Wordpress Archives - Derrick Smith

File permissions on computer systems have long been the go-to security mechanism to protect files and restrict access for authorized use only but file permissions can only work when they are configured correctly. WordPress, like all other client/server web content platforms has files that are presented to a webserver which makes them accessible to a browser. These files, if configured incorrectly, can introduce malware into WordPress sites or provide attackers a way to escalate privileges.

WordPress.org publishes strict hardening guidance around file permissions here. To make configuring WordPress permissions easier, I wrote a script to automate the process.

For this script to work, I made a few assumptions about your environment:

Your web server is Apache installed on a Linux operating system
The root directory for your WordPress installation is located at /var/www/{virtual_host}/

To Run the script, supply the virtual host folder on the command line as a script parameter.

You can find the script below.

https://github.com/derricksmith/wordpress/blob/master/Permissions/wordpress.sh

!/bin/bash
SITE_FOLDER=$1
echo "Change owner on all sites"
echo ""
echo "chown -R -F www-data:www-data /var/www"
chown -R -f www-data:www-data /var/www
echo "Securing the entire site $SITE_FOLDER"
echo ""
echo "chmod 755 -type d /var/www/$SITE_FOLDER"
find /var/www/$SITE_FOLDER -type d -exec chmod 755 {} \;
echo "chmod 755 -type f /var/www/$SITE_FOLDER"
find /var/www/$SITE_FOLDER -type f -exec chmod 644 {} \;
echo "chmod 640 /var/www/$SITE_FOLDER/.php" chmod 640 /var/www/$SITE_FOLDER/.php
echo "chmod 640 -type f /var/www/$SITE_FOLDER/wp-admin"
find /var/www/$SITE_FOLDER/wp-admin -type f -exec chmod 640 {} \;
echo "chmod 640 -type d /var/www/$SITE_FOLDER/wp-admin"
find /var/www/$SITE_FOLDER/wp-includes -type f -exec chmod 640 {} \;
echo "chmod 440 /var/www/$SITE_FOLDER/.htaccess"
chmod 644 /var/www/$SITE_FOLDER/.htaccess
echo "chmod 766 /var/www/$SITE_FOLDER/sitemap." chmod 766 /var/www/$SITE_FOLDER/sitemap.
echo "chown -R www-data:www-data /var/www/$SITE_FOLDER/wp-content/uploads"
chown -R -f www-data:www-data /var/www/$SITE_FOLDER/wp-content/uploads
chmod 777 -R /var/www/$SITE_FOLDER/wp-content/uploads
find /var/www/$SITE_FOLDER/wp-content/uploads -type f -exec chmod 660 {} \;
chmod 770 -R /var/www/$SITE_FOLDER/wp-content/upgrade
chmod 750 -R /var/www/$SITE_FOLDER/wp-content/plugins
find /var/www/$SITE_FOLDER -name 'index.php' -exec chmod 640 {} \;
echo "Done"

If this script helped you with your WordPress permissions please leave me a comment below.

I recently needed a BuddyPress compatible Wiki component for a project and couldn’t exactly find what I needed with the available plugins in the WordPress repository. The first solution I found was BuddyPress Docs, which is a great plugin but was overly complicated for what I needed. The second solution I found was the Buddypress Wiki Component (bp-wiki). This plugin seemed to fulfill all of my requirements but it had a few bugs. Support for the plugin was lacking and the developer hadn’t updated it in over 2 years. Numerous people had opened support threads indicating it was not compatible with the latest version of WordPress. As a result, I downloaded the plugin and got to work. At this point, I’ve updated the plugin to be compatible with WordPress 3.8+. The frontend editor has been updated to use the wp_editor function in WordPress and javascript has been fixed to allow for inserts and updates to wiki entries. With the permission of the original developer, I’ve placed the updated code on GitHub. You can find the updated code here.