File permission questions related to my WordPress install

I haven't been able to completely wrap my brain around file permissions and owner rights.

I have several websites installed in my user home directory using the structure

~/public_html/website/public/…

WordPress recommends setting the wp-config.php and .htaccess to 0640

But if I try to set either file to 0640 then no one can view my site.

So I have to use 0644

But from what I read, it sounds like I'm leaving myself very vulnerable by doing so.

Could anyone help me understand this?

Thanks

4 Replies

0644 is fine; it translates to:

owner can write, group can read, others can read.

Since your files are not owned by your web server or in your web server's group you need to have them readable by others.

Thanks obs, I appreciate the reply

So am I assuming correctly then that having a critical file with my database passwords in it and such - set world readable - is ok because I am the only one with access to my VPS?

That a 0644 is really a setting that has to do with a more open environment like shared hosting or multiple users?

Just want to make sure I understand why it is ok in my case.

Also, is it possible to add the web server group to my group so that I could make it 640?

(edit: or perhaps it is either root or user in my case… possibly adding root to my user group?)

Sorry for the noob questions -- I just want to be able to understand the why.

Thanks!

It's not you that needs read permissions, it's your web server, so the web server would have to be in the group for the file, or use chgrp to change the file group to the web server's group.

It's normal for all files to be readable by "others" on a VPS, since normally you have users uploading files, so files will be created 0644 with the user and group of the uploader, while the server runs as www-data or nobody (or some other user).

In a shared environment if it's configured poorly then in theory a 0644 file can be read via ssh/ftp/a system call from a script i.e. someone could do and pull up your database settings, and then access your database from their account. VPS don't have that problem (assuming everyone that has access to your vps is allowed to view the settings.php file).

There are other ways to deal with this; for example, if running PHP as FCGI, then you can set PHP to run as the user of the files uploaded, so that the permissions can be as restrictive as 0600.

If you're the only one on your server, just leave it as 0644; you'll be fine.

I always change permissions on those kinds of files. If they are in my public_html:

chown www-data:mynormaluser config.php
chmod 0660 config.php

If they are in /var/www, I set group to "root" in the above chown command.
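
Added example, not part of any reply above: a shell check of the point the replies make, that only one permission class (owner, group or other) is consulted for a given account, which is why 0640 locks out a web server that is neither the owner nor in the file's group. The function names are hypothetical; the code assumes GNU `stat` (Linux) and ignores ACLs, root's override and directory permissions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Linux); ignores
# ACLs, root's override and execute bits on the parent directories.

# read_class FILE UID "GID ..." -> prints which class applies: owner|group|other
read_class() {
    f_uid=$(stat -c '%u' "$1") || return 2
    f_gid=$(stat -c '%g' "$1") || return 2
    if [ "$2" = "$f_uid" ]; then echo owner; return 0; fi
    for gid in $3; do
        if [ "$gid" = "$f_gid" ]; then echo group; return 0; fi
    done
    echo other
}

# can_read FILE UID "GID ..." -> exit 0 if the applicable class has its read bit.
# Only one class is consulted: a group member never falls through to "other".
can_read() {
    class=$(read_class "$1" "$2" "$3") || return 2
    mode=$(stat -c '%a' "$1") || return 2      # octal digits, e.g. 640
    case $class in
        owner) mask=0400 ;;
        group) mask=0040 ;;
        other) mask=0004 ;;
    esac
    [ $(( 0$mode & $mask )) -ne 0 ]
}

# can_user_read FILE USER -> same check for a real account, e.g. www-data
can_user_read() {
    cu_uid=$(id -u "$2") || return 2
    cu_gids=$(id -G "$2") || return 2
    if can_read "$1" "$cu_uid" "$cu_gids"; then
        echo "$2 can read $1 via '$class' bits (mode $mode)"
    else
        echo "$2 cannot read $1: '$class' bits lack r (mode $mode)"
        return 1
    fi
}

# Usage: sh script.sh wp-config.php www-data
if [ $# -eq 2 ]; then can_user_read "$1" "$2"; fi
```

Running it against wp-config.php with the web server's account before and after a chgrp shows whether 0640 will still serve the site.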
