Reset File Permissions on a Managed WordPress Hosting Account
One of the most basic and critical security measures on any website is to protect the file system from unauthorized changes. While WordPress offers a number of built-in security features to help protect your content and your brand from being tampered with, the most basic way to ensure the safety of your website’s files is through the use of file permissions. In this article, we will guide you step by step through changing the default file permissions on a managed WordPress hosting account so you can feel confident that your content is safe and you can fully implement your website’s content strategy.
How to Change File Permissions on a Managed WordPress Hosting Account
To change the file permissions on a managed WordPress hosting account, you will need to log in to your cPanel and go to the Files section. There, you will see a list of the different file types on your account. For this example, we will assume that you are logged in as the administrator of the account and that you are currently looking at the Files section from the cPanel. Let’s examine the different file types on your account:
- index.php (this is the default file for WordPress)
- robots.txt (this is a simple text file that helps search engines to navigate your site easily)
- hTwig (this is the default template engine for WordPress)
- phpstan.cache (this is a caching reverse proxy)
- phpstan.rules (this is a rules-based cache managing tool)
- vendor (this is a folder containing all the WordPress-related folders, such as the wp-content folder)
- wp-admin (this is the folder containing all the WordPress-related folders, such as the wp-content and wp-admin folders)
- wp-includes (this is a folder containing all the WordPress-related folders, such as the wp-content and wp-admin folders)
- test-on-this-blog.php (this is a file that will be placed in your root directory, which is the starting point of your site)
- favicon.ico (this file will be placed in the root directory)
- php.ini (this is a file that contains the default settings for your PHP installation)
- apache2.conf (this is a configuration file for your Apache HTTP Server)
Out of these, you will want to ensure that only the wp-admin and root directories have read permissions and that all the other files have write permissions. The reason for this is that your wp-admin and root directories are where all the critical files and folders are located that make up your WordPress installation. If these directories and files are not protected by restricting file permissions, anyone who knows the correct directory structure and file names can easily access your content and do whatever they want with it. This could potentially lead to system corruption, data loss, or even a huge security risk.
To change the file permissions on all the files and folders in your wp-admin and root directories, click on the “Advanced” button from the menu that appears when you click on one of the file types listed above.
This will open up the following screen:
As you can see, there is a checkbox with the label “Set File Permissions to ‘755’”. Beneath this, you will see the option to set the permissions for all the files and folders in your wp-admin and root directories to “755”. Setting these permissions ensures that only people with root access can read, write, or access your website’s files. By default, all new files that you create will have these same permissions. You will notice that in most cases, the permissions screen will only allow the owner of the file or folder to edit the permissions. However, there is one important exception to this rule: if you are the administrator of the account, you will have complete control over how other users can edit the permissions of any file or folder that they have permission to access.
When you are done making your changes, click on the “Save Changes” button.
You will then be returned to your Files page and the permissions of your wp-admin and root directories will have been updated. You can repeat this process to change the permissions of all the other files and folders on your account. You can also log out of your WordPress account and log back in with the new permissions to verify that they have been set correctly.
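One way to verify the result of the steps above from a script, as an added example that is not part of the original article: it walks a WordPress tree and reports every file or folder whose mode carries bits beyond 755 (group or world write, setuid, setgid, sticky), optionally clearing them. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

CEILING = 0o755  # mode set in the article; any bit outside it is reported


def audit_permissions(root, ceiling=CEILING, fix=False):
    """Return sorted [(relative_path, mode)] for entries exceeding `ceiling`.

    With fix=True the extra bits are cleared in place (mode & ceiling).
    Symlinks are skipped so the walk never leaves the tree.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~ceiling:  # group/world write, setuid, setgid, sticky
                findings.append((os.path.relpath(path, root), mode))
                if fix:
                    os.chmod(path, mode & ceiling)
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout for the demo, not a real WordPress install."""
    files = {"index.php": 0o644, "robots.txt": 0o666,
             "wp-admin/admin.php": 0o755,
             "wp-content/uploads/logo.png": 0o777}
    for rel, mode in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for dirpath, _dirs, _files in os.walk(base):
        os.chmod(dirpath, 0o755)  # pin directory modes regardless of umask
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)
    return base


if __name__ == "__main__":
    tree = build_sample_tree(tempfile.mkdtemp())
    for rel, mode in audit_permissions(tree):
        print(f"{oct(mode)}  {rel}")
```

Run it with fix=False first and review the list before clearing any bits, since some hosts rely on group write access for deployment.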
Why Should You Change File Permissions on Your Managed WordPress Hosting Account?
Since WordPress is a content management system, it needs to have all the basic files and folders in a readable state in order to be able to display content to users effectively. There are a few reasons why you should change the file permissions of your WordPress-related files and folders.
Firstly, WordPress stores all of its essential files in the wp-content and wp-admin directories. These are both located in the root directory of your WordPress instance. If you don’t change the permissions of these two directories and their sub-folders and files, anyone who knows the correct directory structure and filenames can easily access and modify the content of these directories. While this might seem like a good thing at first blush, it definitely isn’t something you want to allow to happen without proper monitoring and intervention.
Secondly, even if you try to hide important files and directories from view with clever filenames and directory structures, that doesn’t mean that they aren’t still accessible by anyone with the right know-how. For example, if you have images stored in a separate directory from your WordPress installation but they are still available through a link inside a post or page, an attacker could certainly get access to them by doing some simple directory browsing.
Changing the permissions of these important directories and files to “755” in read-write mode will prevent this kind of issue.
As mentioned above, WordPress needs to have all the basic files and folders in a readable state in order to be able to display content to users effectively. This means that if you store your images in a separate directory from your WordPress installation but still link to them inside posts or pages, the attacker can still access these images by simply browsing the file system.
Thirdly, WordPress is an open source project. As a result, anyone who has the technical know-how and is determined enough can look at the source code and find out all the details about how your site works. One of the things they might well do is try to access and change the file permissions on your critical directories and files and gain full control over your site. If you aren’t comfortable with this, then you shouldn’t be using this kind of hosting service.
Restrictions On What Can Be Used With Your WordPress Hosting Account
Another important safety measure that you can put in place on a managed WordPress hosting account is to limit what kinds of content can be uploaded to your website. You don’t want to allow users to upload viruses, malware, or any other such harmful content to your site, as this could potentially damage your WordPress installation and lead to system errors and crashes, among other things.
There are a few things that you can do to prevent users from inadvertently or intentionally causing problems on your site. One such way is to set restrictions on what kinds of content can be uploaded to your account. You can do this from your cPanel under the “Files” section.
Click on the “Upload Files” button and you will see a screen with all the restricted file types for your account. For the purpose of this example, we will assume that you have selected the “.php” file extension and that you want to allow PHP files only. This means that you will not be able to upload any other file types to your account (for example, you could not upload a ZIP archive or an installer for WordPress).
Now that you have set the appropriate file permissions for your wp-admin and root directories, you can feel confident that your content is safe and you can fully implement your site’s content strategy.