Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
WordPress Permissions Configuration Script
#!/bin/bash
#
# This script configures WordPress file permissions based on recommendations
# from http://codex.wordpress.org/Hardening_WordPress#File_permissions
#
# Author: Michael Conigliaro
#
WP_OWNER=changeme # <-- wordpress owner
WP_GROUP=changeme # <-- wordpress group
WP_ROOT=/home/changeme # <-- wordpress root directory
WS_GROUP=changeme # <-- webserver group
# reset to safe defaults
find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;
# allow wordpress to manage wp-config.php (but prevent world access)
chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
chmod 660 ${WP_ROOT}/wp-config.php
# allow wordpress to manage .htaccess
touch ${WP_ROOT}/.htaccess
chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess
chmod 664 ${WP_ROOT}/.htaccess
# allow wordpress to manage wp-content
find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;
@macbleser

This comment has been minimized.

Copy link
Owner Author

commented Feb 21, 2014

Save the file as wordpress-perms.sh and set appropriate permissions for that script file using the following command:

chmod +x wordpress-perms.sh

Run the script with the following command:

./wordpress-perms.sh

After successful execution delete wordpress-perms.sh script file and then you are done.

rm wordpress-perms.sh
@vancouverwill

This comment has been minimized.

Copy link

commented Apr 13, 2015

hey @macbleser this script was great super helpful. I would suggest returning the .git directory back to the sysadmin owner after processing as this directory shouldn't be controllable by the apache user.

see https://gist.github.com/vancouverwill/b409515938548497bc7e

thanks

Will

@jacksierkstra

This comment has been minimized.

Copy link

commented Oct 10, 2015

I made a minor alteration to this script namely:

#!/bin/bash
#
# This script configures WordPress file permissions based on recommendations
# from http://codex.wordpress.org/Hardening_WordPress#File_permissions
#
# Author: Michael Conigliaro
#
WP_OWNER=changeme # <-- wordpress owner
WP_GROUP=changeme # <-- wordpress group
WP_ROOT=$1 # <-- wordpress root directory
WS_GROUP=www-data # <-- webserver group

And then you can call this script like the following:
./wp-permissions-script /var/www/wordpress-directory

That was useful to me as I had more Wordpress installations on my webserver.

@bradbakerdx

This comment has been minimized.

Copy link

commented Nov 26, 2015

WS_GROUP makes sense - that's going to be www-data or apache depending on your distro
WP_OWNER makes sense - that's going to be whatever user needs to interact with the files

But what is WS_GROUP? What's that supposed to be set to?

@NeonMonk

This comment has been minimized.

Copy link

commented May 3, 2016

Good work @jacksierkstra, that means it can be run on all wordpress directories like this: find /var/www -maxdepth 1 -type d -exec wp-permissions-script {} ;

@bradbakerdx: WS_GROUP is generally the same as WP_GROUP. Some people may have a different setup, if it's not immediately obvious to you, you don't. :)

@tech4eleven

This comment has been minimized.

Copy link

commented May 9, 2016

Is it possible to run this script on a wordpress installation on a windows server 2008 server? if so, how exactly?

@s1037989

This comment has been minimized.

Copy link

commented Aug 18, 2016

Wow, this is helpful! I wish Wordpress would include this in the tarball! Every time I do a new installation I struggle to get the permissions right before handing it over to the developer and then it's constant back and forth: "try again!"

What do you think about this updated version:

#!/bin/bash
#
# This script configures WordPress file permissions based on recommendations
# from http://codex.wordpress.org/Hardening_WordPress#File_permissions
#
# Author: Michael Conigliaro (https://gist.github.com/macbleser/9136424)
#
WP_ROOT=${1:-.} # <-- wordpress root directory, current directory by default
[ -e "$WP_ROOT/wp-config.php" ] || { echo "Usage: $0 /path/to/wordpress"; exit; } # <-- detect that the directory is a wordpress root
WP_OWNER=$(id -u $(logname)) # <-- wordpress owner (This assumes the wordpress owner is the logged in user)
WP_GROUP=$(id -g $(logname)) # <-- wordpress group (This assumes the wordpress owner is the logged in user)
WS_GROUP=$(
     source /etc/apache2/envvars 2>/dev/null && # This works on debian-based systems at least
     echo "$APACHE_RUN_GROUP" ||
     echo nobody  
) # <-- webserver group
echo "Fixing permissions on $WP_ROOT"
echo "Wordpress owner.group: $WP_OWNER.$WP_GROUP"
echo "Web Server group: $WS_GROUP"

echo 'reset to safe defaults'
find ${WP_ROOT} -exec chown ${WP_OWNER}:${WP_GROUP} {} \;
find ${WP_ROOT} -type d -exec chmod 755 {} \;
find ${WP_ROOT} -type f -exec chmod 644 {} \;

echo 'allow wordpress to manage wp-config.php (but prevent world access)'
chgrp ${WS_GROUP} ${WP_ROOT}/wp-config.php
chmod 660 ${WP_ROOT}/wp-config.php

echo 'allow wordpress to manage .htaccess'
touch ${WP_ROOT}/.htaccess
chgrp ${WS_GROUP} ${WP_ROOT}/.htaccess
chmod 664 ${WP_ROOT}/.htaccess

echo 'allow wordpress to manage wp-content'
find ${WP_ROOT}/wp-content -exec chgrp ${WS_GROUP} {} \;
find ${WP_ROOT}/wp-content -type d -exec chmod 775 {} \;
find ${WP_ROOT}/wp-content -type f -exec chmod 664 {} \;
@jaysin586

This comment has been minimized.

Copy link

commented Sep 8, 2016

I want to thank you so much for this!

For those of you looking into a default AWS word press install please use the below variables:

WP_OWNER=apache # &lt;-- wordpress owner
WP_GROUP=apache # &lt;-- wordpress group
WP_ROOT=/var/www/html # &lt;-- wordpress root directory
WS_GROUP=apache # &lt;-- webserver group
@KontrivedMedia

This comment has been minimized.

Copy link

commented Sep 15, 2016

How would I get this working on my local machine (Mac running Mamp Pro) as the above script doesn't work for me and sets the group to nobody. Which renders my site a whitescreen.

@jult

This comment has been minimized.

Copy link

commented Oct 26, 2016

This assumes apache is the webserver. I have to admin several servers and sites that run solely using nginx and php5-fpm.

@phidomo

This comment has been minimized.

Copy link

commented Dec 10, 2016

How do I get the WP_OWNER, WP_GROUP and WS_GROUP of my current WordPress installation?

@michaelwdc

This comment has been minimized.

Copy link

commented Mar 21, 2017

This is great! I've been struggling with getting the correct file/folder permissions. This script makes it easy.

@burbridgeconsulting

This comment has been minimized.

Copy link

commented Apr 2, 2017

I can't tell you how helpful this is. Thanks!

@milesstewart88

This comment has been minimized.

Copy link

commented Aug 30, 2018

I needed this!

@KarlYee

This comment has been minimized.

Copy link

commented Oct 4, 2018

Wonderful! Something that should come bundled w/ the WP install package.

@inventortechie

This comment has been minimized.

Copy link

commented Dec 4, 2018

Why is there a separate WordPress group, and a Server Group?

@kl3sk

This comment has been minimized.

Copy link

commented Dec 28, 2018

To automatically find webserver user, symfony provide a command:

HTTPDUSER=$(ps axo user,comm | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v root | head -1 | cut -d\  -f1)

source: https://symfony.com/doc/3.3/setup/file_permissions.html#using-acl-on-a-system-that-supports-setfacl-linux-bsd

@pwil30

This comment has been minimized.

Copy link

commented Jun 20, 2019

Brilliant, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.