
WordPress file permissions

After disabling php-cgiwrap, I got in the bad habit of chmod’ing files and directories to 777. Bad idea. A helpful reminder about WordPress file permissions and security got me back in line with 755 for directories, 644 for plugins and core WP PHP files, and 666 for my active theme files.

In so doing, I've had to disable WP-Cache, but the site has been peachy since I switched back to the PHP Apache module (the default), so I think performance and availability will be fine.

Related security tidbit: Using require() with an external file to increase security on wp-config.php’s database password storage.

Update: WP-Cache security

I decided it would be prudent to enable WP-Cache. In its default configuration it's unnecessarily insecure, so here are two steps you can take.

These steps apply only if your HTTP daemon runs as a shared user such as www or nobody rather than as your own user. If Apache runs as you, everything can be 700 and 600.

  1. Keep wp-content/ chmod’ed to 755.
    • Initially, you must chmod wp-content/ to 777 so the WP-Cache plugin can write wp-cache-config.php.
    • After wp-cache-config.php is created in wp-content/:
      • Chmod wp-content/ to 755
      • Chmod wp-content/wp-cache-config.php to 666.
      • Change line 430 of wp-content/plugins/wp-cache/wp-cache.php to the following, so the plugin only insists on a writable wp-content/ while the config file still has to be created:
        if ( !file_exists($wp_cache_config_file) && !is_writable($dir)) {

  2. Secure the wp-content/cache/ directory
    • Chmod wp-content/cache/ to 777 (this is unavoidable)
    • Place the following .htaccess file in wp-content/cache. (This keeps the cache directory from being served over the Web. If anyone else on your shared hosting box writes files into this world-writable directory, those files won't be reachable through your site, so they can't steal your bandwidth. Yes, this is a fringe scenario, but that's kinda what security is about.)
      Options -Indexes
      <Files *>
              order deny,allow
              deny from all
      </Files>
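As an added example (not code from this post or from the WP-Cache plugin), here is the whole procedure above as a POSIX shell script: the baseline 755/644 pass, the two WP-Cache steps, and an audit that lists any world-writable path the scheme does not call for. The script name wp-perms.sh and the function names are hypothetical. It assumes the site owner owns the files and Apache runs as a shared user, and it departs from the post in one place: cache/ gets 1777 rather than 777, so another local user who drops files into the directory cannot delete or rename the .htaccess that hides them from the Web.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the post or WP-Cache) that applies
# the permission scheme described in the post to a WordPress tree, then audits it.
# Assumes the site owner owns the files and Apache runs as a shared user (www/nobody).

# Baseline from the post: 755 on directories, 644 on files.
wp_base_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Step 1. Once WP-Cache has written wp-content/wp-cache-config.php (which needs
# wp-content/ at 777 briefly), drop wp-content/ back to 755 and leave only the
# config file writable by the web user. Refuses to run before that file exists.
wp_cache_config_perms() {
    root=$1
    cfg="$root/wp-content/wp-cache-config.php"
    if [ ! -f "$cfg" ]; then
        echo "$cfg missing: chmod wp-content/ 777, enable WP-Cache, then re-run" >&2
        return 1
    fi
    chmod 755 "$root/wp-content" && chmod 666 "$cfg"
}

# Step 2. cache/ has to be world-writable. The post uses 777; 1777 (sticky bit)
# is used here instead so that only the owner of an entry (or of the directory)
# can remove it, which protects the .htaccess from other local users.
wp_cache_dir_perms() {
    root=$1
    cache="$root/wp-content/cache"
    mkdir -p "$cache" || return 1
    chmod 1777 "$cache" || return 1
    cat > "$cache/.htaccess" <<'EOF'
Options -Indexes
<Files *>
    order deny,allow
    deny from all
</Files>
EOF
    chmod 644 "$cache/.htaccess"
}

# Audit: list every world-writable path except the ones the scheme deliberately
# allows (cache/ and its contents, wp-cache-config.php, and the active theme files
# the post keeps at 666). Returns 1 if anything else is world-writable.
wp_audit_world_writable() {
    root=$1
    bad=$(find "$root" -perm -002 \
        ! -path "$root/wp-content/cache" \
        ! -path "$root/wp-content/cache/*" \
        ! -path "$root/wp-content/wp-cache-config.php" \
        ! -path "$root/wp-content/themes/*")
    if [ -n "$bad" ]; then
        printf 'unexpected world-writable:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage (hypothetical script name): sh wp-perms.sh /path/to/wordpress
if [ $# -eq 1 ]; then
    wp_base_perms "$1"
    wp_cache_config_perms "$1"
    wp_cache_dir_perms "$1"
    wp_audit_world_writable "$1"
fi
```

Run the audit again after any plugin or theme upgrade; upgrade scripts run as the web user tend to loosen modes. One caveat on the .htaccess: `order` and `deny from` are Apache 2.2 directives that 2.4 only honours through mod_access_compat, so on a 2.4 host without that module write `Require all denied` in place of those two lines.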