Daniele Brunengo asked:

Safe and productive ownership settings for a Wordpress installation

So, I have been reading about this for a long time and there's never a conclusive answer to be found anywhere.

I have a Centos 6 LAMP web server which mostly hosts websites created by yours truly and the occasional website created by someone else.

Which is the most secure way to configure Wordpress folders ownership AND keep all the automatic features (updating, uploading and so on) without the need to insert ftp or sftp credentials each time?

Aside from permissions (which I always set to 755 for folders, 644 for files and 600 for special files, as suggested everywhere), there's a lot of different ideas about ownership.

Somebody says apache should be the owner of the whole folder. Somebody says that the owner should be your server user (root for instance, or a dedicated user) and never apache.

But if the owner is not apache, you have to use your ftp credentials to upload, update and so on.

So is there a way to actually have it all? What's the safest and smartest way to configure ownership for Wordpress?

Thanks guys.
ASKER CERTIFIED SOLUTION
David Favor
Daniele Brunengo (ASKER)

Thanks a lot.

Believe it or not, that is almost exactly what I've been doing up until now.

I have been using setfacl to allow users to write to apache owned directories, and it works great.

I have a whole bunch of websites on this server, most built and managed only by me, and maybe 3 built and managed by other people.

One of said people has been a pain, so I started verifying if I was doing things right or not, permission and ownership wise.

While researching, I stumbled upon some discussion which seemed to underline how wrong my ownership settings were, most of all this one:

https://stackoverflow.com/questions/18352682/correct-file-permissions-for-wordpress

Then I read Wordpress' own page on the matter, and that added to the confusion:

Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user).

https://codex.wordpress.org/Changing_File_Permissions

That's the whole reason I started this thread.
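The arrangement the asker describes (directories owned by the web server account, with setfacl granting a human account write access so that no FTP credentials are needed) as an added example script. This is not the asker's script, which is not shown in the thread. It assumes Linux with the acl package (setfacl/getfacl) on a filesystem mounted with ACL support; "apache" and "deploy" are placeholder account names and /var/www/example a placeholder path.

```shell
#!/bin/sh
# Added example (not the asker's script): give the web server account ownership of
# a WordPress tree so updates and uploads work, while a separate deploy account
# keeps write access through POSIX ACLs rather than through world-writable modes
# or by handing over FTP credentials. Assumptions: Linux with setfacl/getfacl and
# an ACL-capable filesystem; "apache", "deploy" and /var/www/example are placeholders.

# share_tree_with_deploy_user ROOT OWNER DEPLOY
share_tree_with_deploy_user() {
    root=$1; owner=$2; deploy=$3
    # the web server process owns everything, so WordPress can write without FTP
    chown -R "$owner" "$root"
    # access ACL: deploy may read/write everything and traverse directories
    # (capital X = execute only on directories and on files already executable)
    setfacl -R -m "u:$deploy:rwX" "$root"
    # default ACL on every directory: files and directories that the web server
    # creates later (uploads, plugin updates) inherit the same entry for deploy
    find "$root" -type d -exec setfacl -d -m "u:$deploy:rwX" {} +
}

# verify_deploy_access PATH DEPLOY: succeed when the named-user ACL entry is present
verify_deploy_access() {
    getfacl -p "$1" 2>/dev/null | grep -q "^user:$2:rw"
}

# Usage (as root): sh wp-acl.sh /var/www/example apache deploy
if [ "$#" -eq 3 ]; then
    share_tree_with_deploy_user "$1" "$2" "$3"
    if verify_deploy_access "$1" "$3"; then
        echo "deploy ACL present on $1"
    fi
fi
```

Two things to keep in mind when combining this with the 755/644 chmod runs discussed later in the thread: chmod on the group bits rewrites the ACL mask, so run the chmod pass before setfacl (or re-run setfacl afterwards), and getfacl shows "#effective:" next to an entry whenever the mask is limiting it. The ACL does not change what the Codex warning is about: with the web server owning the tree, any code running as that account, a vulnerable plugin included, can rewrite every PHP file on the site; the ACL only removes the need for FTP credentials.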
The default permission scheme should be:

Folders - 750
Files - 640

Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;

Check this link to learn more about wordpress security
Nicely done David. I’m copying that down as a template next time I need to set up a system like this.

Prabhin, why do you specify 750 instead of 755, and 640 rather than 644? Curious as to your reasoning, as I have always used the other.

Thanks
I think 755 and 644 are fine. I have a script running overnight which saves to text files all folders and files with wrong permissions. I only keep wp-config.php at 600 if I remember correctly. The script also checks that and fixes permissions for wp-config.php and renames all install.php to .bak.
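The nightly check the asker describes (755 for folders, 644 for files, 600 for wp-config.php, every install.php renamed to .bak) as an added shell script; it is not the asker's script, which is not shown in the thread. The same script covers the recursive find/chmod commands posted earlier: DIR_MODE and FILE_MODE default to 755/644 and can be set to 750/640 for that scheme. /var/www/example is a placeholder path.

```shell
#!/bin/sh
# Added example (not the asker's nightly script): audit a WordPress tree against
# the permission scheme discussed in the thread and optionally fix it. Modes are
# the thread's: 755 dirs / 644 files (set DIR_MODE=750 FILE_MODE=640 for the other
# scheme posted) and 600 for wp-config.php. /var/www/example is a placeholder.

DIR_MODE=${DIR_MODE:-755}
FILE_MODE=${FILE_MODE:-644}
SECRET_MODE=${SECRET_MODE:-600}   # wp-config.php holds the database credentials

# report EXPECTED FIND-ARGS...: print "actual-mode path (expected N)" per match
report() {
    expected=$1; shift
    find "$@" -exec stat -c '%a %n' {} + | sed 's/$/ (expected '"$expected"')/'
}

# audit_wp_perms ROOT: list every directory and file whose mode deviates from the
# scheme (the -perm test without a +/- prefix is an exact match); prints nothing
# when the tree is clean, so the output can be saved to a text file or mailed
audit_wp_perms() {
    root=$1
    report "$DIR_MODE"    "$root" -type d ! -perm "$DIR_MODE"
    report "$SECRET_MODE" "$root" -type f -name wp-config.php ! -perm "$SECRET_MODE"
    report "$FILE_MODE"   "$root" -type f ! -name wp-config.php ! -perm "$FILE_MODE"
}

# fix_wp_perms ROOT: chmod only what deviates (a blanket chmod -R would rewrite the
# ctime of every file, which makes later change-detection less useful), then move
# leftover installer scripts out of the way
fix_wp_perms() {
    root=$1
    find "$root" -type d ! -perm "$DIR_MODE" -exec chmod "$DIR_MODE" {} +
    find "$root" -type f ! -name wp-config.php ! -perm "$FILE_MODE" -exec chmod "$FILE_MODE" {} +
    find "$root" -type f -name wp-config.php ! -perm "$SECRET_MODE" -exec chmod "$SECRET_MODE" {} +
    # install.php left over from setup is renamed to install.php.bak, as the asker's script does
    find "$root" -type f -name install.php -exec sh -c 'for f; do mv "$f" "$f.bak"; done' _ {} +
}

# Usage: sh wp-perms.sh /var/www/example [--fix]
# Without --fix the script only reports (suitable for a nightly cron job); with
# --fix it also corrects what it found.
if [ "$#" -ge 1 ]; then
    audit_wp_perms "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_wp_perms "$1"
    fi
fi
```

Keeping the report and the fix as separate steps is deliberate: the report run is the one to schedule, and a non-empty report on a site that nobody deployed to is itself worth looking at, since something other than you changed modes in the web root.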
Thanks. That script is a great idea BTW.
Thanks for the help. I'm happy I was already using good settings. Still trying to understand why some people are so against giving ownership to Apache though.
Oh if anyone wants to have a look at the WP scripts I run on the server, just ask.