WordPress Webroot Ownership / Permissions Script

Ok, so I’ve seen a fair amount of “run this script to fix your permissions” posts about, and for a number of reasons I don’t really like them.

Not saying that mine is perfect of course, but the emphasis here is on security.

With all security, you’re always compromising convenience. If you really want to lock down your WordPress file ownership and permissions, give it user:apache and 750/640 permissions throughout. But that won’t do you much good when it comes to installing plugins, etc.

So, here’s what you can do.

NOTE: The outcome of this script (should you read it and use it properly) is that your WordPress web root will be read only to apache (this is how we want it really) and wp-content and below will be writeable by apache (you need this if you want to install plugins or upload media). Having apache write to wp-content is the compromise here, because it’s undesirable for the web process to have write permissions… but we’re balancing security and convenience here. Because apache cannot write anywhere above wp-content, WordPress will NOT be able to update itself. So you’ll need to organise that when the time comes. I might write a post about that, but because it sucks to have apache writing to the webroot, I possibly won’t.

[plain]
#!/bin/bash

## ok, you want to replace my 'dcr226' with whatever user you
## login to your server with. Change all of these settings to suit your system
username="dcr226"
web_user="apache"
web_directory="/var/www/html/wordpress"

# everything owned by your login user, group-owned by the web server's group
chown -R "$username:$web_user" "$web_directory"

# web root: apache (via the group) can read and traverse, but not write
find "$web_directory" -type d -exec chmod 750 {} \;
find "$web_directory" -type f -exec chmod 640 {} \;

# wp-content and below: the one place apache is allowed to write
find "$web_directory/wp-content" -type d -exec chmod 770 {} \;
find "$web_directory/wp-content" -type f -exec chmod 660 {} \;

#selinux stuff because...you should be using it
# read-only label on the web root, read-write label only under wp-content
chcon -R -t httpd_sys_content_t "$web_directory"
chcon -R -t httpd_sys_rw_content_t "$web_directory/wp-content"
# with httpd_unified off, SELinux actually honours the difference between the two labels
# (add -P if you want the boolean to survive a reboot)
setsebool httpd_unified 0
[/plain]
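Once the script has run, the layout tends to drift (a plugin installer or a careless chmod will undo it), so it is worth having something that checks it. The audit function below is an added example, not part of the original script; it assumes GNU find on a Linux host and reports every file or directory that does not match the 750/640 layout (770/660 under wp-content) or the expected owner and group. SELinux labels are not checked.

```shell
# audit_wp_perms WEBROOT OWNER WEBGROUP
# Prints one DEVIATION line per entry that does not match the layout the
# permissions script produces and returns non-zero if anything deviated.
# Assumes GNU find (-printf); symlinks are skipped. Example code, not the
# original script.
audit_wp_perms() {
    local web_directory="$1"   # the WordPress web root
    local username="$2"        # expected owner (your login user)
    local web_user="$3"        # expected group (the web server's group)

    # one record per entry: "mode owner group type path"; the path comes
    # last so read keeps any spaces inside it
    find "$web_directory" \( -type d -o -type f \) -printf '%m %u %g %y %p\n' | {
        bad=0
        while read -r mode owner group type path; do
            case "$path" in
                "$web_directory/wp-content"|"$web_directory/wp-content/"*)
                    # the only subtree apache may write to
                    if [ "$type" = d ]; then want=770; else want=660; fi ;;
                *)
                    # everything else is read-only for apache
                    if [ "$type" = d ]; then want=750; else want=640; fi ;;
            esac
            if [ "$mode" != "$want" ] || [ "$owner" != "$username" ] || [ "$group" != "$web_user" ]; then
                printf 'DEVIATION %s is %s %s:%s, want %s %s:%s\n' \
                    "$path" "$mode" "$owner" "$group" "$want" "$username" "$web_user"
                bad=$((bad + 1))
            fi
        done
        [ "$bad" -eq 0 ]
    }
}
```

Run it as `audit_wp_perms /var/www/html/wordpress dcr226 apache` from cron or after any plugin install; a clean tree prints nothing and exits 0.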