Correct file permissions for WordPress
I've had a look over here but didn't find any details on the best file permissions. I also took a look at some of WordPress's form's questions over here too but anybody that suggests 777 obviously needs a little lesson in security.
In short my question is this. What permissions should I have for the following:
- root folder storing all the WordPress content
- wp-admin
- wp-content
- wp-includes
and then all the files in each of those folders?
Answer
When you setup WP you (the webserver) may need write access to the files. So the access rights may need to be loose.
chown www-data:www-data -R * # Let Apache be owner
find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--
After the setup you should tighten the access rights, according to Hardening WordPress all files except for wp-content should be writable by your user account only. wp-content must be writable by www-data too.
chown <username>:<username> -R * # Let your useraccount be owner
chown www-data:www-data wp-content # Let apache be owner of wp-content
Maybe you want to change the contents in wp-content later on. In this case you could
- temporarily change to the user to www-data with
su, - give wp-content group write access 775 and join the group www-data or
- give your user the access rights to the folder using ACLs.
Whatever you do, make sure the files have rw permissions for www-data.