Security is a key concern for every owner of a WordPress website. An extensive collection of plugins makes it feasible for every WordPress site or blog owner to secure the site against all sorts of security breaches. File permissions and ownership are perhaps two of the most commonly overlooked WordPress security features. Through this post, I intend to throw some light on the critical aspects of WordPress file-system permissions and ownerships.
Understanding the need for setting permissions and ownerships post WordPress installation
There can be major consequences of not setting up the file-system permissions and ownerships for your WordPress site or blog. Here are a few:
- A majority of your security measures would be easily bypassed by intruders.
- A blank white screen when the user tries loading the website for the very first time.
- An error message when the user tries uploading images using the WordPress default media uploader.
Understanding users and groups
A user is a particular account that has access to the computer, while a group is the identifier for a specific set of users. To put it simply, every time you transfer files via FTP, you use a user account on the server. Depending on how the host has set up this user account, you'll belong to one or more groups. Both users and groups play a vital role in identifying which privileges apply to which files and folders. For instance, the owner of a file will have full privileges, followed by users belonging to the same group, who would have fewer privileges on the file, and finally everyone else, who wouldn't have any privileges on the file. These privileges are termed “permissions”.
Unleashing File-system Permissions
A permission dictates what a user can do with a particular file. It is represented by a set of numbers such as 744 or 888, which is called a permission mode. For instance, while installing a plugin in WordPress, you might have been asked to change a file permission. The reason is that the plugin isn't able to write to the respective file or directory. By modifying the file permissions, you permit your web server to access the file or folder in question.
A permission mode can be regarded as a set of “who can do what” statements, wherein each digit corresponds to the “who” part of the statement, as explained below:
- The first digit denotes what the user account that owns the file can do
- The second digit denotes what the other user accounts in the file owner's group can do
- The third digit denotes what all other users (including unregistered website visitors) can do
Each digit's value corresponds to the “what” part of the statement and is the total of any combination of the numbers explained below:
- 4 - users are able to read a file or the names of the files within a folder
- 2 - users are able to modify a file or the contents of a folder
- 1 - users are able to run a file or access the files stored in a folder
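
The scheme above carried through in shell, as an added example that is not part of the original post: it splits a three-digit mode into its “who” digits and breaks each digit back into the 4, 2 and 1 it is the total of. The function name `describe_mode` is hypothetical.

```sh
#!/bin/sh
# Added example: turn a permission mode into "who can do what" statements.
# usage: describe_mode 744
describe_mode() {
    mode=$1
    # Each digit is a total of 4, 2 and 1, so only 0 to 7 can occur.
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    out=""
    i=1
    # First digit: owner, second: owner's group, third: everyone else.
    for who in owner group others; do
        digit=$(printf '%s' "$mode" | cut -c"$i")
        what=""
        if [ $((digit & 4)) -ne 0 ]; then what="${what}read,"; fi
        if [ $((digit & 2)) -ne 0 ]; then what="${what}modify,"; fi
        if [ $((digit & 1)) -ne 0 ]; then what="${what}run,"; fi
        what=${what%,}
        out="${out}${who}=${what:-nothing};"
        i=$((i + 1))
    done
    printf '%s\n' "${out%;}"
}
```
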
A look at changing file permission modes in WordPress
FTP clients provide an intuitive interface for changing the permission mode of files and folders. Here's a screenshot of such an interface:
You can also use the chmod command to change a file or folder's permission mode:
sudo chmod 744 <file>
This method is applicable only if you have access to the server's terminal.
Getting to know everything about File and Folder Ownership for WordPress
In order to adjust the file and folder ownerships for your WordPress files, you'll have to ensure the following:
- Your user account is itself the owner of all WordPress files and folders.
- Your user account and the web server's user account both belong to the same user group.
You can run the following command in your server terminal to determine the groups that your user account belongs to:
groups
To find the groups your web server belongs to, you can include (only temporarily) the PHP snippet below in any one of your WordPress scripts:
echo exec( 'groups' );
However, if your user and the web server do not share a group, you can run the following command to add the user to one of the web server's groups:
sudo usermod -a -G <a-shared-group-name> customuser
Last but not least, if you want to ensure that everything in your WordPress folder belongs to your user account and has the shared group, run the following command in the WordPress folder:
sudo find . -exec chown customuser:a-shared-group-name {} +
That's it!
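
A read-only check to run after the commands above, added here as an example and not part of the original post: it lists every entry that is not owned by your user, is not in the shared group, or can be modified by everyone else. The function names `audit_wp_tree` and `make_sample_tree` and the sample file names are hypothetical, and the sample tree is constructed for trying the check offline.

```sh
#!/bin/sh
# Added example: report entries that break the ownership layout described above.
# usage: audit_wp_tree . customuser a-shared-group-name
# Owner and group may be names or numeric ids; empty output means clean.
audit_wp_tree() {
    root=$1; owner=$2; group=$3
    {
        # Not owned by your user account
        find "$root" ! -user "$owner" -print | sed 's/^/wrong-owner /'
        # Not assigned to the group shared with the web server
        find "$root" ! -group "$group" -print | sed 's/^/wrong-group /'
        # Third digit includes 2: every account on the server can modify it
        find "$root" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
    } | sort
}

# Constructed sample tree (hypothetical file names) for an offline trial.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/wp-content/uploads"
    : > "$dir/wp-config.php"
    : > "$dir/wp-content/uploads/notes.txt"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/uploads"
    chmod 640 "$dir/wp-config.php"
    chmod 666 "$dir/wp-content/uploads/notes.txt"   # deliberately too open
    printf '%s\n' "$dir"
}
```
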
Conclusion
Here's hoping the post above has helped you gather useful insights on the file permissions and ownerships applicable to a WordPress-powered website.
Take care when updating any security feature on your website: while moving from PSD to WordPress, the security features of the process are different, but once you have moved completely you will have all access.