What should the permissions be? Really!

I think it depends on how you use WP. Some recommended permissions are listed here but that’s all the help I can give you I’m afraid.

The link that finkyfeke gave should help you, but unfortunately it is very dependant on how your web hosting is configured as to what permissions will work best (and be most secure).

There is no way to give a generic set of permissions like that, because the correct permissions depend entirely on how your web host is configured.

A good general principle is to start out with everything at 644, and then increase them to the minimum needed to make specific things work when you need them to work.

The “safest” set of permissions is always “the lowest permissions that still work”. ??

You have to choose between security and convenience.

Tim

Those who choose convenience over security, deserve neither security nor convenience!
~~ Benny “the orginal wordpresser” Franklin

Sorry I couldn’t resist. Having said that, is there a reson why the WP-SUPERCACHE plugin I believe) says that the ‘root’ directory for the site root should not be writable by the anyone including the owner? This of course make upgrading difficult, but beyond that, why?

So I find this interesting. The software has these great features but only if you reduce your security (at least temporarily). Otherwise they don’t work and in most cases don’t even tell you why.

If they are going to continue with this model, if it is in fact true, I do like the approach that some plugins use where they notify you of their inability to function and ask for credentials so they can.

As a software developer I find the model incomplete and lacking. That said the benefits of WordPress far out way this deficiency.

Thanks all who have added to this thread.

Otherwise they don’t work and in most cases don’t even tell you why.

Actually, most of the time it does check and does tell you why it won’t work.

A few quick examples:

– If you change your permalinks, it creates an .htaccess for you. If it is unable to do so, it gives you the .htaccess rules instead and tells you to put them in the file yourself.

– If you try to use the theme or plugin editor, and the file is not writable, then it will give you the file, but also a message saying “if this file was writable then you could edit it”.

– The plugin updater works in one of two ways. If it can’t write the files itself, then it tries to FTP to itself by asking the user for FTP credentials.

The software has these great features but only if you reduce your security (at least temporarily).

I take some exception to that… There’s security and then there is paranoia. Security is not a matter of “improved” or “reduced” in any meaningful sense by making a few changes. That’s oversimplification of reality.

If I make a file world writable, then it doesn’t affect my security in any way if the world still has no access to my system. Securing a system is far more complex than a set of rules that you have to follow. People like those sets of rules because they’re easy to understand, but they then get the mistaken impression that the rules must be followed, because anything less is “less secure”. It’s not true and it’s the wrong way to think about security, because it leads people into doing stupid things for no good reason.

This is what I did on mine based on all the stuff I read and it worked pretty well so far on a Media Temple host.

So like Otto basically said… chmod the entire root to 644 and work your way up from there.

For Directories
chmod 755;

For Files
chmod 644;

**** REQUIRED FOR WP-SUPER-CACHE/ I tried 755 to no avail ****
/wp-content/ 777
/wp-content/wp-cache-config.php 666

wp-config 600
.htaccess 666

IMPORTANT— according to the wordpress doc
You have to omit to use this command for /wp-includes/
Usually 444