File Permissions: Be Aware !
#What is File Permission?
There are all together 3 operations that are done in any file & directory: read, write & execute. So, file permissions specify who and what can perform these operations.
#File Permissions as a structure
Generally speaking, there are two categories that need to be considered when viewing file permissions: Actions and user groups.
Actions your site’s plugins and files can make are:
- Read– allows access to a file to view its contents only
- Write– allows the file to be changed
- Execute– gives access to a file in order to run the programs or scripts that are contained in it
The user groups of the actions can be:
- User – you as the owner of your site
- Group – other users that can also have access to the files you choose such as the members of your site
- World – anyone with an internet connection who tries to view your files
File permissions are primarily viewed as three consecutive numbers:
- First number– the access to file actions granted to the user
- Second number– the file access given to the group
- Third number – the amount of file access given to the world
To come up with these numbers, a value is given to each possible action combination:
- 0– no access
- 1– execute
- 2– write
- 3– write and execute
- 4– read
- 5– read and execute
- 6– read and write
- 7– read, write and execute
This being the case, the greatest amount of access you can grant is 777 where the user, group and world have access to read, write and execute files.
#777- risky file permission
With permissions of 777 this means that anyone who is a user on the same server can read, write to and execute the file. In the case of a folder, anyone who is a user will be able to copy files to it. This obviously sounds dangerous if you are using a shared server for your website, which is the case for many personal and small business websites. Normally such servers host thousands of websites, meaning that there are thousands of users. For this reason, the normal safe permissions are considered to be 644 for a file and 755 for a folder. Depending on the way PHP is run on your server, PHP scripts will normally not run with permissions above 755 for security reasons.
I do not think that it is ever acceptable for a PHP developer to create an open folder or file and leave it like that. If you are a PHP developer and you really want 777 permissions in order to handle file operations, use chmod to change the permissions temporarily. Then, when you have finished your operation, change them back again. Do this even if you think that you have deleted the file, just in case you haven’t. Any open folder is a potential entry point for an attacker, even if you think it is not exploitable. There are some very clever people out there who make it their business to find weaknesses in websites, some of them are certainly cleverer than you – and me.
chmod(“/somedir/somefile”, 755); // decimal; probably incorrect
chmod(“/somedir/somefile”, “u+rwx,go+rx”); // string; incorrect
chmod(“/somedir/somefile”, 0755); // octal; correct value of mode
#What Permissions Should be Used?
If you set up your WordPress site on your own, chances are your file permissions are set correctly. If you find you’re getting permission errors or your site wasn’t set up by you, then it’s time to think about changing your file permissions.
Each plugin will have different needs as far as file permissions go depending on the purpose of the plugin, and your file and folder permissions will depend on your hosting setup.
If you run your own server, you can typically run your site just fine with these general guidelines recommended by the WordPress Codex:
- Folders – 755
- Files – 644
For the most important files you have in your WordPress installation such as wp-config.php, you can set the permission to 600 if you desire.
The .htaccess file is an exception since it needs to be accessed by WordPress if you want the file to be automatically updated. The recommended setting is 644. If you would like this file to be more secure you can set it to 604 in most cases.