I’ve written about WordPress Security before, but if you really want to take your website’s security to the next level, you need to start looking at file and folder permissions, and the owner of said files and folders.
This one’s a technical doozy, so try and stick with me, and I’ll be as clear as I can!
Some Background on Permissions
You’ll see the recommendation that your folders should have permissions of 755, and your files should be set at 644, but what do those numbers even mean?
Permissions are based on binary. If you want to read up on binary, feel free to Google it, but let’s start by simply counting to seven in binary:
Decimal: 1, 2, 3, 4, 5, 6, 7
Binary: 1, 10, 11, 100, 101, 110, 111
Permissions are used to dictate what’s “allowed” for three different groups – owner, group, everybody else. The first number is for the owner, the second for the group, and the third for everyone else (other). Here’s a breakdown of what 755 would mean, for a folder or file.
(Remember, 7 in decimal is 111 in binary; and 5 in decimal is 101 in binary.)
In this example, you can see exactly how permissions generate allowances for the owner, group, and everyone else: each binary digit is one switch, and the three switches in each group are, from left to right, read, write and execute. So 755 gives the owner read, write and execute (111), and gives the group and everyone else read and execute but not write (101).
1 and 0 work like a switch. 1 means the switch is on. 0 means the switch is off.
As mentioned above, the suggestion is to set all folders at 755, and all files at 644.
Who’s the User? Who’s the Group?
When you set up permissions on your files and folders, you’ll use a command like this (unless you’re using shared hosting, in which case you would not do this):
chown user:group /path/to/file
chown = change owner. You’re actually changing the owner and the group in one command, if you do it the way it’s listed above. If you set up your site with a product like Easy Engine (which I love!), then the ownership will be www-data:www-data.
The “www-data” user is the web server process. If you’re using Easy Engine, that means nginx is your web server, and it will own all files. There’s always the possibility that if someone can hack your site and gain control of the web server, they’ll now have control of all the files and folders your web server owns.
Although you could change the owner:group to “yourusername:anothergroup”, you’d then have the issue of not being able to upload images to your site (the webserver needs to own the “uploads” folder for images to be written to it) or do automatic plugin updates.
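Here is an added shell example (my own, not from the original post) that ties the two sections together: it decodes an octal mode digit by digit into the read/write/execute switches described above, then audits a web root against the 755/644 recommendation and lists anything not owned by the account the web server runs as. The tree it builds under /tmp is constructed for the demo and the www-data default is only an assumption that matches an EasyEngine install.

```sh
# Constructed example (not from the original post): decode an octal mode the
# way the article describes (each digit is three on/off switches: read=4,
# write=2, execute=1) and audit a web root against the 755/644 recommendation.

# One octal digit (0-7) -> rwx string, '-' for every switch that is off.
perm_digit_to_rwx() {
  d=$1; r='-'; w='-'; x='-'
  [ $((d & 4)) -ne 0 ] && r='r'
  [ $((d & 2)) -ne 0 ] && w='w'
  [ $((d & 1)) -ne 0 ] && x='x'
  printf '%s%s%s' "$r" "$w" "$x"
}

# Three-digit mode (owner, group, other) -> ls-style string: 755 -> rwxr-xr-x
mode_to_rwx() {
  m=$1; u=${m%??}; rest=${m#?}; g=${rest%?}; o=${m#??}
  printf '%s%s%s' "$(perm_digit_to_rwx "$u")" \
    "$(perm_digit_to_rwx "$g")" "$(perm_digit_to_rwx "$o")"
}

# Every file that is not exactly 644 and every directory that is not exactly
# 755 under the web root, one path per line (POSIX find, exact-mode match).
find_perm_violations() {
  find "$1" -type f ! -perm 644 -print
  find "$1" -type d ! -perm 755 -print
}

# Number of violations; a non-zero result is what a cron check would alert on.
count_perm_violations() {
  find_perm_violations "$1" | wc -l | tr -d ' '
}
# Paths not owned by the account the web server runs as (assumed www-data, as on
# an EasyEngine install); an unexpected owner usually means an out-of-band write.
find_unexpected_owner() {
  find "$1" ! -user "${2:-www-data}" -print
}
# Stand-alone demo on a small constructed tree, not a real site.
demo() {
  t=${TMPDIR:-/tmp}/wpperm-demo.$$
  mkdir -p "$t/wp-content/uploads"
  : > "$t/wp-config.php";                chmod 644 "$t/wp-config.php"
  : > "$t/wp-content/uploads/loose.php"; chmod 666 "$t/wp-content/uploads/loose.php"
  chmod 755 "$t" "$t/wp-content";        chmod 777 "$t/wp-content/uploads"
  echo "755 = $(mode_to_rwx 755), 644 = $(mode_to_rwx 644)"
  echo "violations: $(count_perm_violations "$t")"   # 2
  find_perm_violations "$t"
  rm -rf "$t"
}
demo
```

On a real site, run find_perm_violations and find_unexpected_owner against the WordPress root and review every hit before changing anything; the uploads folder and automatic updates still need to be writable by the web server, as the section above explains.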
So Who Should Own What?
It’s hard for me to say. I like for the web server (www-data) to own the site files, because then the convenience of WordPress (which is why we’re using it, right?) shines through. However, letting www-data own the files and folders introduces security risks to your server that could be avoided by… not using WordPress?
I’ll be looking into WordPress alternatives in the near future, to see if there’s something as easy and expandable as WordPress, but without the heft of PHP and security risks involved with the most popular CMS on the web.