Wordpress permissions folders

Hello ,

I just installed hestiacp on my server and then i moved my wordpress site on it (ftp and mysql) .

The problem comes when i want to update / install plugins and upload files / images , no permissions to do that .

I have try chmod 755 / 777 from ssh with root user for folders and no results . Can anyone help me ?thx

Can you please share a screenshot? We need to know what is complaining about permissions and how.

If you have done that, then it might be something else. With that permissions the user www-data should read and write and therefore it should work…

“Folder can not be created”
“The file can’t be uploaded”

Correct permissions for wordpress eg for user bob and site mysite.com

cd /home/bob/web/mysite.com/public_html 
# double check you're in the right directory! 
chown -R bob:bob * 
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

Thanks , solved . :beer:

Use permissions to harden WP security

To avoid infections maybe we could have an option in the panel to toggle (activate/deactivate) write permissions on files and directories

#set read only
find /home/bob/web/mysite.com/public_html -type d -exec chmod -w {} ;
find /home/bob/web/mysite.com/public_html -type f -exec chmod -w {} ;

#normal permissions
find /home/bob/web/mysite.com/public_html -type d -exec chmod +w {} ;
find /home/bob/web/mysite.com/public_html -type f -exec chmod +w {} ;

We could exclude cache folders and wordpress uploads maybe or only change permissions for php files.
#read-only permissions
find /home/bob/web/mysite.com/public_html -type f -name "*.php" -exec chmod -w {} \;

#normal permissions
find /home/bob/web/mysite.com/public_html -type f -name "*.php" -exec chmod +w {} \;

99,99999999% Off hack / security issues with Wordpress are poorly writen plugins. Maybe we should ban the use of plugins?

Changing the permissions to read mode will also make it impossible for unattended upgrade and make sure you Wordpress is at least up to date and the possibility to update the plugins.

It make more sense to block direct execution of *.php. It has been allready done in nginx for 1.4

1 Like

Thank you for your sarcasm. Was it really necessary?

That’s true, I understand that and maybe other sysadmins would prefer to have permissions changed and sacrifice the autoupdate feature that by de way can break the page.

Great news. Maybe this is enough.

True but If I have 50 clients that don’t know to update Wordpress and every they enable this “option” and ask why update doesn’t work it doesn’t make sense.

Most hacks I have seen are with outdated software or just bad written plugins. The first one is just simple keep your website up to date and the second option it harder to solve as it requires basic knowledge of php / wordpress.

Is currently only for Nginx+PHP-FPM for Nginx+Apache2 it makes probally sense to use modrewrite or we have to use an new proxy template or make a new apache2 template that blocks them.

Oh then… I use apache2.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.