
Security page changes (4): Updating File system

Open javiercasares opened this issue 4 years ago • 2 comments

The actual File system section IMO is over-explaining things for hosters. We should simplify a little and focus on recommendations but not a full explanation.

Also, for the explanation we have an Article called Changing File Permissions. We may link to that and not duplicate information.

ACTUAL TEXT:

File System

The setup of your hosting account's file system can have a large impact on the security of WordPress. Setting proper file permissions and ownership is important for ensuring unauthorized users cannot access or modify WordPress's files.

File Permissions

This section on file permissions focuses entirely on file permissions on Linux servers. If you are using a Windows server, please consult with your hosting provider or a Windows server administrator for help setting the proper permissions.

Linux file permissions consist primarily of three components -- the permissions the owner of the file or folder has, the permissions members of the group that owns the file or folder have, and the permissions that anyone else has for accessing or modifying the file and folder. The three permission components are usually represented using three numbers in order of the owner's permission level, the group's permission level, and everyone's permission level. There is technically a fourth component, but that is beyond what we need to know to secure WordPress. It will not be discussed here.

There are three kinds of access each for the user, the group, and everyone else. They are read access, write access, and execute access. Read access lets you read the contents of the file or the directory. Write access lets you modify the file or the directory. And execute access lets you run the file like a program or a script.

Numeric Representation of File Permissions

Linux stores these different kinds of access internally as bits (i.e. in binary form). They are commonly represented in human-readable form as the numbers 4 (read access), 2 (write access), and 1 (execute access). These numbers are added together to represent different combinations of the three kinds of access you can have.

Symbolic Representation of File Permissions

Some programs will represent the different kinds of access using letters instead of numbers. When using symbols, the kinds of access are still read access, write access, and execute access. Instead of numbers, the kinds of access are represented using "r" (read access), "w" (write access), "x" (execute access). These three letters are combined together (e.g. "rwx", "rw", "wx", etc.) to represent the different combinations of the three kinds of access you can have.

Examples of Linux File Permissions

Symbolic Numeric Permissions
---------- 000 no permissions
-r-------- 400 read only for user
-rw------- 600 read & write only for user
-rwx------ 700 read, write, & execute only for user
-rwxr-xr-x 755 read, write, & execute for user, only read & execute for group and everyone else
-rw-r--r-- 644 read & write for user, only read for group and everyone else
-rwxrwxrwx 777 read, write, and execute for user, group, and everyone else. Do not use. Security Risk.

Recommended Default Linux File Permissions

File permissions are going to be different based on needs and server setup. Keep file permissions as restricted as possible, avoiding giving permissions that are not needed. Keep in mind WordPress needs the ability to write to its own files for updates, including automatic security updates.

User Accounts

WordPress websites should be run as non-privileged users. If possible, separate WordPress websites should be run as separate users in order to isolate WordPress websites from one another. In addition, the web server used to process PHP scripts and requests for WordPress websites should be configured to handle requests as a non-privileged user. The exact configuration of your users and web server will vary depending on your server environment, choice of web server, and the installed web server modules.

Core and Upload Write Permissions

For automatic security updates to function, PHP must be able to overwrite WordPress' core files. If you do not handle automated updates at the infrastructure level, this is the recommended practice.

Additionally, WordPress stores assets and user uploaded files in a special uploads directory located in /wp-content/uploads, by default, within the WordPress root. The uploads directory must be web-accessible in order for user content and uploaded assets to be loaded by a browser. PHP will also need to be able to write to the user's uploads folder for WordPress to handle uploading user content.

NEW PROPOSAL:

File system

Your hosting account file system settings can have a big impact on the security of WordPress. It is important to set proper file ownership and permissions to ensure that WordPress files cannot be accessed or modified by unauthorized users.

File Permissions

NOTE: This section on file permissions focuses entirely on permissions on Linux servers.

File and folder permissions in Linux have 2 main elements: the owner and the actions allowed.

When we talk about the owner we have 3 parts, the owner itself, the group it belongs to, and the rest. Depending on the configuration of your web server you will have to take into account and give the necessary permissions accordingly. In this case we are going to deal with the owner (necessary for WordPress actions) and the group and the rest (necessary for users to be able to visit the website).

When we talk about the allowed actions we're checking if they can be read, written or executed.

If we put this combination together, as a rule, we'll give read/write/execute permissions to the owners in folders, read/write permissions to the owners in files. On the other hand, we will give read/execute permissions to the folders and read permissions to the files. This is summarized in:

  • Folders: 755
  • Files: 644

Can we be restrictive on some elements, for safety's sake? Yes, for example, the file that contains keys and more data is wp-config.php; in this case, this file is only accessible by the owner of the site, but it does not have to be accessible from outside. This is why this particular file could be given 600 permissions.

Still, check with your provider about these settings, as they may vary depending on the web server, operating system and other factors.

User accounts

Operating systems allow you to create users. Each user has the possibility to access one or another place depending on whether they are allowed to or not.

In the case of WordPress, a user can be the owner of one or many sites, but in case there is an undue access, the fact that a user has many WordPress can jeopardize the rest. This is why it usually happens that when they hack one, they usually hack all of them.

If possible, it is highly recommended that WordPress installations be done with different users who only have access to one WordPress.

Core and Media Writing Permissions

For WordPress to work properly, it is necessary that PHP allows access to files and can write, especially if you have automatic updates or want WordPress itself to manage everything possible.

In addition, installations usually have the /wp-content/uploads/ folder configured by default as a storage for files uploaded through the Media area of the system. For the system to work, PHP must be able to write to this folder.

Execution permissions for PHP

To increase the security, and taking into account that by default in the "uploads" folder there are no PHP files, we can state that it is the folder that has more possibility of attacks, since plugins and other systems upload elements there. If by any chance you manage to upload some kind of script there that could be executed from the outside, you could block its execution.

In this case, for example, you can add in that folder /wp-content/uploads/ a .htaccess file with the following content:

<Files ~ ".+\.php">
  Deny from All
</Files>

javiercasares, Jun 06 '20 07:06
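
An added example, not part of the original issue or the handbook: a Python audit that walks a WordPress root and reports anything more permissive than the proposal's 755/644/600 modes, plus PHP-named files under /wp-content/uploads/ (matched with the same pattern as the .htaccess rule). The function names and the sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Modes from the proposal: folders 755, files 644, wp-config.php 600.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600
UPLOADS = os.path.join("wp-content", "uploads") + os.sep
PHP_NAME = re.compile(r".+\.php")  # same pattern as the .htaccess rule


def audit_wordpress_tree(root):
    """Return sorted (relative_path, problem) findings for a WordPress root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            st = os.lstat(os.path.join(root, rel))
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced on Linux
            is_dir = stat.S_ISDIR(st.st_mode)
            allowed = (CONFIG_MODE if rel == "wp-config.php"
                       else DIR_MODE if is_dir else FILE_MODE)
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:  # any bit granted beyond the recommended mode
                findings.append((rel, f"mode {mode:03o} exceeds {allowed:03o}"))
            if rel.startswith(UPLOADS) and not is_dir and PHP_NAME.search(name):
                findings.append((rel, "PHP file in uploads"))
    return sorted(findings)


def build_sample_tree(root):  # constructed sample site, not real data
    layout = {"index.php": 0o644, "wp-config.php": 0o644,
              "wp-content/plugins/hello.php": 0o666,
              "wp-content/uploads/2020/photo.jpg": 0o644,
              "wp-content/uploads/2020/avatar.php": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)  # normalise directories regardless of umask
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*audit_wordpress_tree(tmp), sep="\n")
```

The check compares mode bits only; ownership and the per-site user separation discussed under "User accounts" still have to be reviewed against the actual server setup.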

Also, we may explain something for Windows users (at least some minimal security recommendations).

javiercasares, Jun 06 '20 07:06

#15

javiercasares, Jun 06 '20 07:06

Moved to: https://github.com/WordPress/Advanced-administration-handbook/issues/154

javiercasares, Feb 17 '23 07:02