640 Permission Code
Permission Code: 640 Owner Read/Write, Group Read, Public No Access
640 grants read/write to the owner, read-only to the group, and **no access** to others.
rw-r-----
This is a **hardened file permission** used when you want the web server group to read files but prevent any access from the public. It's a common choice for sensitive, non-executable files on a WordPress VPS when the web server runs in the same group as the site user.
Technical Structure
| No | Role | Bits | Access | Allowed? |
|---|---|---|---|---|
| 1 | Owner | rw- | read/write | ✅ |
| 2 | Group | r-- | read-only | ✅ |
| 3 | Others | --- | no access | ✅ |
Behavior
- Owner can edit files.
- Web server (if in the group) can read files to serve PHP/HTML.
- Public users on the system have no read or list access to these files.
- Useful for **configs, logs, caches, and private content** that must be server-readable but not world-readable.
WordPress Use Cases
| No | Location/Type | Suitability | Reason |
|---|---|---|---|
| 1 | wp-config.php (with group = webserver) | ✅ | server reads, others blocked |
| 2 | .env or private app configs | ✅ | sensitive values, server-only read |
| 3 | Cache manifests and generated configs | ✅ | server must read; public blocked |
| 4 | PHP files in public tree | ✅ | safer than 644 if group is correct |
| 5 | Public assets (images, css, js) | ❌ | may need world-read on some stacks |
If your web server user isn't in the file's group, 640 may break reads. Align ownership.
Comparison With Neighbor Modes
| No | Mode | Owner | Group | Others | Typical Use | Notes |
|---|---|---|---|---|---|---|
| 1 | 644 | rw- | r-- | r-- | standard WP files | simpler, world-readable |
| 2 | 640 | rw- | r-- | --- | hardened WP files | requires correct group |
| 3 | 600 | rw- | --- | --- | secrets/configs | maximum restriction |
Ownership & Group Model (Critical)
To use 640, set the **group** to the web server (e.g., www-data for OLS/NGINX/Apache):
chown -R wpuser:www-data /var/www/your-site
This ensures the web server can read files that are 640.
Commands for Applying 640 Safely
Harden specific sensitive files
chmod 640 wp-config.php
chmod 640 .env
Apply broadly to files (only if group is correct)
find . -type f -exec chmod 640 {} \;
Keep directories traversable
find . -type d -exec chmod 750 {} \;
Minimum secure alternative (if group not aligned)
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
Practical Patterns
- **Hardened baseline** for private sites or controlled VPS:
  - Directories: 750
  - Files: 640
  - wp-config.php: 600
- **Standard baseline** for widest compatibility:
  - Directories: 755
  - Files: 644
  - wp-config.php: 600
Troubleshooting
| No | Symptom | Likely Cause | Fix |
|---|---|---|---|
| 1 | Blank pages / 403 | web server not in group | add server user to group or chown to :www-data |
| 2 | WP CLI read errors | CLI user not owner/group | run as site user or adjust group |
| 3 | Static assets not served | asset files at 640 on strict stack | use 644 for public assets, keep configs at 640 |
| 4 | Plugin cannot read config | plugin runs under different user/group | align ownership; avoid world-read |
Verification Steps
stat wp-config.php
# Expect: Access: (0640/-rw-r-----) Uid: (wpuser) Gid: (www-data)
ps aux | grep -E 'nginx|lshttpd|apache'
# Confirm which user/group serves the site
id www-data
# Confirm group memberships
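To run these checks across a whole tree rather than one file, the following added example (not part of the original page) audits modes and group ownership against the 750/640 baseline without changing anything. It assumes GNU find; `audit_640` and its finding labels are names made up for this example.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of a site tree
# against the hardened baseline (directories 750, files 640).
# Assumes GNU find (-perm /MODE and -printf).
# Usage: audit_640 DIR GROUP    GROUP = web server group name or numeric GID
# Returns 0 if clean, 1 if findings were printed, 2 on a bad DIR or GROUP.
audit_640() {
    dir=$1
    grp=$2

    # Preflight: fails if DIR is missing or GROUP does not resolve, so a typo
    # in the group name cannot produce a false "clean" result.
    find "$dir" -maxdepth 0 ! -group "$grp" >/dev/null 2>&1 || {
        echo "audit_640: bad directory or group" >&2
        return 2
    }

    findings=$(
        # Any bit set for "others" defeats the purpose of 640/750.
        # Symlinks are skipped because their own mode is always 777.
        find "$dir" ! -type l -perm /007 -printf 'OTHERS-ACCESS %m %p\n'
        # 640 only works when the group is the one the web server runs in.
        find "$dir" ! -group "$grp" -printf 'WRONG-GROUP %g %p\n'
        # No group read: intentional for files kept at 600, a bug elsewhere.
        find "$dir" -type f ! -perm -040 -printf 'NO-GROUP-READ %m %p\n'
        # Directories need group r-x (the 5 in 750) to be traversable.
        find "$dir" -type d ! -perm -050 -printf 'NO-GROUP-TRAVERSE %m %p\n'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run only when arguments are given, e.g.:
#   sh audit_640.sh /var/www/your-site www-data
if [ "$#" -ge 2 ]; then
    audit_640 "$1" "$2"
fi
```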
Exercise (Safe Environment)
- Align ownership and group:
  chown -R wpuser:www-data /var/www/your-site
- Apply hardened set:
  find . -type d -exec chmod 750 {} \;
  find . -type f -exec chmod 640 {} \;
  chmod 600 wp-config.php
- Test site access and WP-CLI usage as wpuser.
- If static assets fail, revert assets to 644 while keeping configs at 640/600.
Key Takeaways
| No | Statement | Status |
|---|---|---|
| 1 | 640 blocks public read while allowing group read | ✅ |
| 2 | Requires correct group ownership (:www-data) | ✅ |
| 3 | Good for configs, caches, private files | ✅ |
| 4 | May break static assets on some stacks | ✅ |
| 5 | Combine with 750 directories and 600 for wp-config.php | ✅ |