[spinozarabel]

Based on all the reading and agonizing on my own sites and after having been hacked I have come up with the above list that includes permissions for a security plugin for WordPress called Wordfence. (Not affiliated with it)

In our example, the wordpress document root is
/var/www/html/example.com/public_html

Open up the permissions so that www-data can write to the document root as follows:

cd /var/www/html/example.com
sudo chown -R www-data:www-data public_html/

Now from the dashboard in your site, as an admin you can perform updates.

Secure Site after Updates are finished by following these steps:

sudo chown -R wp-user:wp-user public_html/

The above command changes permissions of everything in the wordpress install to the wordpress FTP user.

cd public_html/wp-content
sudo chown -R www-data:wp-user wflogs
sudo chown -R www-data:wp-user uploads

The above command ensures that the security plugin Wordfence has access to its logs. The uploads directory is also writeable by www-data.

cd plugins
sudo chown -R www-data:wp-user wordfence/

The above command also ensures that the security plugin has required read write access for its proper function.

Directory and Files Permissions

# Set all directories permissions to 755
find . -type d -exec chmod 755 {} \;

# Set all files permissions to 644
find . -type f -exec chmod 644 {} \;

Set the permissions for wp-config.php to 640 so that only wp-user can read this file and no one else. Permissions of 440 didn’t work for me with above file ownership.

sudo chmod 640 wp-config.php

WordPress automatic updates using SSH were working with fine with PHP5 but broke with PHP7.0 due to problems with php7.0-ssh2 bundeld with Ubuntu 16.04 and I couldn’t find how to install the right version and make it work. Fortunately a very reliable plugin called ssh-sftp-updater-support (free) makes automatic updates using SFTP possible without need for libssh2. So the above permissions never have to be loosened except in rare cases as needed.

[Author]

Posts