400 Permission Code
Permission Code: 400 Owner Read-Only (Lockdown Mode)
400 grants **read-only** access to the **owner** and **no access** to group or others.
r--------
This mode is highly restrictive and is typically used to protect critical files from modification, including accidental edits. In WordPress VPS environments, it is used for **temporary hardening** or immutable protection during maintenance or audits.
Technical Structure
| No | Role | Bits | Access | Allowed? |
|---|---|---|---|---|
| 1 | Owner | r-- | read only | ✅ |
| 2 | Group | --- | no access | ✅ |
| 3 | Others | --- | no access | ✅ |
Behavior
- Owner can read the file contents
- Owner cannot write/edit
- Group and others cannot read or modify
- File becomes effectively locked
- Must be changed back before editing
WordPress Use Cases
| No | File / Location | Suitability | Reason |
|---|---|---|---|
| 1 | wp-config.php (temporary lock) | ✅ | protect during audit/incident |
| 2 | Deployment “freeze” files | ✅ | prevent accidental editing |
| 3 | Emergency response situations | ✅ | freeze config during breach |
| 4 | Permanent config lock | ❌ | difficult to maintain |
| 5 | Any WP theme/plugin files | ❌ | editing impossible |
400 is often used as a temporary security state, not a long-term default.
Typical Workflow Scenarios
Scenario: Post-deployment hardening
Temporarily prevent config edits after pushing live changes:
chmod 400 wp-config.php
Scenario: Forensic freeze during suspected compromise
chmod 400 wp-config.php
Then investigate without config tampering risk.
After finishing, restore to 600 or 640.
chmod 600 wp-config.php
Comparison With Other Secure Modes
| No | Mode | Owner | Group | Others | Use |
|---|---|---|---|---|---|
| 1 | 600 | rw- | --- | --- | standard secure config |
| 2 | 640 | rw- | r-- | --- | shared access group |
| 3 | 400 | r-- | --- | --- | read-only lockdown |
600 is normal security
400 is lockdown
Commands
Apply Lock
chmod 400 wp-config.php
Revert after maintenance
chmod 600 wp-config.php
Or, for a hardened group-aware setup:
chmod 640 wp-config.php
Ownership Requirements
The owner must be the correct user:
chown wpuser:www-data wp-config.php
If ownership is wrong, even the admin might be blocked from modifying the file.
Troubleshooting
| No | Symptom | Cause | Fix |
|---|---|---|---|
| 1 | Cannot update WP config | file is locked read-only | chmod 600 wp-config.php |
| 2 | Cannot modify env keys | locked | revert permissions |
| 3 | CLI scripts fail to adjust config | read-only | temporary lift |
| 4 | Site breaks on some stacks | server user needs read | ensure correct owner/group |
Verification
stat wp-config.php
Expected:
Access: (0400/-r--------)
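The lock, ownership check and revert steps above can be wrapped in one helper so that the mode in place before the lock is the one restored afterwards. This is an added example, not code from the original page; the function names and the script name cfglock.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example; function names are this example's own, not from the page.

file_mode() {   # octal mode: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

file_uid() {    # numeric owner uid
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# lock_config FILE: print the current mode, then set and verify 400.
lock_config() {
    [ -f "$1" ] || { echo "not a regular file: $1" >&2; return 1; }
    prev=$(file_mode "$1") || return 1
    chmod 400 "$1" || return 1
    [ "$(file_mode "$1")" = "400" ] || { echo "lock not applied: $1" >&2; return 1; }
    echo "$prev"
}

# reader_ok FILE UID: under 400 only the owner can read, so the PHP/web
# server uid must equal the owner uid or the site breaks (root and ACLs
# are not considered here).
reader_ok() {
    [ "$(file_uid "$1")" = "$2" ]
}

# unlock_config FILE MODE: restore, accepting only the page's two edit modes.
unlock_config() {
    case "$2" in
        600|640) chmod "$2" "$1" ;;
        *) echo "refusing mode '$2' (expected 600 or 640)" >&2; return 1 ;;
    esac
}

# Command-line use: sh cfglock.sh lock FILE | unlock FILE MODE | check FILE UID
case "${1:-}" in
    lock)   lock_config "$2" ;;
    unlock) unlock_config "$2" "$3" ;;
    check)  reader_ok "$2" "$3" && echo "uid $3 can read $2" ;;
esac
```

Mode 400 does not restrict root, and the owning account can still lift it with chmod, so the lock guards against accidental edits rather than against a process already running as the owner.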
Exercise
- Lock config: chmod 400 wp-config.php
- Attempt config modification (should fail)
- Attempt WP CLI with wrong user (should fail)
- Restore edit state: chmod 600 wp-config.php
Key Takeaways
| No | Statement | Status |
|---|---|---|
| 1 | 400 is read-only for owner | ✅ |
| 2 | Used for temporary config lockdown | ✅ |
| 3 | Must revert before editing | ✅ |
| 4 | Not for general WP files | ✅ |
| 5 | Works in breach response/maintenance mode | ✅ |
Summary:
Use 400 to temporarily lock critical config files from modification.
Return to 600 or 640 when editing is needed.