Here we see that everything is in green and good to go. Any items with insufficient permissions will be shown in red and should be dealt with accordingly. We cover the WP Security Scan plug-in in more depth in a later screencast in this series. Chances are high that if you're using a decent host, you are already set with the optimal permissions settings for your site. But if that's not the case and you need to change something, consult with your host for the best way forward. The default permissions settings are normally just fine, but you should not take this for granted.
Verifying them is an easy process, and it could save you a lot of grief later on.
There are currently no FAQs about WordPress 3: Developing Secure Sites.