Wordpress permissions folders

middo · May 25, 2021, 7:30pm

Hello ,

I just installed hestiacp on my server and then i moved my wordpress site on it (ftp and mysql) .

The problem comes when i want to update / install plugins and upload files / images , no permissions to do that .

I have try chmod 755 / 777 from ssh with root user for folders and no results . Can anyone help me ?thx

jlguerrero · May 25, 2021, 7:35pm

Can you please share a screenshot? We need to know what is complaining about permissions and how.

If you have done that, then it might be something else. With that permissions the user www-data should read and write and therefore it should work…

middo · May 25, 2021, 8:22pm

“Folder can not be created”
Or
“The file can’t be uploaded”

middo · May 25, 2021, 8:22pm

pluto · May 26, 2021, 4:06am

Correct permissions for wordpress eg for user bob and site mysite.com

cd /home/bob/web/mysite.com/public_html 
# double check you're in the right directory! 
chown -R bob:bob * 
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

middo · May 26, 2021, 9:39am

Thanks , solved .

jlguerrero · May 26, 2021, 10:29am

Use permissions to harden WP security

To avoid infections maybe we could have an option in the panel to toggle (activate/deactivate) write permissions on files and directories

#set read only
find /home/bob/web/mysite.com/public_html -type d -exec chmod -w {} ;
find /home/bob/web/mysite.com/public_html -type f -exec chmod -w {} ;

#normal permissions
find /home/bob/web/mysite.com/public_html -type d -exec chmod +w {} ;
find /home/bob/web/mysite.com/public_html -type f -exec chmod +w {} ;

We could exclude cache folders and wordpress uploads maybe or only change permissions for php files.
#read-only permissions
find /home/bob/web/mysite.com/public_html -type f -name "*.php" -exec chmod -w {} \;

#normal permissions
find /home/bob/web/mysite.com/public_html -type f -name "*.php" -exec chmod +w {} \;

eris · May 26, 2021, 11:23am

99,99999999% Off hack / security issues with Wordpress are poorly writen plugins. Maybe we should ban the use of plugins?

Changing the permissions to read mode will also make it impossible for unattended upgrade and make sure you Wordpress is at least up to date and the possibility to update the plugins.

It make more sense to block direct execution of *.php. It has been allready done in nginx for 1.4

github.com

hestiacp/hestiacp/blob/88bc0a93fb85831e1540e54e0be05c308e2a5142/install/deb/templates/web/nginx/php-fpm/wordpress.tpl#L33-L36

    
      
          location ~* /(?:uploads|files)/.*.php$ {
              deny all;
              return 404;
          }

jlguerrero · May 26, 2021, 11:31am

Thank you for your sarcasm. Was it really necessary?

That’s true, I understand that and maybe other sysadmins would prefer to have permissions changed and sacrifice the autoupdate feature that by de way can break the page.

Great news. Maybe this is enough.

eris · May 26, 2021, 11:41am

True but If I have 50 clients that don’t know to update Wordpress and every they enable this “option” and ask why update doesn’t work it doesn’t make sense.

Most hacks I have seen are with outdated software or just bad written plugins. The first one is just simple keep your website up to date and the second option it harder to solve as it requires basic knowledge of php / wordpress.

Is currently only for Nginx+PHP-FPM for Nginx+Apache2 it makes probally sense to use modrewrite or we have to use an new proxy template or make a new apache2 template that blocks them.

jlguerrero · May 26, 2021, 12:54pm

Oh then… I use apache2.

system · June 25, 2021, 12:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.