Safe and productive ownership settings for a Wordpress installation

Daniele Brunengo
So, I have been reading about this for a long time and there's never a conclusive answer to be found anywhere.

I have a Centos 6 LAMP web server which mostly hosts websites created by yours truly and the occasional website created by someone else.

Which is the most secure way to configure Wordpress folders ownership AND keep all the automatic features (updating, uploading and so on) without the need to insert ftp or sftp credentials each time?

Aside from permissions (which I always set to 755 for folders, 644 for files and 600 for special files, as suggested everywhere), there are a lot of different ideas about ownership.

Somebody says apache should be the owner of the whole folder. Somebody says that the owner should be your server user (root for instance, or a dedicated user) and never apache.

But if the owner is not apache, you have to use your ftp credentials to upload, update and so on.

So is there a way to actually have it all? What's the safest and smartest way to configure ownership for Wordpress?

Thanks guys.
Fractional CTO
Distinguished Expert 2018
1) Correct: 755 on directories.

2) Correct: 644 on files.

3) Correct: Ownership of all files + directories must be user/group matching your Apache instance. This might be httpd, or apache, or www-data, or nobody.

Do a ps to figure out the runtime user/group of your Apache instance.

4) What you'll have at this point...

Aside: Likely best to switch to running Ubuntu Bionic (5 years updates), if you have problems getting the following working.

Steps 1-3 are required so your Apache instance can serve files. Do yourself a favor + leave this as-is with no funny ownership/perms tricks.

Here's an example of what a directory hierarchy of the form /sites/david-favor/ will look like up to this point.

# ll /sites
total 4.0K
drwxr-xr-x 5 root root 4.0K Jan 19 10:37 david-favor/

# ll /sites/david-favor
total 12K
drwxr-xr-x 4 root root 4.0K Jan 19 18:21

# ll /sites/david-favor/
total 8.0K
drwxr-xr-x 2 www-data www-data 4.0K Jan 21 06:25 logs/
drwxr-xr-x 5 www-data www-data 4.0K Jan 19 18:42 wordpress/


Do yourself a favor + place your logs directory (for WordPress debug log) outside your WordPress install for security + to reduce backup size.

5) Now for the tricky part. To setup any number of SFTP users to...

a) Access your Apache (existing) owned files/directories.

b) Ensure any SFTP newly created files/directories are accessible by both Apache + all SFTP users.

Note: This scenario imagines all SFTP users have access to the entire WordPress file hierarchy. This is a bad idea. In real life, you should block anyone mucking about with any WordPress core/theme/plugin files via SFTP. To keep this example simple, all files are accessible.

The rest of the steps relate to getting SFTP users set up correctly.

6) ACLs must be working correctly for your system. This means...

a) Your Kernel is recent + built correctly (ACL support enabled).

b) Your Filesystem (stick with ext4) in use is recent + built correctly (ACL support enabled) + mount options are correct (default or manual).

c) You must install the ACL tools - setfacl + getfacl.

Note: All items related to #6 are handled automatically in Ubuntu + have been for years. For CentOS, likely part or all of this is broken. To complete this step in CentOS (depending on many factors) may require a massive amount of time to get working.

7) You must have a sensible SFTP server running.

The only sensible SFTP server I've found (I've been hosting client sites since 1994) is MySecureShell.

This SFTP server is a zero config server (at least on Ubuntu).

a) Install the package.

b) run sftp-verif + answer yes to any suggested repairs.

8) Now setup a default ACL for the Apache user/group, so any new files will be accessible by Apache.

Ubuntu uses www-root + CentOS use many different variations, so you'll have to figure out the correct command line conjuration for your Apache instance.

# Ensure Apache can access any newly created directories/files.
setfacl -Rm d:u:www-data:rwX,u:www-data:rwX /sites/*/*/{wordpress,htdocs}


9) Now create a user to access the site using the above file hierarchy...

# Create a normal user, with home pointing to the WordPress root install
useradd --user-group -G www-data --shell=/usr/bin/mysecureshell --home=/sites/david-favor/ david

# Set a random/strong password
echo david:yF8auTQQ5OpK2DlsYIprVCE79ZK8eP23 | chpasswd

# Now add an ACL for the new david user...
# Which allows access to all existing directories/files.
# Automagically adds the david ACL to any files created by Apache or any other SFTP user.
setfacl -Rm d:u:david:rwX,u:david:rwX /sites/david-favor/


10) At this point, you can create any other new user + all their ACLs will allow file sharing between Apache + all SFTP users.
Daniele Brunengo, IT Consultant, Web Designer


Thanks a lot.

Believe it or not, that is almost exactly what I've been doing up until now.

I have been using setfacl to allow users to write to apache owned directories, and it works great.

I have a whole bunch of websites on this server, most built and managed only by me, and maybe 3 built and managed by other people.

One of said people has been a pain, so I started verifying if I was doing things right or not, permission and ownership wise.

While researching, I stumbled upon some discussion which seemed to underline how wrong my ownership settings were, most of all this one:

Then I read Wordpress' own page on the matter, and that added to the confusion:

Typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. On shared hosts, files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody user).

That's the whole reason I started this thread.
Prabhin MP, DevOps Engineer
Distinguished Expert 2018

The default permission scheme should be:

Folders - 750
Files - 640

Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;

Check this link to learn more about wordpress security

Nicely done David. I’m copying that down as a template next time I need to set up a system like this.

Prabhin, why do you specify 750 instead of 755, and 640 rather than 644? Curious about your reasoning, as I have always used the other.

Daniele Brunengo, IT Consultant, Web Designer


I think 755 and 644 are fine. I have a script running overnight which saves to text files all folders and files with wrong permissions. I only keep wp-config.php to 600 if I remember correctly. The script also checks that and fixes permissions for wp-config.php and renames all install.php to .bak.
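An added example, not the script from this thread, of the overnight permission check described above: it audits a WordPress tree against the 755/644 scheme with wp-config.php held at 600, fixes what it finds on request, and renames install.php to .bak. The dir/file mode arguments are an assumption that also lets the same check run Prabhin's 750/640 scheme; function names and paths are constructed for illustration.

```shell
#!/bin/sh
# Audit WordPress file modes. Prints one line per offending path:
#   "<expected-mode> <actual-mode> <path>"
# Usage: wp_perm_audit /path/to/wordpress [dir_mode] [file_mode]
# Defaults are the 755/644 scheme; pass 750 640 for the stricter one.
# wp-config.php is always expected to be 600 (it holds DB credentials).
wp_perm_audit() {
    root=$1; dmode=${2:-755}; fmode=${3:-644}
    find "$root" -type d ! -perm "$dmode" -printf "$dmode %m %p\n"
    find "$root" -type f ! -name wp-config.php ! -perm "$fmode" \
        -printf "$fmode %m %p\n"
    find "$root" -type f -name wp-config.php ! -perm 600 -printf "600 %m %p\n"
}

# Number of offending paths; 0 means the tree matches the scheme.
wp_perm_count() { wp_perm_audit "$@" | wc -l | tr -d ' '; }

# Apply the scheme and park any install.php out of the way.
# Usage: wp_perm_fix /path/to/wordpress [dir_mode] [file_mode]
wp_perm_fix() {
    root=$1; dmode=${2:-755}; fmode=${3:-644}
    find "$root" -type d ! -perm "$dmode" -exec chmod "$dmode" {} +
    find "$root" -type f ! -name wp-config.php ! -perm "$fmode" \
        -exec chmod "$fmode" {} +
    find "$root" -type f -name wp-config.php ! -perm 600 -exec chmod 600 {} +
    # install.php is only needed during initial setup; rename to .bak
    find "$root" -type f -name install.php \
        -exec sh -c 'mv "$1" "$1.bak"' _ {} \;
}
```

Run wp_perm_audit from cron and mail or log its output; call wp_perm_fix only after reviewing what it reports, since a file with an unexpected mode can also be a sign of tampering worth investigating first.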

Thanks. That script is a great idea BTW.
Daniele Brunengo, IT Consultant, Web Designer


Thanks for the help. I'm happy I was already using good settings. Still trying to understand why some people are so against giving ownership to Apache though.
Daniele Brunengo, IT Consultant, Web Designer


Oh if anyone wants to have a look at the WP scripts I run on the server, just ask.
