Servage Magazine


Keep your WordPress installation secure

Saturday, July 12th, 2014 by Servage

WordPress security is a prime concern for any WordPress programmer, so they take various measures to tackle it with the utmost care. There are many security plugins on the market to manage it, but they are not sufficient to do every job at every level. In due course, a WordPress developer has to learn various direct coding techniques to manage security aspects successfully.

At the coding level, the file system, and in particular its permissions and ownership, plays a crucial role and leaves serious vulnerabilities if handled without the necessary care. Therefore, for a WordPress programmer, security measures begin right at installation. If you don't have adequate knowledge of how to set the right permissions for access to your files and folders, and hence to your critical data, you might end up with fatal errors or a dead website. Thus, I have decided to address this issue in today's post.

Users, Groups, and World

If you have basic knowledge of programming, you surely know how we set up access for the different kinds of users to our website data, including all files and folders on the server. If we look at the roles of the various users, we can by and large categorize them in the following way.

The first and foremost user is yourself, who has to do everything from A to Z on your website source on the server, so you are the super admin. However, the server or server operator may need somewhat equal permissions or access level to yours, but not always and not for all files and folders.

Therefore, you can put them in a separate group as admin and grant a bit less permission or a lower access level than the super admin. This is true for standard/dedicated servers in particular, but not at all for shared hosting. In shared hosting, you need to give the server full access to your WordPress.

Other users, such as contributors in the case of blogs and managing or marketing staff in the case of e-commerce WordPress websites, are groups that need limited access compared to admin and super admin. Therefore, you can grant them only read and write permissions for the files and folders of your WordPress site; they do not need execute permissions.

Finally, there are the general public and miscellaneous groups, who want to use the WordPress website in read-only mode and do so through dynamic interaction according to the nature and business of the website. Therefore, we can by and large term them the world.

Permission mode

For the sake of simplicity in coding, these permission levels are given numbers and written as three digits:

  • The first digit is the permission level for the owner (admin/super admin)
  • The second digit is the permission level for the user group, or the admin group if the super admin role differs.
  • The third digit is the permission level for the public who view and use the website, who mostly need read-only mode.

If we want to allocate numbers to these permission levels, it is generally done in the following way:

  • Number 4 is set for read-only mode for the WordPress website files and folders
  • Number 2 is set for write mode, generally along with read mode, in order to modify the content of the files and folders
  • Number 1 is set for the execute permission level, so it allows addition and deletion as well as modification of the files and folders and of the code of the WordPress core itself. Thus, it is dangerous to allocate this level of permission to anyone or any unreliable authority.

Correct permission mode in different contexts

Now, if you are setting permissions for the super admin, you naturally allocate read (4), write (2), and execute (1) permissions. Thus, their sum is 7 (=4+2+1).

When you set permissions for your blog author, who has to upload content regularly, her account would have read (4) and write (2) permission levels, as she does not want to change the menu in the Appearance tab or configure any file in the source code, so she does not need execute (0) permission here. Thus, her code would be 6 (=4+2+0).

Now, your users or website visitors, who read the content of the website on their devices and sometimes fill in forms or write reviews or comments on the blog, need only the read permission level if they are signed in with you. Thus, their permission code would be 4 (=4+0+0), or 6 (=4+2+0) if they open an account with you.

In short, your permission code would be 764 or 766 in most cases. This way you can keep the security of your website tight and only grant full access (777) to other users, including your server, on a temporary and short-term basis. Otherwise, 644 is the best permission mode for all conditions.
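As an added example that is not part of the original post, the following Python script builds the three-digit codes from the read (4), write (2) and execute (1) values above, splits a code such as 644 back into owner, group and world rights, and audits a small constructed directory tree for entries whose public (third) digit grants write, which includes full access (777). The file and folder names are constructed for illustration only.

```python
# Added example (not from the original post): build, decode and audit the
# three-digit permission codes described above.
import os
import stat
import tempfile

READ, WRITE, EXEC = 4, 2, 1  # the digit values the post assigns to each right

def mode_from_rights(owner, group, world):
    """Build a code such as 764 from (read, write, execute) flags per class."""
    def digit(rights):
        r, w, x = rights
        return (READ if r else 0) + (WRITE if w else 0) + (EXEC if x else 0)
    return digit(owner) * 100 + digit(group) * 10 + digit(world)

def describe(code):
    """Split a code such as 644 into the rights of owner, group and world."""
    classes = ("owner", "group", "world")
    return {name: {"read": bool(int(d) & READ), "write": bool(int(d) & WRITE),
                   "execute": bool(int(d) & EXEC)}
            for name, d in zip(classes, f"{code:03d}")}

def risky(code):
    """True when the world (third) digit grants write, i.e. the public could
    modify the entry; this covers full access (777) as well."""
    return bool(int(f"{code:03d}"[-1]) & WRITE)

def audit_tree(root):
    """Return {relative path: code} for every entry under root that is risky."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            code = int(f"{stat.S_IMODE(os.lstat(path).st_mode):03o}")
            if risky(code):
                findings[os.path.relpath(path, root)] = code
    return findings

def demo_audit():
    """Create a small constructed tree resembling a WordPress install, apply
    codes from the post, and audit it. File names are illustrative only."""
    os.umask(0o022)  # new folders come out as 755, new files as 644
    root = tempfile.mkdtemp()
    layout = {"wp-config.php": 644, "wp-content/uploads/photo.jpg": 644,
              "wp-content/plugins/readme.txt": 766, "temp-upload.php": 777}
    for rel, code in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, int(str(code), 8))  # "766" read as octal -> 0o766
    return audit_tree(root)
```

Running `demo_audit()` on the constructed tree reports only the two entries whose third digit includes write, while the 644 files pass.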

References & More Reading

  • Proper WordPress Filesystem Permissions And Ownerships
  • Changing File Permissions
