Tag: wordpress


File permissions on computer systems have long been the go-to security mechanism to protect files and restrict access to authorized use only, but file permissions only work when they are configured correctly. WordPress, like all other client/server web content platforms, has files that are presented to a web server, which makes them accessible to a browser. If these files are configured incorrectly, they can let malware into a WordPress site or give attackers a way to escalate privileges.

WordPress.org publishes strict hardening guidance around file permissions here. To make configuring WordPress permissions easier, I wrote a script to automate the process.

For this script to work, I made a few assumptions about your environment:

  • Your web server is Apache installed on a Linux operating system
  • The root directory for your WordPress installation is located at /var/www/{virtual_host}/

To run the script, supply the virtual host folder name as the only command-line argument.

You can find the script below.


#!/bin/bash
# Usage: ./wp-permissions.sh <virtual_host_folder>
# Assumes Apache running as www-data on Linux, with WordPress under /var/www/<virtual_host_folder>/
set -u

if [ $# -ne 1 ] || [ ! -d "/var/www/$1" ]; then
    echo "Usage: $0 <virtual_host_folder>   (the folder must exist under /var/www)" >&2
    exit 1
fi
SITE_FOLDER="$1"
SITE="/var/www/$SITE_FOLDER"

echo "Change owner on all sites"
echo "chown -R -f www-data:www-data /var/www"
chown -R -f www-data:www-data /var/www

echo "Securing the entire site $SITE_FOLDER"
echo "chmod 755 on directories under $SITE"
find "$SITE" -type d -exec chmod 755 {} \;
echo "chmod 644 on files under $SITE"
find "$SITE" -type f -exec chmod 644 {} \;
echo "chmod 640 $SITE/*.php"
chmod 640 "$SITE"/*.php
echo "chmod 640 on files under $SITE/wp-admin"
find "$SITE/wp-admin" -type f -exec chmod 640 {} \;
echo "chmod 640 on files under $SITE/wp-includes"
find "$SITE/wp-includes" -type f -exec chmod 640 {} \;
echo "chmod 644 $SITE/.htaccess"
chmod 644 "$SITE/.htaccess"
echo "chmod 664 $SITE/sitemap.*"
chmod 664 "$SITE"/sitemap.*
echo "chown -R www-data:www-data $SITE/wp-content/uploads"
chown -R -f www-data:www-data "$SITE/wp-content/uploads"
# uploads and upgrade must be writable by the web server (the owner, www-data);
# 775/660 give it that without making anything world-writable, which the
# WordPress hardening guidance advises against.
chmod -R 775 "$SITE/wp-content/uploads"
find "$SITE/wp-content/uploads" -type f -exec chmod 660 {} \;
chmod -R 770 "$SITE/wp-content/upgrade"
chmod -R 750 "$SITE/wp-content/plugins"
find "$SITE" -name 'index.php' -exec chmod 640 {} \;
echo "Done"

If this script helped you with your WordPress permissions please leave me a comment below.
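Setting the modes is half of the job; the other half is checking later that nothing has drifted back (a plugin installer or a careless chmod can reopen a tree). The following audit is an added example, not the script from the post: it reports entries under a site root that contradict the targets the post's script sets (world-writable entries, a group- or world-writable .htaccess, an others-readable wp-config.php, execute bits on uploaded files). It assumes GNU findutils on Linux; the demo at the bottom builds a small constructed tree in a temporary directory rather than touching /var/www.

```shell
#!/bin/sh
# Added example (not the post's script): audit a WordPress tree for
# permissions that deviate from the hardening targets used in the post.
# Assumes GNU findutils on Linux; the site root is the only argument
# (for the post's layout that would be /var/www/<virtual_host_folder>).
set -u

# Print one "<reason>: <path>" line per deviation found under $1.
audit_wp_perms() {
    site="$1"
    # 1. Nothing in the tree should be world-writable (the WordPress
    #    hardening guidance the post cites warns against 777).
    find "$site" -perm -0002 -print 2>/dev/null | sed 's/^/world-writable: /'
    # 2. .htaccess should be writable by the owner only; a writable
    #    .htaccess lets any compromised account rewrite server config.
    if [ -e "$site/.htaccess" ]; then
        find "$site/.htaccess" \( -perm -0020 -o -perm -0002 \) -print \
            | sed 's/^/htaccess-writable: /'
    fi
    # 3. wp-config.php holds database credentials; others must not read it.
    if [ -e "$site/wp-config.php" ]; then
        find "$site/wp-config.php" -perm -0004 -print \
            | sed 's/^/config-world-readable: /'
    fi
    # 4. Uploaded files never need an execute bit; uploads is the directory
    #    the web server writes to most, so it deserves the closest look.
    if [ -d "$site/wp-content/uploads" ]; then
        find "$site/wp-content/uploads" -type f \
            \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print \
            | sed 's/^/executable-upload: /'
    fi
}

# Number of deviations under $1 (0 means the tree matches the targets).
count_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Demo on a constructed tree in a temporary directory (no real site needed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    touch "$tmp/index.php" "$tmp/.htaccess" "$tmp/wp-config.php" \
          "$tmp/wp-content/uploads/photo.jpg"
    chmod 755 "$tmp" "$tmp/wp-content" "$tmp/wp-content/uploads"
    chmod 640 "$tmp/index.php" "$tmp/wp-config.php" "$tmp/wp-content/uploads/photo.jpg"
    chmod 644 "$tmp/.htaccess"
    echo "clean tree: $(count_findings "$tmp") finding(s)"
    chmod 777 "$tmp/wp-content/uploads"   # the classic "just make it work" mode
    chmod 666 "$tmp/.htaccess"
    audit_wp_perms "$tmp"                 # lists the three resulting deviations
    rm -rf "$tmp"
}

demo
```

Run it as `./audit-wp-perms.sh` for the demo, or source it and call `audit_wp_perms /var/www/<virtual_host_folder>` against a real tree; a non-empty report is the signal to re-run the hardening script and to ask what changed the modes.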

I recently needed a BuddyPress-compatible wiki component for a project and couldn't exactly find what I needed among the available plugins in the WordPress repository. The first solution I found was BuddyPress Docs, which is a great plugin but was overly complicated for what I needed. The second solution I found was the Buddypress Wiki Component (bp-wiki). This plugin seemed to fulfill all of my requirements, but it had a few bugs. Support for the plugin was lacking and the developer hadn't updated it in over 2 years. Numerous people had opened support threads indicating it was not compatible with the latest version of WordPress. As a result, I downloaded the plugin and got to work. At this point, I've updated the plugin to be compatible with WordPress 3.8+. The frontend editor has been updated to use the wp_editor function in WordPress, and the JavaScript has been fixed to allow inserts and updates to wiki entries. With the permission of the original developer, I've placed the updated code on GitHub. You can find the updated code here.

While designing a proof-of-concept intranet solution in WordPress, I wanted to provide a stock quote widget in the template sidebar. I searched through the WordPress plugin repository and found a couple of widgets that display a stock watch list or ticker in the sidebar, but none of them provided an on-demand quote. The plugin requirements were simple: I wanted a site visitor to be able to input a ticker symbol in the sidebar and then have a quote displayed in a popup using Ajax. Below are some of the plugins I looked at.

  • Stock Quote Sidebar – This widget puts a stock quote list in the sidebar. It has a nice tooltip that displays a historical chart for the ticker symbol. This is a great plugin for a list of predefined stocks.
  • WP Stock Ticker – This plugin creates an actual ticker from a list of ticker symbols. It's under current development and has a decent rating. Although this plugin came up in my search, it isn't at all what I was searching for.

In the end, I decided to build a quick plugin. The plugin is really very simple. It queries the Yahoo stock API for current and historical data and passes the information back to the browser via an Ajax call. I decided to use Fancybox to implement the popup. As I began to build the plugin I realized the need to display historical price data in a chart, so I chose Highcharts as the charting library. The popup now displays the current quote and a one-year historical price chart for the stock. The following are screenshots of the widget.

Stock Quote Widget

Stock Quote Widget Popup

Stock Quote Widget Popup showing History Tooltip

This plugin does require Fancybox; I suggest Easy Fancybox or WP Fancybox. Also, Highcharts is licensed software: if you intend to use this widget on a commercial site, you will want to obtain the appropriate licensing from HighCharts.com. You can download the widget below. I do not plan to maintain the plugin unless there is high interest. If I receive enough feedback I will upload it to the WordPress plugin repository.
