

  • wordpress directory permission setting
  • wordpress directory permission setting site:stackoverflow.com



添加一个专门的用户用于WordPress的设置(一般情况下是和Web容器Apache/Nginx相同的用户,比如 www);

This is how I do it (change the stuff within brackets to your environment:)

$ cd [wordpress_install_folder]
$ chown -R [webuser]:[mygroup] *
$ chmod -R g+w *
$ chown root:root wp-config.php
$ chmod 644 wp-config.php


Here is the correct file permissions for WordPress:

To set correct permissions you need to use these commands:

chown www-data:www-data -R *		# Let apache be owner
find . -type d -exec chmod 755 {} \;	# Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \;	# Change file permissions rw-r--r--

Depending on your server configuration you may put your wp-content on 775. This permission will allow your group to write in this folder. Why add group permissions? Because in wordpress, you can have two users working on files, the www-data user (who executes the website) and the ftp user (who downloads plugins and updates from the webplatform wordpress). You can put your wp-content on 755 but you have to make www-data the owner of this folder and do your updates manually via FTP.

EDIT with ManuelSchneid3r’s answer

Source: http://www.electronicworkplace.com/latest-updates/wordpress-correct-permissions-for-files-and-folders

You may be interested in this one too : http://codex.wordpress.org/Hardening_WordPress




  • lnmp wordpress start user
  • lnmp wordpress start user permission




但像 “/var/www” 这样的Web根目录的属主应该为root,只有对于那些特殊的需要进行修改的文件/目录(比如主题、插件……等目录)可以将属主修改为www(644)。


Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.(新建一个组group_name,将”/var/www”的属主设置为root:group_name,给所有需要进行发布的用户添加到这个组里面来;同时你需要设置一下文件夹的setgid位允许该组中的成员具有写权限)


So, should www-data user be the owner of /var/www

Why is the apache process run by www-data, but the /var/www owned by root? Is there some risk to making www-data own the folder and run the process?

Your web server is running as www-data. If apache has the ability to write to /var/www and you have configured something incorrectly, or your running a buggy web application, or apache itself has an exploitable bug, then an evil person on the Internet would be able to write things to /var/www. Whenever possible you should always give service accounts the least privileges they need to operate.

is there something even better than the two solutions I’ve seen?

Create a new group, and change the ownership of the /var/www to root:group. Add all user that need to publish to that folder to the group. You might also want to mark the folder with the setgid bit and adjust the umask of your users so anything they write to this folder will be writable by anyone else in that group.


For 99.9% of situations the web pages should absolutely not be writable by the www daemon. This includes the www daemon owning the files or directories. I’ve found it to be very common for root to own the files/directories, 644/755.

If there’s an exploit of any kind, it’ll be more likely that your website can be modified, defaced, infected with malware, or any one of a hundred other scenarios when owned/writable by the daemon.


  • wordpress plugin dir
  • nginx: master process www or root
  • php-fpm: master process www or root
  • modify nginx start user


  1. Apache/Nginx这些Web容器应该以低权限(或特定权限)启动,常见的做法就是新建一个专门的用户www用于启动/管理Web容器;
  2. Web目录只读,一般是将Web目录的属主设置为root,权限设置为755;
  3. 对于确定需要写入功能的Web目录,其属主需要和启动Web容器的用户一致,权限设置为755,同时设置目录禁止执行动态脚本(PHP/JSP)。







最小化Web容器的权限 && 严格限定Web目录的权限(不可写 or 可写不可执行)。

《 “较为安全的WordPress目录权限设置” 》 有 10 条评论

  1. 【预警通告】WordPress 存储型XSS漏洞 威胁预警通告


  2. WordPress安全防护 你可以做这些事情
    * 一个强大的管理员密码
    * 登陆次数限制
    * 修改登录地址
    * 保持WordPress最新版本
    * 不安装来源不明的主题插件
    * 网站防火墙
    * 定期备份站点


    十条关于 WordPress 安全性的小贴士 操作
    1. 切换到 HTTPS
    2. 限制 MySQL 连接地址
    3. 使用强大的数据库凭据
    4. 使用强大的管理员帐户凭据
    5. 移动或保护 wp-config.php 配置文件
    6. 尽可能授予用户最低权限角色
    7. 限制 IP 地址访问
    8. 隐藏 WordPress 版本号
    9. 理智选择第三方插件和主题
    10. 定期更新 WordPress 和插件

  3. Hardening WordPress(WordPress官方给出的加固方法)
    What is Security?
    Security Themes
    Vulnerabilities on Your Computer
    Vulnerabilities in WordPress
    * Updating WordPress
    * Reporting Security Issues
    Web Server Vulnerabilities
    Network Vulnerabilities
    File Permissions
    * Changing file permissions
    * Regarding Automatic Updates
    Database Security
    * Restricting Database User Privileges
    Securing wp-admin
    Securing wp-includes
    Securing wp-config.php
    Disable File Editing
    * Firewall
    * Plugins that need write access
    * Code execution plugins
    Security through obscurity
    Data Backups
    * Monitoring your logs
    * Monitoring your files for changes
    ** Goals
    ** General approaches
    ** Specific tools
    ** Considerations
    * Monitoring your web server externally
    See Also

回复 hi 取消回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注