WordPress chown, chgrp, chmod Explained for FTP and SSH

Most users fumble with understanding WordPress chown, chgrp, chmod. We have explained the terms for FTP and SSH in very easy language. Actually we have talked about CHMOD and CHOWN for WordPress before, but this is an illustrated guide with explanation of the terminologies, how to use and set proper permissions and file ownership. In this context of explaining WordPress chown, chgrp, chmod, we must emphasize that; we are taking that the user has full SSH and FTP access to the server – simply, it is not a shared hosting but either a dedicated server, virtual private server or a cloud server.

 

WordPress chown, chgrp, chmod Explained for FTP and SSH : Tools of Trade

 

Tools for SSH :

Actually you can have three kind of Operating System on your Computer, for Windows users; there is no Terminal App, so you need to download and install PuTTY. For Linux, there is Terminal App and for Mac / OS X; either use the default Terminal App or use iTerm2. We use iTerm2 and the setup described on the linked article.

Tools for FTP :

For Linux users : FileZilla ( free software )
For OS X / Mac users : FileZilla ( free software ), Transmit ( Paid ), Ported version of WinSCP ( Not Recommended for root users for security reasons )
For Windows users : WinSCP ( free software ), FileZilla ( free software )

 

Never save password specially on Windows OS. We do not recommend to either SSH or FTP to server from MS Windows. Windows OS is prone to virus, malware etc. ; it is safer to use any GNU Linux or BSD variants or OS X / Mac.

 

WordPress chown, chgrp, chmod Explained for FTP and SSH

 

If you are using deb Linux, like Debian or Ubuntu and Apache2 as Webserver software; www-data is Apache2, root is usually the per on who installed the Linux / build on Cloud platform (so actually it will feel to be you, but it is the Linux Kernel). To get the name of Apache username, you can run this command on SSH :

As Wheel Group is disabled in Linux, root feels to be the main user. Actually there should be an user – who will login to FTP. MySQL Database username is less understood by the most – in most cases, specially for wp-inclues folder, MySQL Database access the files. To avoid issues, most consumer grade Linux distro are compiled with usernames localhost, 127.0.0.1, www-data in proper groups. MySQL Database username never creates the issue as most uses the database as localhostor 127.0.0.1. MySQL Database also has a root user!

As example username is commonly used as wordpress, it basically create a confusion. On cPanel or Plesk, the ownership is usually properly set in a scripted manner. We are taking that your wp-config.php file is located at :

Which is default in Ubuntu 14.04 in one server one domain setup.

chown changes file owner and group.
chgrp changes group ownership. chmod changes the permissions of a file or directory.

To check the ownership of a file or directory use:

chmod is the worst way to allow WordPress to write files. Unfortunately for shared servers, FTP is usually the only way and it forces to change the default chmod value.

On FTP (FileZilla, you will see) :

Who owns the file? If root owns it, it can do anything; but if www-data owns; it will be less liberal (hence safer). WordPress doesn’t really need full ownership of everything – this is for preventing hacking attempts and actions by malwares. Who owns the file is ownership. What that owner can do is dictated by chmod.
The usual permission for WordPress chmod is :

It is very liberal as it is not possible to individualize the ownership for all kind of setup, the changed permissive wheel group chain in Linux makes the thing more complicated.
These are excellent docs :

chmod is inferior way to make a file writable over setting proper ownership.

 

Why My WordPress needs to chmod files to 777 to write?

 

Your combination of ownership, group of the owner and permissions are too restrictive to MySQL database or even to Apache web server. Apache’s father will fail to open a file on browser if ownership is set to no one! Obviously no one is not Apache’s another username in that case. Then, world becomes even the MySQL database. You can set your wp-config.php file’s chmod value to very very restrictive value or change the ownership to no one – it will frankly throw Error Connecting Database – localhost becoming the world.

You will never ever set any file or directory to chmod 777. If a directory is set to chmod 777, world means that anybody including the user www-data, will be able execute php scripts inside it. Which is actually never possible for anyone outside your server for hacking purpose with proper directory permission settings (disabling directory browsing), proper firewall setup, using a good FTP/SFTP server side software for protection (no chance of creation of anonymous FTP account). We say setting chmod 777 is very dangerous as it is taken that, the user who is asking about basic chmod, definitely has no idea about Linux Administration. With key chain based SSH access restriction, it is never possible to access any directory without the access key. Another point against chmod 777 is that, setting chmod 777 helps the hackers to run exploit using any buggy software’s weak point which is installed on the server including PHP.

It is possible to do a MySQL injection via comment form, contact us form even if chmod is set to 755 when you are using a plugin like W3 Total Cache or WP Super Cache (that is why advise to offload comments to another server). For temporary dev purpose or troubleshooting, you can chmod to 777 and then decrease the permission to 755 or to less permissive – but always close the comments (if default WordPress is used) temporarily in such situations.

Many takes backup via plugins – in most cases the wp-content’s some sub directory is set to 755 or 777. Anyone can download your backup and get the passwords. It is not wise action to allow search engine bots to crawl the whole wp-content folder in such cases – the files can get indexed. Actually it is possible to find weak point of any website, but usually unless you are FBI or NASDAQ, no one will ever invest so much time to hack you.