I just recently installed PHP and wordpress on our coldfusion box and wordpress is throwing me an dialog saying I need to input FTP information so wordpress can alter the files. I read up on this and basically this only comes up if wordpress cannot manipulate the files directly via PHP/apache user.

My question is now how should I set the folder permissions so things are secure and play nicely?

The wordpress root folder has the following permissions

drwxrwxr-x  6 wwwtech    root  4096 Feb 21 14:09 home

files and folders within have

-rw-r--r--  1 wwwtech root   418 Sep 25  2013 index.php
drwxr-xr-x  9 wwwtech root 12288 Jan 23 20:17 wp-admin

PHP and apache are running under user tech

tech     12465  0.0  0.0   9400   936 pts/0    S+   09:58   0:00 grep --color=auto php

and are part of group

tech : tech root adm dialout cdrom plugdev sambashare lpadmin admin

I just recently installed PHP and wordpress on our coldfusion box and wordpress is throwing me an dialog saying I need to input FTP information so wordpress can alter the files. I read up on this and basically this only comes up if wordpress cannot manipulate the files directly via PHP/apache user.

My question is now how should I set the folder permissions so things are secure and play nicely?

The wordpress root folder has the following permissions

drwxrwxr-x  6 wwwtech    root  4096 Feb 21 14:09 home

files and folders within have

-rw-r--r--  1 wwwtech root   418 Sep 25  2013 index.php
drwxr-xr-x  9 wwwtech root 12288 Jan 23 20:17 wp-admin

PHP and apache are running under user tech

tech     12465  0.0  0.0   9400   936 pts/0    S+   09:58   0:00 grep --color=auto php

and are part of group

tech : tech root adm dialout cdrom plugdev sambashare lpadmin admin

• php
• admin
• installation
• directory
• permissions

1 Answer 1

For starters, the WordPress Codex has a wealth of information on this very topic. For the sake of brevity that should take care of most of it; however, there are some relievant points that should be made:

• If you do not wish WordPress (essentially PHP) to have access to the file system with the exception of dynamic static assets such as images or cache then leaving your permissions as is and only changing the ownership of the wp-content/uploads and wp-content/cache folders to be the same user|group that runs PHP should be sufficient. Please keep in mind that some plugins require the wp-content folder be made writeable, but in such cases typically you will be notified. In some cases, this may require assigning 755 permissions.
• You will need to manually upload any relivant files during upgrade of core or plugins that have updates available. This will break the default mechanism of auto updates for core and the streamlined maintenance mode functionality utilized during the update process (both core and plugins).
• Security of your server is paramount, I would suggest also thoroughly evaluating the items outlined in Hardening WordPress to ensure that you are running secure environment.