
Safe and productive ownership settings for a WordPress installation

Last Modified: 2019-01-25
So, I have been reading about this for a long time and there's never a conclusive answer to be found anywhere.

I have a CentOS 6 LAMP web server which mostly hosts websites created by yours truly and the occasional website created by someone else.

Which is the most secure way to configure WordPress folder ownership AND keep all the automatic features (updating, uploading and so on) without the need to insert FTP or SFTP credentials each time?

Aside from permissions (which I always set to 755 for folders, 644 for files and 600 for special files, as suggested everywhere), there are a lot of different ideas about ownership.

Somebody says apache should be the owner of the whole folder. Somebody says that the owner should be your server user (root for instance, or a dedicated user) and never apache.

But if the owner is not apache, you have to use your ftp credentials to upload, update and so on.

So is there a way to actually have it all? What's the safest and smartest way to configure ownership for WordPress?

Thanks guys.

Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
Thanks a lot.

Believe it or not, that is almost exactly what I've been doing up until now.

I have been using setfacl to allow users to write to apache owned directories, and it works great.

I have a whole bunch of websites on this server, most built and managed only by me, and maybe 3 built and managed by other people.

One of said people has been a pain, so I started verifying if I was doing things right or not, permission and ownership wise.

While researching, I stumbled upon some discussion which seemed to underline how wrong my ownership settings were, most of all this one:

https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress

Then I read Wordpress' own page on the matter, and that added to the confusion:

Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user).

https://codex.wordpress.org/Changing_File_Permissions

That's the whole reason I started this thread.
Prabhin MP, DevOps Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
The default permission scheme should be:

Folders - 750
Files - 640


Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;
For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;



Check this link to learn more about wordpress security
Owen Rubin, Consultant

Commented:
Nicely done David. I’m copying that down as a template next time I need to set up a system like this.

Prabhin, why do you specify 750 instead of 755, and 640 rather than 644? Curious as to your reasoning, as I have always used the other.

Thanks
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
I think 755 and 644 are fine. I have a script running overnight which saves to text files all folders and files with wrong permissions. I only keep wp-config.php to 600 if I remember correctly. The script also checks that and fixes permissions for wp-config.php and renames all install.php to .bak.
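
A sketch of the kind of nightly check described in the comment above, as an added example (it is not the poster's script). The function names, the report file and the paths passed in are assumptions; the modes 755, 644 and 600 and the install.php rename are the ones named in the thread.

```bash
#!/usr/bin/env bash
# Added example, not the poster's own script: audit a WordPress tree for
# the modes discussed in this thread. All function names are hypothetical.

# Report directories that are not 755 and files that are not 644.
# wp-config.php is excluded here because it is held to 600 separately.
audit_modes() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$1" -type f ! -name wp-config.php ! -perm 644 -print | sed 's/^/FILE /'
}

# Force every wp-config.php under the tree to 600 (owner read/write only).
fix_wp_config() {
    find "$1" -type f -name wp-config.php ! -perm 600 -exec chmod 600 {} \;
}

# Rename every install.php to install.php.bak so it can no longer be requested.
disable_installers() {
    find "$1" -type f -name install.php \
        -exec sh -c 'mv -- "$1" "$1.bak"' _ {} \;
}

# One nightly pass: write the findings to a text report, then apply the fixes.
# $1 = WordPress root, $2 = report file (both supplied by the caller).
nightly_check() {
    audit_modes "$1" > "$2"
    fix_wp_config "$1"
    disable_installers "$1"
}

# Run only when called with arguments, e.g. from cron:
#   wp-perm-check.sh /path/to/your/wordpress/install/ /path/to/report.txt
if [ "$#" -eq 2 ]; then
    nightly_check "$1" "$2"
fi
```

The audit only reports wrong modes on ordinary files and directories, so a change can be reviewed before it is reverted; only wp-config.php and install.php are altered automatically.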
Owen Rubin, Consultant

Commented:
Thanks. That script is a great idea BTW.
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
Thanks for the help. I'm happy I was already using good settings. Still trying to understand why some people are so against giving ownership to Apache though.
Daniele Brunengo, IT Consultant, Web Designer

Author

Commented:
Oh if anyone wants to have a look at the WP scripts I run on the server, just ask.
