Forum Replies Created

Viewing 1 post (of 1 total)
  • Author
    Posts
  • in reply to: Correct file permissions for WordPress #9989
    blankdon-dilanga
    Participant

    It actually depends on the plugins you plan to use, as some plugins change the root document of WordPress. But generally I recommend something like this for the WordPress directory.

    This will assign “root” (or whatever user you are using) as the user of every single file/folder. R means recursive, so it doesn’t just stop at the “html” folder. If you didn’t use R, then it would only apply to the “html” directory.

    sudo chown -R root:www-data /var/www/html  
    

    This will set the owner/group of “wp-content” to “www-data”, thus allowing the web server to install plugins through the admin panel.

    chown -R www-data:www-data /var/www/html/wp-content
    

    This will set the permission of every single file in the “html” folder (including files in subdirectories) to 644, so outside people can’t execute or modify any file, the group can’t execute or modify any file, and only the user is allowed to modify/read files, but even the user can’t execute any file. This is important because it prevents any kind of execution in the “html” folder. Also, since the owner of the html folder and all other folders except the wp-content folder is “root” (or your user), www-data can’t modify any file outside of the wp-content folder, so even if there is a vulnerability in the web server and someone gains unauthorized access to the site, they can’t delete anything of the main site except the plugins.

    sudo find /var/www/html -type f -exec chmod 644 {} +
    

    This will restrict access to “wp-config.php” to the user/group, with rw-r----- permissions.

    chmod 640 /var/www/html/wp-config.php
    

    And if a plugin or update complains that it can’t update, then log in over SSH and use this command to grant temporary permission to “www-data” (the web server) to update/install through the admin panel, and then revert back to “root” or your user once it’s completed.

    chown -R www-data /var/www/html
    

    And in Nginx (same procedure for Apache), to protect the wp-admin folder from unauthorized access and probing: apache2-utils is required for encrypting the password even if you have nginx installed. Omit c if you plan to add more users to the same file.

    sudo apt-get install apache2-utils
    sudo htpasswd -c /etc/nginx/.htpasswd userName
    

    Now visit this location

    /etc/nginx/sites-available/
    

    Use this code to protect the “wp-admin” folder with a password. Now it will ask for the username/password if you try to access “wp-admin”. Notice that here you use the “.htpasswd” file, which contains the encrypted password.

    location ^~ /wp-admin {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        index  index.php index.html index.htm;
    }
    

    Now restart nginx.

    sudo /etc/init.d/nginx restart
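
To check that a document root actually matches the scheme in the post above (files at 644, wp-config.php at 640, nothing outside wp-content owned by the web server user), an audit function like the following can be run over it. This is an added example, not part of the original post; the function name `audit_wp_perms` and its output format are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against
# the ownership and mode scheme described in the post above.
# Usage: audit_wp_perms DIR [WEB_USER]   (WEB_USER defaults to www-data)
# Prints one finding per line; returns 0 when clean, 1 when anything is off.
audit_wp_perms() {
    root=${1%/}
    web_user=${2:-www-data}
    findings=$(
        # Regular files (other than wp-config.php) must be exactly 644.
        find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 \
            -exec printf 'MODE  %s (expected 644)\n' {} \;
        # wp-config.php must be exactly 640.
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 640 \
                -exec printf 'MODE  %s (expected 640)\n' {} \;
        fi
        # Outside wp-content nothing should belong to the web server user;
        # a hit here usually means the temporary chown was never reverted.
        find "$root" -path "$root/wp-content" -prune -o \
            -user "$web_user" -exec printf 'OWNER %s (owned by web user)\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run it as `audit_wp_perms /var/www/html` after an update through the admin panel to confirm that ownership was reverted and no file picked up an execute or write bit.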
    