• I am running a Linux/Nginx/MariaDB/PHP (LEMP) server with my WordPress install in the root account at /var/www/example.com/. My WordPress is running as the www-data user, and Nginx is also running as the www-data:www-data user/group.

    In my initial setup of WordPress, I first set the Nginx user (www-data) recursively (and insecurely) as the owner of the WordPress root directory by using the following command:

    sudo chown www-data:www-data /var/www/example.com/ -R

    This effectively gives the Nginx user ownership of all of my WordPress files and folders.

    Next, (as recommended by the “hardening-wordpress” guide) I change the permissions of all folders to 755, and all files to 644.

    find /var/www/example.com/ -type d -exec chmod 755 {} \;
    find /var/www/example.com -type f -exec chmod 644 {} \;

    In the WordPress “Changing File Permissions” article, it says that secured permissions for the wp-config.php file are 600. However, in the “hardening-wordpress” guide, it says that secured permissions for wp-config.php files are 400 or 440 (i.e. it generally means a 400 or 440 permission). Which is it, and does it depend on who owns wp-config.php and who owns the rest of the WordPress files?

    It doesn’t say whether file ownership for wp-config.php should be www-data:www-data, root:root, root:www-data, or www-data:root. The hardening guide and the “Changing File Permissions” guide have no mention of proper ownership for the WP files, or for wp-config.php/.htaccess. They only discuss permissions, not ownership.

    This leaves things confusing. To experiment with my specific configuration (everything owned by www-data:www-data so far), I have tried the following to secure my important WordPress files such as wp-config.php:

    EX:1

    sudo chown root:root wp-config.php
    sudo chmod 400 wp-config.php

    This breaks my WordPress installation and gives me a blank white screen when I navigate to my homepage.

    EX:2

    sudo chown root:root wp-config.php
    sudo chmod 444 wp-config.php

    This successfully allows me to see my WordPress homepage, and seems to work.

    EX:3

    sudo chown root:root wp-config.php
    sudo chmod 404 wp-config.php

    This also successfully allows my WordPress installation to work, and I can get to the homepage just fine. However, it also indicates that in order for WordPress to work, it needs the wp-config.php file to allow world-readable permissions. WHY IN THE WORLD IS THAT? Isn’t that insecure? Shouldn’t www-data be the only user that should be able to read this file?

    To prove this theory that world-readable permissions are required, I proceeded to example 4.

    EX:4

    sudo chown root:root wp-config.php
    sudo chmod 004 wp-config.php

    These permissions with root ownership still allow my WordPress installation to work, even though the group root can’t read/write/execute, and the user root can’t read/write/execute.

    Next, I tried something different to understand how group permissions are used.

    EX:5

    sudo chown root:www-data wp-config.php
    sudo chmod 040 wp-config.php

    Again, with the group owner being www-data, and giving www-data read permissions only, this allowed my WordPress installation to work as well. My homepage works just fine with this configuration. This seems like it might be the winner for the most secure permissions/ownership configuration. But I’m not sure I fully understand what the “group” access allows with these permissions. Can the group www-data override the user root in this configuration by any means? Can WordPress, or my root user, write to this file?

    If not (which I assume is what the permissions dictate), then why can I edit this file with nano using my root account on Linux? For example, if a file has ---------- (no permissions whatsoever) permissions on it, then why can my root user use the nano editor to access and write to this file? Shouldn’t ---------- permissions lock the file into the operating system permanently and render it immutable, because nobody is allowed to access or change it? I’m not sure I fully understand or grasp how the root account can override permissions for files that have limited permissions, and I’m not sure of the repercussions of giving wp-config.php group access to www-data and user access to root.

    Could someone please explain to me how all of this works by answering some of these questions, and, with all things considered for my setup (LEMP server), could you please recommend what user ownership/group ownership/permissions I should be using on my wp-config.php, .htaccess, and the rest of my WordPress installation, for my setup to be as restricted and secure as possible without impacting the usability of the WordPress installation itself?

    Any help is much appreciated. Thanks for any explanations, examples, and gained understanding.

    • This topic was modified 1 year, 5 months ago by danrancan.


Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    As long as your server is properly configured to process .php files and not serve them as text files, there’s no problem assigning read permission to all users (as in 644) for .php files. The last digit is for all users’ permissions.

    Whatever is good for all users is also good for groups (middle digit).

    The first digit applies to the file owner only. If it’s 4 (read only), WP will not be able to manage wp-config.php content. This might be acceptable for many users, but WP needs read/write (6) permission to be able to automatically manage certain wp-config.php content.

    Because the read/write only applies to the file owner, IMO, little security is gained by removing owner write permission. It’d only be meaningful if a hacker were able to log in as www-data. If that were to happen, you’re screwed anyway. Not being able to write to wp-config.php would not be much of a hindrance.

    IMO, I think 644 permission is fine for wp-config.php. I assume this does not break anything? No doubt some will beg to differ; that’s fine. Everyone has their own opinion.

    You should be able to use 444 instead if it gives you some peace of mind. Most users don’t need write access once WP is installed and configured.
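The five experiments in the question and the digit-by-digit explanation in the reply both come down to the POSIX permission check the kernel runs on open(). The script below is an added example (not code from the thread, from WordPress, or from the hardening guides) that models that check and replays the experiments without touching a real filesystem. It assumes www-data has uid/gid 33 (Debian's default; any number works) and invents a third local account with uid 1000 that is not in the www-data group, to show who else can read the file. The `docroot` nodes mirror the directory ownership from the question, plus an assumed root-owned alternative for comparison.

```python
"""Simulate the POSIX discretionary access check (DAC) the kernel applies when
a process opens a file.  Added example for this thread, not WordPress code.
It replays the wp-config.php experiments from the question, shows why root can
edit a mode-000 file, and shows what the PARENT directory's bits allow."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

ROOT_UID, ROOT_GID = 0, 0
# Assumed numeric ids for www-data (33 is Debian's default; any value works here).
WWW_UID, WWW_GID = 33, 33


@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()  # supplementary groups


@dataclass(frozen=True)
class Node:
    owner: int
    group: int
    mode: int            # permission bits, e.g. 0o640, or 0o1755 with the sticky bit
    is_dir: bool = False


BITS = {"r": 4, "w": 2, "x": 1}


def _class_bits(proc: Proc, node: Node) -> int:
    """Exactly one class applies: owner if uid matches, else group, else other.
    Classes never combine, so 040 on root:www-data grants www-data read, while
    400 on root:root grants www-data nothing (its 'other' digit is 0)."""
    if proc.uid == node.owner:
        return (node.mode >> 6) & 7
    if proc.gid == node.group or node.group in proc.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can(proc: Proc, node: Node, want: str) -> bool:
    """True if proc may open node for 'r', 'w' or 'x' under plain DAC."""
    if proc.uid == ROOT_UID:
        # CAP_DAC_OVERRIDE: mode bits are ignored for read and write, which is
        # why root can edit a ---------- file in nano.  Execute still needs at
        # least one x bit somewhere (directories are always searchable by root).
        if want in ("r", "w"):
            return True
        return node.is_dir or bool(node.mode & 0o111)
    return bool(_class_bits(proc, node) & BITS[want])


def can_replace(proc: Proc, parent: Node, child: Node) -> bool:
    """Unlinking or renaming over a file needs write+search on the parent
    directory; the file's own bits are irrelevant.  With the sticky bit set,
    only the file's owner or the directory's owner may do it."""
    if proc.uid == ROOT_UID:
        return True
    if not (can(proc, parent, "w") and can(proc, parent, "x")):
        return False
    if parent.mode & 0o1000:
        return proc.uid in (child.owner, parent.owner)
    return True


WWW = Proc(WWW_UID, WWW_GID)      # PHP-FPM / Nginx worker
ROOT = Proc(ROOT_UID, ROOT_GID)   # the admin running sudo nano
OTHER = Proc(1000, 1000)          # assumed: another local account, not in www-data

# The five experiments from the question, plus two commonly recommended layouts.
EXPERIMENTS: Dict[str, Node] = {
    "EX1 root:root 400":     Node(ROOT_UID, ROOT_GID, 0o400),
    "EX2 root:root 444":     Node(ROOT_UID, ROOT_GID, 0o444),
    "EX3 root:root 404":     Node(ROOT_UID, ROOT_GID, 0o404),
    "EX4 root:root 004":     Node(ROOT_UID, ROOT_GID, 0o004),
    "EX5 root:www-data 040": Node(ROOT_UID, WWW_GID, 0o040),
    "www-data:www-data 644": Node(WWW_UID, WWW_GID, 0o644),
    "root:www-data 640":     Node(ROOT_UID, WWW_GID, 0o640),
}


def outcome(node: Node) -> Tuple[bool, bool, bool]:
    """(page renders, www-data can write, other local users can read).
    The first value is the white-screen test: PHP must be able to read."""
    return can(WWW, node, "r"), can(WWW, node, "w"), can(OTHER, node, "r")


def summarize() -> Dict[str, Tuple[bool, bool, bool]]:
    return {name: outcome(node) for name, node in EXPERIMENTS.items()}


# Directory as set up in the question: /var/www/example.com, www-data:www-data, 755.
DOCROOT_AS_POSTED = Node(WWW_UID, WWW_GID, 0o755, is_dir=True)
# Assumed alternative: directory owned by root, group www-data, still 755.
DOCROOT_ROOT_OWNED = Node(ROOT_UID, WWW_GID, 0o755, is_dir=True)


def www_can_swap_config(docroot: Node) -> bool:
    """Even with wp-config.php at root:www-data 040, www-data can delete it and
    drop in a new one if it can write to the directory that contains it."""
    return can_replace(WWW, docroot, EXPERIMENTS["EX5 root:www-data 040"])


if __name__ == "__main__":
    for name, (renders, php_w, other_r) in summarize().items():
        print(f"{name:24} renders={renders!s:5} php-write={php_w!s:5} other-read={other_r}")
    zero = Node(ROOT_UID, ROOT_GID, 0o000)
    print("root read/write on mode 000:", can(ROOT, zero, "r"), can(ROOT, zero, "w"))
    print("www-data can replace wp-config.php, docroot as posted:", www_can_swap_config(DOCROOT_AS_POSTED))
    print("www-data can replace wp-config.php, root-owned docroot:", www_can_swap_config(DOCROOT_ROOT_OWNED))
```

Running it reproduces the thread: EX1 is the only layout where PHP cannot read the file (white screen), EX2 through EX4 render but are readable by the unrelated uid 1000 account, and EX5 (or root:www-data 640) renders while keeping every other user out. The last two lines are the caveat the question did not get an answer to: because /var/www/example.com is owned by www-data, the web worker can unlink wp-config.php and create a replacement no matter how tight the file's own bits are; that only changes when the directory is owned by root. The model covers classic mode bits only, not POSIX ACLs or SELinux/AppArmor.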

  • The topic ‘Proper permissions/ownership for wp-config.php and .htaccess on a LEMP server.’ is closed to new replies.