Which folders writable wordpress




















Benjamin is the founder and lead developer of Gambit. When people talk about WordPress security, file permissions and ownership are usually the last thing on their minds. Installing security plugins is a good practice and a must for every WordPress website. Permissions and ownership are quite important in WordPress installations. Setting these up properly on your Web server should be the first thing you do after installing WordPress.

Having the wrong set of permissions could cause fatal errors that stop your website dead. Wrong permissions can also compromise your website and make it prone to attacks. Aside from the security concerns, a number of other issues can stem from having the wrong set of permissions and ownership. Have you ever encountered a blank white screen when trying to load your website for the first time?

Or have you ever received error messages when trying to upload images in the media uploader? Correcting permissions and ownership of your files and folders will often fix these types of problems.

In this article, we will teach you all about WordPress filesystem permissions and ownership: what they are, why they are important and how to set them up. You will learn a few basic principles that I follow to keep my file system intact.

We will also cover the two most common WordPress server configurations. During the course of this article, we will be using the terminal to change permissions and ownership.

Why not use an FTP client instead? The reason is that FTP is a bit limited for our needs. FTP can be used to transfer files and change file and folder permissions, but it cannot be used to change ownership settings. To perform the commands listed in this article, you will have to be logged into your server using the SSH command. Before anything else, we need to quickly talk about what users and groups are, because these go hand in hand when defining permissions.

Kornel gives one such authoritative link below. See also codex. But in the general case, when in doubt, give no write access and certainly no ownership and loosen on a case-by-case basis, not the opposite (principle of least privilege, which you're violating here).

Why is there an auto-update feature if it doesn't even work without changing the permissions?? ManuelSchneid3r, I see some PHP files under wp-content, are these really supposed to be writable by www-data??? That really sounds totally not secure at all. This solution will prevent wordpress from installing 'automatic security updates'. You need to manually run the steps above for each minor wordpress update.

This is not a secure configuration. Setting read permissions on these files has no effect when the apache user also owns the files! Refer to codex. To protect your site against such an attack you should do the following: All files should be owned by your user account, and should be writable by you.

User account is your Linux user (ssh, ftp user, etc.). In this answer and in the accepted answer, should the user (not www-data) be part of the www-data group?

Nope, that is the whole point. Cannot add, nor update plugins. Only when I make www-data the owner of wp-content, does the Wordpress Admin plugin functionality work.

You do NOT want www-data to have write access to the wordpress files, except in wp-content.

With for files, for folders, and chown user:www-data, I was sometimes still having problems with media upload, plugin update, etc. This is not usually the case. All directories should be or All files should be or Exception: wp-config. No directories should ever be given , even upload directories. Since the php process is running as the owner of the files, it gets the owner's permissions and can write to even a directory. Not sure why you got down-voted: it's almost as if people want the top answer to be how to leave the installation insecure!

Link is outdated. The suggested permissions for all the folders are This translates to read, write, and execute permissions for the user and only read and execute permissions for groups and others. The wp-config is one of the most sensitive files in the entire directory since it contains all the information about base configuration and also the database connection information. This means that the user and groups have permission to only read and others will not be able to access the file.

This blank file present in the wp-root hides the entire directory, and without this file, the entire file directory will be naked. The suggested file permission will be This permission gives reading authority to all, including the user and the group.

WordPress file permissions are necessary for securing your account. As already discussed, this is one crucial step for the aforementioned reasons.

Ignoring this step could pose a potential threat to your account. Besides file permissions, there are other security to-dos that you should definitely follow. To make the process simpler, you can use the WP Hardening plugin by Astra. WP Hardening is a one-click security fixer tool for your WordPress website. To ensure even advanced security, deploy Astra on your website.

In your post you have written the wp-includes folder will have permission, but it will not work to load the site.

Please suggest if I am wrong…. Which directory should be writable to update correctly and keep it as secure as possible? Unfortunately there is no 'one size fits all' according to the Codex.

It may depend on your host.


