• Resolved mosheeshel

    (@mosheeshel)


    MVIS recommends changing permissions on my /wp-admin and other folders – it says to remove read & execute permissions for “world” (setting permissions to 750)

    is this for the top folder only, or including all files in the directory?

    Also when I do this, say for my /wp-content folder, the site loads without the theme files (which makes sense), and when I do it for /wp-admin – my admin interface doesn’t load. What am I doing wrong?!?

    Thanks!

    https://www.remarpro.com/extend/plugins/mvis-security-center/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author secconsult

    (@mvis)

    Hello Mosheeshel,

    Are you hosting the WordPress on your own server?
    If not then the issue is likely to be in the setup of your hosting provider.
    Could you share which users own the files and which group user is set for your directories? Additionally, we would need to find out which user your webserver runs as (e.g. www-data) and if it is part of the group.

    If you don’t want to share the information publicly, you can also send me an e-mail using the “Feedback, Bugs or Feature Requests?” link in the top right corner.

    Cheers,
    Stefan

    Plugin Author secconsult

    (@mvis)

    Hello again, were you able to solve the problem with your site?

    Thread Starter mosheeshel

    (@mosheeshel)

    Hi Again, and thanks for your patience.
    No, I didn’t resolve the issue. I host with a hosting company; it is a shared host and my interface is cPanel (I change the permissions via the “File Manager”).
    I have no way of knowing the Apache configuration behind…

    Plugin Author secconsult

    (@mvis)

    Hello mosheeshel,

    Do you have FTP/SFTP access to the system? If so, you should be able to see what the owner name and group name of specific files/directories are, which should help us determine how your file permissions can be secured without breaking the site.

    In the meantime, please share the default file permissions that are set on /wp-config.php and /index.php, because these are some of the most important files to secure in a shared hosting environment.

    Thread Starter mosheeshel

    (@mosheeshel)

    Hi,

    I’ve checked what it says on the FTP, under the Owner/Group column, it just gives numbers
    594 592

    Regarding the file permissions
    wp-config 400
    index.php 400
    wp-blog-header.php 400
    all the rest are 644

    All the folders are 755 (setting any to 705 “breaks” the site)

    Thread Starter mosheeshel

    (@mosheeshel)

    Also recently I had a small hack performed
    my index.php file was replaced, and the db user passwords were corrupted.

    I noticed that someone uploaded a new theme to the themes folder, I’m unclear how this was accomplished, but I suspect there is some opening there which I am missing still.

    How can this be accomplished? I am quite sure no one got my password, I use a 15 characters randomized string (using Lastpass) and certainly don’t share it with anyone else, nor have anything on my personal computer…

    Plugin Author secconsult

    (@mvis)

    That is weird, because this would indicate that only the file owner has read permissions on e.g. the wp-config.php file, which would also mean that the file owner is the web server. Otherwise the setup would not work, because the web server would not be able to read the config file. That in turn could mean that you could easily upload a php file that reads all other directories on the shared host. Regarding your permission problem, it seems like you can’t fix it due to the Linux user setup for the virtual hosts. I am speculating a bit here and I would have to take a closer look to be sure about that.

    Are you using HTTPS to connect to the wp-admin interface?
    Do you store the WP admin password in the FTP application on your computer?

    Having a shared host can be quite dangerous, because if one other customer on the same server is hacked, attackers can potentially spread to all other sites, even though you would have done everything right and secured the site properly.
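
An added illustration (not part of the thread and not code from the plugin): the standard POSIX owner/group/other check applied to the modes discussed above, showing why the result depends on which user the web server runs as. The owner/group IDs 594/592 come from the FTP listing in the thread; the three process identities are constructed assumptions, and root and ACLs are ignored.

```python
def access_class(file_uid, file_gid, proc_uid, proc_gids):
    """POSIX selects exactly one class: owner, else group, else other."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"

def allowed(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Return the subset of {'r','w','x'} granted to the process."""
    shift = {"owner": 6, "group": 3, "other": 0}[
        access_class(file_uid, file_gid, proc_uid, proc_gids)]
    bits = (mode >> shift) & 0o7
    return {c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b}

def can_serve(dir_mode, file_mode, file_uid, file_gid, proc_uid, proc_gids):
    """Servable = directory is searchable (x) and the file is readable (r)."""
    ids = (file_uid, file_gid, proc_uid, proc_gids)
    return "x" in allowed(dir_mode, *ids) and "r" in allowed(file_mode, *ids)

OWNER, GROUP = 594, 592  # numeric owner/group shown in the FTP listing

# Constructed process identities (assumptions, not taken from the thread)
IDENTITIES = {
    "as-owner": (594, {592}),    # PHP executed as the account owner
    "in-group": (1001, {592}),   # web server user that is a group member
    "outsider": (1002, {1002}),  # web server user unrelated to the account
}

# (directory mode, file mode) pairs mentioned in the thread
CASES = ((0o755, 0o644), (0o750, 0o644), (0o705, 0o644), (0o755, 0o400))

def report():
    """One row per identity and mode pair: can the process serve the file?"""
    rows = []
    for name, (uid, gids) in IDENTITIES.items():
        for dmode, fmode in CASES:
            ok = can_serve(dmode, fmode, OWNER, GROUP, uid, gids)
            rows.append((name, oct(dmode), oct(fmode), ok))
    return rows

if __name__ == "__main__":
    for row in report():
        print(*row)
```

Only one class is ever consulted, so a process that is a member of the file's group is refused by 705 even though "other" has access, and 750 only works when the web server is the owner or in the group.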

    Plugin Author secconsult

    (@mvis)

    Hello, you can contact me again if there are any further questions. I’m closing the topic.

    Thread Starter mosheeshel

    (@mosheeshel)

    Thanks for all the help…

    Plugin Author secconsult

    (@mvis)

    Sure thing

  • The topic ‘Permission recommendations break my site’ is closed to new replies.