November 5, 2016 - No Comments!

How to protect WordPress adding file permissions

Do you want to make secure your website, protect WordPress and complicate the lives of bad guys?

In this post I will explain how and which permissions apply to your website to protect WordPress

If you are reading this guide, you're probably in my same situation. A few months ago one of my websites was constantly hacked and I was losing hours in continuous clean-up operations... Boring, isn't it?

After many wasted hours I decided to find a lasting solution that would allow me to fix the problem permanently, protecting my website.

First of all, this guide assumes that your site is hosted on Linux and that you can access through shell.

Why you should use Linux? Windows does not fit for WordPress?

Windows may be fine to host WordPress, but you've to be ready to make settings that are not really affordable for everyone. If you are interested in a good hosting for WordPress I recommend you Siteground. Here you can find my review about this wonderful hosting company.

Let's go back to the main topic, what should we do to protect WordPress? As already mentioned a good solution would be to apply specific permissions to files and folders.

protect_wordpress-themelovin

If you're wondering why it's so important you'll explain it to you and you'll see that you will agree with me, but before proceeding what do you think to share this article?

 

The hackers may edit your website's files adding some scripts in them or even uploading unwanted files, this will ensure that your site to be totally in their hands and it will not take long before Google will report it as a compromise.

Obviously a compromise website will be penalized in the search results, thus causing even evident damage.

It's important to apply permissions to files and folders to prevent the site from being compromised before it's too late.

But let's not waste more time and see the permissions we're talking about; first of all access to your website folder connecting by SSH to the server, ex:

ssh [email protected]
cd /var/www/yoursite/public/

Now add the proper permissions reported below:

find . -type f -exec chmod 440 {} \;

find . -type d -exec chmod 550 {} \; find wp-content/uploads/ -type f -exec chmod 640 {} \; find wp-content/uploads/ -type d -exec chmod 750 {} \;

Let's analyze what we have just written; the first line will add read permission to the owner and the group for all the WordPress, plugins and themes files.

find . -type f -exec chmod 440 {} \;

The second line grant read and execute permissions on folders to owner and his group and no permissions for all other users.

find . -type d -exec chmod 550 {} \;

The third line add read and write permissions to all files in wp-content/uploads folder for the owner, only read permission to his group and no permissions for all other users.

find wp-content/uploads/ -type f -exec chmod 640 {} \;

The last one add write, read and execute permissions on folders in wp-content/uploads for the owner, read and execute for his group and no permissions for all other users.

find wp-content/uploads/ -type d -exec chmod 750 {} \;

That's it, now all your files and folders have the right permissions, and your WordPress is safe.

Please note that from this moment you can't update WordPress 'cause now files and folders are blocked. To restore the previous permissions you can use the following commands:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

Well, all is ok, what do you think?

Published by: Themelovin in Code, Security
Tags: ,

Leave a Reply