I’ve already read http://codex.wordpress.org/Hardening_WordPress but I can’t get my head around it. What permissions should be set, and who should own the files? Right now I have set them as the result of the following commands:
# reset to safe defaults
find /usr/share/wordpress -exec chown www-data:www-data {} \;
find /usr/share/wordpress -type d -exec chmod 755 {} \;
find /usr/share/wordpress -type f -exec chmod 644 {} \;
# allow wordpress to manage wp-config.php (but prevent world access)
chgrp www-data /usr/share/wordpress/wp-config.php
chmod 660 /usr/share/wordpress/wp-config.php
# allow wordpress to manage .htaccess
chgrp www-data /usr/share/wordpress/.htaccess
chmod 664 /usr/share/wordpress/.htaccess
# allow wordpress to manage wp-content
find /usr/share/wordpress/wp-content -exec chgrp www-data {} \;
find /usr/share/wordpress/wp-content -type d -exec chmod 775 {} \;
find /usr/share/wordpress/wp-content -type f -exec chmod 664 {} \;
After this configuration the installation is unusable. Any tips?
Here’s a quick recap of how I manage permissions on my servers:
So it doesn’t matter who owns the .php files, as long as the apache user can read them. Allowing the apache user to modify these files is a risk, even .htaccess. The downside of all of this is that you’ll need to provide WordPress with FTP credentials to do things like install or delete a plugin, update a theme or core, etc. That’s something I can live with.
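As an added example (not the question's or the answer's own commands), the following POSIX sh audit lists what the web server account could modify under a WordPress root, which is how you check the answer's rule that Apache may only read the .php files and .htaccess. The web user/group (defaulting to www-data:www-data, as on Debian/Ubuntu) and the WP_ROOT argument are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example (not the question's or the answer's own commands): list the paths
# under a WordPress root that the web server account could modify. Per the answer,
# Apache should only be able to read .php files and .htaccess, so anything printed
# outside the wp-content paths you deliberately opened is worth a look.
# Assumptions (not from the page): the web server runs as the user/group passed
# in, defaulting to www-data:www-data as on Debian/Ubuntu.

# writable_by_web ROOT USER GROUP
# Prints every path that USER could write to by mode: owned by USER with the
# owner-write bit, owned by GROUP with the group-write bit, or world-writable.
# Symlinks are not followed; ACLs are not considered.
writable_by_web() {
    wb_root=$1 wb_user=$2 wb_group=$3
    find "$wb_root" \( -user "$wb_user" -perm -u=w \) -o \
                    \( -group "$wb_group" -perm -g=w \) -o \
                    -perm -o=w
}

# count_writable ROOT USER GROUP
# Same test, reduced to a number for use in scripts or monitoring checks.
count_writable() {
    writable_by_web "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage: ./wp-writable-audit.sh /usr/share/wordpress [www-data [www-data]]
if [ -n "${1:-}" ]; then
    WP_ROOT=$1 WEB_USER=${2:-www-data} WEB_GROUP=${3:-www-data}
    echo "Paths under $WP_ROOT writable by $WEB_USER (should not include .php or .htaccess):"
    writable_by_web "$WP_ROOT" "$WEB_USER" "$WEB_GROUP"
    echo "Total: $(count_writable "$WP_ROOT" "$WEB_USER" "$WEB_GROUP")"
fi
```

Run it after any permission change and again on a schedule: a .php file or .htaccess appearing in the output means the web server account has exactly the write access the answer warns against.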