Daniele Brunengo

Safe and productive ownership settings for a WordPress installation

So, I have been reading about this for a long time and there's never a conclusive answer to be found anywhere.

I have a CentOS 6 LAMP web server which mostly hosts websites created by yours truly and the occasional website created by someone else.

Which is the most secure way to configure WordPress folder ownership AND keep all the automatic features (updating, uploading and so on) without the need to insert ftp or sftp credentials each time?

Aside from permissions (which I always set to 755 for folders, 644 for files and 600 for special files, as suggested everywhere), there are a lot of different ideas about ownership.

Somebody says apache should be the owner of the whole folder. Somebody says that the owner should be your server user (root for instance, or a dedicated user) and never apache.

But if the owner is not apache, you have to use your ftp credentials to upload, update and so on.

So is there a way to actually have it all? What's the safest and smartest way to configure ownership for WordPress?

Thanks guys.
Linux, Hosting, WordPress, LAMP, Apache Web Server

Last Comment
Daniele Brunengo

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
David Favor

Daniele Brunengo

ASKER
Thanks a lot.

Believe it or not, that is almost exactly what I've been doing up until now.

I have been using setfacl to allow users to write to apache owned directories, and it works great.

I have a whole bunch of websites on this server, most built and managed only by me, and maybe 3 built and managed by other people.

One of said people has been a pain, so I started verifying if I was doing things right or not, permission and ownership wise.

While researching, I stumbled upon some discussion which seemed to underline how wrong my ownership settings were, most of all this one:

https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress

Then I read WordPress' own page on the matter, and that added to the confusion:

"Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user)."

https://codex.wordpress.org/Changing_File_Permissions

That's the whole reason I started this thread.
Prabhin MP

The default permission scheme should be:

Folders - 750
Files - 640


Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;



Check this link to learn more about WordPress security
Owen Rubin

Nicely done David. I’m copying that down as a template next time I need to set up a system like this.

Prabhin, why do you specify 750 instead of 755, and 640 rather than 644? Curious as to your reasoning, as I have always used the other.

Thanks
Daniele Brunengo

ASKER
I think 755 and 644 are fine. I have a script running overnight which saves to text files all folders and files with wrong permissions. I only keep wp-config.php to 600 if I remember correctly. The script also checks that and fixes permissions for wp-config.php and renames all install.php to .bak.
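
A sketch of the kind of nightly check described in the comment above, as an added example that is not the poster's own script. It assumes the policy stated in this thread (directories 755, files 644, wp-config.php 600, install.php renamed to .bak); the function names, the optional owner check and the paths in the usage comment are hypothetical.

```bash
#!/bin/sh
# Added example (not the thread author's script). Policy from the thread:
# directories 755, files 644, wp-config.php 600, install.php renamed to .bak.

# wp_perm_audit ROOT [OWNER]
# Print one line per path under ROOT that deviates from the policy.
# OWNER (user name or numeric uid) is optional; when given, paths owned by
# anyone else are reported too.
wp_perm_audit() {
    wp_root=$1
    wp_owner=${2:-}
    find "$wp_root" -type d ! -perm 755 -print | sed 's/^/DIR   /'
    find "$wp_root" -type f ! -name wp-config.php ! -perm 644 -print | sed 's/^/FILE  /'
    find "$wp_root" -type f -name wp-config.php ! -perm 600 -print | sed 's/^/CONF  /'
    if [ -n "$wp_owner" ]; then
        find "$wp_root" ! -user "$wp_owner" -print | sed 's/^/OWNER /'
    fi
}

# wp_harden ROOT
# Apply the two automatic fixes: wp-config.php to 600, install.php out of the way.
wp_harden() {
    find "$1" -type f -name wp-config.php ! -perm 600 -exec chmod 600 {} +
    # Assumption: "renamed to .bak" means install.php -> install.php.bak.
    find "$1" -type f -name install.php -exec sh -c '
        for f; do mv -- "$f" "$f.bak"; done' sh {} +
}

# Nightly use (cron): sh wp-perms.sh /var/www/example.com apache > report.txt
# The script name, path, user and report file are placeholders.
if [ "$#" -ge 1 ]; then
    wp_harden "$1"
    wp_perm_audit "$@"
fi
```

With wp-config.php at 600 only its owner can read it, so that file has to be owned by the account PHP runs as.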
Owen Rubin

Thanks. That script is a great idea BTW.
Daniele Brunengo

ASKER
Thanks for the help. I'm happy I was already using good settings. Still trying to understand why some people are so against giving ownership to Apache though.
Daniele Brunengo

ASKER
Oh if anyone wants to have a look at the WP scripts I run on the server, just ask.