Securing File Permissions and Server Settings on WordPress

To secure file permissions and server settings on a WordPress site, follow these best practices:

• Set directory permissions to 755 (rwxr-xr-x) so the owner can read, write, and execute, while group and others can read and execute only. This allows the web server to access directories properly without granting excessive rights.

• Set file permissions to 644 (rw-r--r--) for most files, allowing the owner to read and write, and others only to read. This prevents unauthorized modification while enabling the server to serve files.

• Restrict sensitive files further, especially wp-config.php and .htaccess:

  • wp-config.php should be set to 600 or 640 (read/write only by owner, no access for others) to protect database credentials and configuration.
  • .htaccess typically uses 644, but can be tightened depending on hosting environment.

• Never use 777 permissions (full read/write/execute for everyone) as it allows any user or process to modify files, creating a major security risk.

• Ensure proper file ownership: Files should be owned by your user account, not the web server user, to maintain control and reduce risk of unauthorized changes. Group ownership may be configured to allow the web server access where necessary.

• Limit write permissions only to directories where WordPress needs to modify files, such as the wp-content/uploads folder for media uploads. Other directories and files should be read-only for the web server.

• Disable PHP execution in upload directories (e.g., /wp-content/uploads/) using server rules (.htaccess or NGINX config) to prevent execution of malicious scripts uploaded there.

• Block direct access to sensitive files like wp-config.php and .htaccess at the server level using Apache or NGINX directives to prevent unauthorized viewing or downloading.

• Use security plugins or managed hosting features that provide real-time file integrity monitoring, automatic patching, and firewall protection to detect and prevent unauthorized changes or attacks.

• Regularly audit file permissions and ownership to ensure they have not been altered unexpectedly, especially after FTP uploads or plugin/theme installations.

• Follow hosting provider guidelines as some environments may require specific permission settings or ownership configurations.

In summary, the recommended permission scheme is:

Implementing these settings alongside server-level restrictions and security monitoring significantly reduces the attack surface of your WordPress site and protects against common exploits targeting file permissions and server configuration.