Ok, so I’ve seen a fair amount of “run this script to fix your permissions” posts about, and for a number of reasons I don’t really like them.

Not saying that mine is perfect of course, but the emphasis is trying to be around security.

With all security, you’re always compromising convenience. If you really want to secure your WordPress file ownership and permissions. Give it user:apache and 750/640 permissions throughout. But it won’t do you much good when it comes to installing plugins, etc.

So, here’s what you can do.


The outcome of this script (should you read it and use it properly) is that your t will be read-only to apache (this is how we want it really) and wp-content and below will be writeable by apache (you need this if you want to install plugins, upload media).

Having apache write to wp-content is the compromise here because it’s undesirable for the web process to have write permissions…but we’re balancing security and convenience here.

Because apache cannot write to a directory higher than wp-content, then it will NOT be able to update itself. So you’ll need to organise that when the times comes. I might write a post about that, but because it sucks to have apache writing to the webroot, I possibly won’t




## ok, you want to replace my ‘dcr226’ with whatever user you

## login to your server with. Change all of these settings to suit your system




chown -R $username:web_user $web_directory

find $web_directory -type d -exec chmod 750 {} ;

find $web_directory -type f -exec chmod 640 {} ;

find $web_directory/wp-content -type d -exec chmod 770 {} ;

find $web_directory/wp-content -type f -exec chmod 660 {} ;

#selinux stuff because…you should be using it

chcon -R -t httpd_sys_content_t $web_directory

chcon -R -t httpd_sys_rw_content_t $web_directory/wp-content

setsebool httpd_unified 0