Why Need Permissions?
**Foundation: Why Permissions Matter for WordPress Security**
Prerequisites
- **Access Level:** sudo user or root access.
- **Software:** SSH client (e.g., PuTTY for Windows, Terminal for macOS/Linux).
- **Knowledge:** Basic navigation (`ls`, `cd`) and file handling (`cp`, `mv`, `rm`).
5W + 1H Framework
| Question | Answer |
|---|---|
| What | Permissions control who can read, write, or execute files and directories. |
| Why | Incorrect permissions allow attackers to modify or upload malicious files into WordPress. |
| When | Always after installing/migrating WordPress, before going live, and during audits. |
| Where | Key directories: /var/www/, wp-content/, uploads/, and critical files like wp-config.php. |
| Who | System administrators, WordPress developers, VPS managers. |
| How | By using commands like ls -l, chmod, chown, and following WordPress security best practices. |
Permission Basics
| Component | Symbol / Octal Value | Meaning |
|---|---|---|
| Owner | First set of rwx | Permissions for the file creator. |
| Group | Second set of rwx | Permissions for users in the same group. |
| Others | Third set of rwx | Permissions for all other users. |
| Read (r) | 4 | Can view file contents or list directory. |
| Write (w) | 2 | Can modify file or create/remove files in a directory. |
| Execute (x) | 1 | Can run a file (script) or enter a directory. |
Core Commands with Expected Outputs
`ls -l`: View Permissions
```bash
ls -l wp-config.php
```
Output:
```
-rw-r--r-- 1 www-data www-data 4201 Sep 23 10:00 wp-config.php
```
Explanation: `rw-r--r--` means the owner can read and write, the group can read, and others can read; `www-data` is both the owner and the group.
**Use Case:** Verify WordPress file security.
`stat`: Detailed Metadata
```bash
stat wp-config.php
```
Output:
```
File: wp-config.php
Size: 4201 Blocks: 8 IO Block: 4096 regular file
Access: (0644/-rw-r--r--) Uid: ( 33/www-data) Gid: ( 33/www-data)
Access: 2025-09-23 10:01:55
Modify: 2025-09-22 14:13:20
Change: 2025-09-22 14:13:20
```
**Use Case:** Detect unauthorized changes in sensitive WordPress files (a Modify or Change time that does not match your last deployment is the first hint).
Common Permission Codes
| Code | Meaning | Typical Use |
|---|---|---|
| 600 | Owner read/write only | wp-config.php |
| 644 | Owner read/write, others read | WordPress core files |
| 755 | Owner full, others read/execute | Directories (wp-content, plugins) |
| 700 | Owner full only | Private scripts/backups |
WordPress-Specific Benefits
| Area | Correct Permissions | Benefit |
|---|---|---|
| wp-config.php | 600 | Protects DB credentials from other users. |
| /var/www/html/ | 755 | Ensures WordPress runs but prevents public modification. |
| uploads/ | 755 | Allows media upload but prevents execution of scripts. |
| themes/ & plugins/ | 755 | Usable by WordPress, not writable by outsiders. |
Implementation Steps
- Audit current permissions: `find /var/www/ -type f -exec ls -l {} \; | head`
- Fix WordPress file permissions: `find /var/www/html/ -type f -exec chmod 644 {} \;`
- Fix WordPress directory permissions: `find /var/www/html/ -type d -exec chmod 755 {} \;`
- Harden wp-config.php: `chmod 600 /var/www/html/wp-config.php`
Use Case Scenarios
| Scenario | Action | Outcome |
|---|---|---|
| New WordPress Install | Apply 644 to files, 755 to directories | Prevents accidental file editing by other users. |
| Shared VPS Hosting | Harden wp-config.php to 600 | Stops neighboring accounts from reading DB credentials. |
| Post-Hack Recovery | Audit permissions with find + ls -l | Identifies files changed to 777 by attackers. |
| Plugin Upload | Ensure uploads/ is 755 but not 777 | Allows uploads but blocks malicious scripts. |
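As an added example (not from the original page), the checks in the Implementation Steps and the Post-Hack Recovery scenario turned into a POSIX sh audit: it lists anything world-writable, a `wp-config.php` that is not 600, files that are not 644 and directories that are not 755, and a second function turns that into an exit status a deployment script or cron job can act on. The function names `audit_wp_perms` and `wp_perms_clean` are my own; the script assumes the WordPress root is passed as its only argument and that `wp-config.php` sits directly inside it.

```shell
# Added example (not the original page's code). Audit a WordPress tree
# against the targets above: 644 files, 755 directories, 600 wp-config.php.
# Assumes $1 is the WordPress root and wp-config.php lives directly in it.
# Usage: audit_wp_perms /var/www/html
audit_wp_perms() {
    root="$1"

    # 1. Anything world-writable (777, 666, ...): the post-hack tell-tale.
    #    -perm -002 means "others have the write bit", files and dirs alike.
    find "$root" -perm -002 -exec printf 'WORLD_WRITABLE %s\n' {} \;

    # 2. wp-config.php must be exactly 600 (owner read/write only).
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 \
        -exec printf 'CONFIG_MODE %s\n' {} \;

    # 3. Regular files that are not 644, skipping wp-config.php (checked
    #    above) and anything already reported as world-writable.
    find "$root" -type f ! -name wp-config.php ! -perm -002 ! -perm 644 \
        -exec printf 'FILE_MODE %s\n' {} \;

    # 4. Directories that are not 755, again skipping world-writable ones.
    find "$root" -type d ! -perm -002 ! -perm 755 \
        -exec printf 'DIR_MODE %s\n' {} \;
}

# Exit status 0 when the audit printed nothing, 1 when there is any finding,
# so "wp_perms_clean /var/www/html || alert" works in a cron job.
wp_perms_clean() {
    [ -z "$(audit_wp_perms "$1")" ]
}
```

Each finding is one line prefixed with its category, so the output can be grepped or fed straight into a ticket.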
Best Practices
- Never use `777` on WordPress files or folders.
- Keep `wp-config.php` with **minimum permissions** (typically `600`).
- Regularly audit permissions with `find` + `stat`.
- Match file ownership to the web server user (usually `www-data`).
- Apply stricter permissions for staging or development servers.
Quick Lab
```bash
cd /var/www/html
ls -l wp-config.php
chmod 600 wp-config.php
ls -l wp-config.php
find . -type d -exec chmod 755 {} \;
# Exclude wp-config.php so the 600 set above is not reset to 644
find . -type f ! -name wp-config.php -exec chmod 644 {} \;
```
Expected Results:
- `wp-config.php` now has `rw-------` (600).
- All directories show `drwxr-xr-x` (755).
- All other files show `rw-r--r--` (644).
Cheat Sheet
| Command | Purpose |
|---|---|
| `ls -l` | View file permissions and ownership. |
| `stat file` | Show detailed file metadata. |
| `chmod 644 file` | Secure WordPress files. |
| `chmod 755 dir` | Secure directories. |
| `chmod 600 wp-config.php` | Lock down sensitive credentials. |
| `find /path -type f -exec chmod 644 {} \;` | Apply file permissions recursively. |
| `find /path -type d -exec chmod 755 {} \;` | Apply directory permissions recursively. |
Mini Quiz
- What does each section (owner, group, others) in `rw-r--r--` mean?
- Why should `wp-config.php` have `600` permissions instead of `644`?
- Which is safer for `uploads/`: `755` or `777`? Why?
- What command would you use to reset all WordPress directories to `755`?
- How can `stat` help you detect tampered WordPress files?