Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?

In short:

YES, is a big time threat.

Explained:

Little time has passed since I asked this question but now I have found that the safer and most useful file permissions for wordpress are the following:

Directories: 755 Owner can: Read, write and execute. Group and public can: Read and execute.

Read-only files:644 Owner can: Read and write. Group and public can read only.

Example of read only files:

  • *.css
  • *.htm
  • *.html
  • *.jpeg
  • *.jpg
  • *.gif
  • *.png
  • *.js
  • *.mpeg
  • *.mpg
  • *.mp3
  • *.avi
  • *.txt
  • *.doc
  • *.pdf

Executable files:700 Owner can: Read, write and execute.

Example of executable files:

  • *.php
  • *.cgi
  • *.pl
  • *.py
  • *.rb

TO IMPLEMENT THE CHANGES (in terminal):

Determine where are you, this will tell you that.

pwd

Once you get to the desired folder (there were the wp-config.php lays) in order to change the directory permissions you could try:

sudo find . -type d -exec chmod 755 {} \;

Where: -type d stands for instances listed as directories found by find command.

Then:

sudo find . -type f \( -iname '*.css' \-or -iname '*.htm*' \-or -iname '*.jpeg' \-or -iname '*.jpg' \-or -iname '*.gif' \-or -iname '*.png' \-or -iname '*.js' \-or -iname '*.mpeg' \-or -iname '*.mpg' \-or -iname '*.mp3' \-or -iname '*.avi' \-or -iname '*.txt' \-or -iname '*.doc' \-or -iname '*.pdf' \) -exec chmod 644 {} \;

Where: -type f stands for instances listed as files with given file extensions founded by find command.

And finally:

find . -type f \( -iname '*.php*' \-or -iname '*.cgi' \-or -iname '*.pl' \-or -iname '*.py' \-or -iname '*.rb' \) -exec chmod 700 {} \;

Where: (again) -type f stands for instances listed as files with given file extensions founded by find command.

Happy server management.

Related Posts:

  1. Securing a multi-user permission structure
  2. What permissions should I give directories if I want to make WordPress more secure?
  3. wp-content – permissions for files/folders created by apache
  4. Folder Permissions + Security Concerns
  5. File and directory permissions
  6. How to get WordPress to save upload file beyond web root [closed]
  7. How to disable XML-RPC from Linux command-line in a total way?
  8. Is it good security advice to install wordpress in subdirectory but link to root?
  9. Definitive wordpress directory ownership and permissions on linux
  10. How to change permissions of WordPress and/or apache on macOS securely?
  11. Are there security risks in working directly in the themes folder that builds into a theme folder?
  12. On new server, site got hacked, permissions a bit strange? Please help
  13. Privilege escalation bugs in 2.9?
  14. Why are the latest visits to my website originating from my own website?
  15. Should I change the default file and folder permissions?
  16. Malware/Permission bug removal?
  17. Default installation permissions for wp-config.php
  18. Directory to store secure file
  19. WordPress – tracking options
  20. What is the difference between a cer, pvk, and pfx file?
  21. Is it possible to decrypt SHA1
  22. How to change permissions for a folder and its subfolders/files in one step
  23. Error `sec_error_revoked_certificate` when viewed in Firefox only
  24. Why should I use the esc_url?
  25. Where to securely store API keys and passwords in WordPress?
  26. What are the recommended database permissions for WordPress?
  27. Why escape if the_content isnt?
  28. Full path disclosure on rss-functions.php
  29. What to use instead of wp_kses() in user output
  30. Are the default salts secure?
  31. is_email() VS sanitize_email()
  32. Moving wp-config.php: Can this be done after site launch?
  33. How to secure or disable the RSS feeds?
  34. Make password invalid once logged out of password-protected page
  35. Is security a problem in WordPress?
  36. Moving wordpress out of the public directory
  37. Logout via Subdomain, non-wordpress page on a different server?
  38. Protecting HTML5 video [closed]
  39. How can I tell who changed the password?
  40. WordPress website Security [closed]
  41. Do I need to use the esc_html() function on hard coded links?
  42. Can’t reset WordPress password
  43. Is the “lost password” feature truly a vulnerability?
  44. local folder permissions vs chown — security considerations
  45. Is it possible to reduce the minimum character length for passwords?
  46. Handling email piping attachments and detecting unsupported file types
  47. What is the best way to move a plugin´s subdirectory+files to wp-content/uploads-directory?
  48. Why was my blog post inserted lot’s of ad links by others?
  49. WordPress SQL Injections through User Agent
  50. Should I Worry About SQL Injection When Using wp_insert_post?
  51. Is there a way for a user to have an alias?
  52. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  53. Security threat with `home_url`?
  54. When is wp_set_password() called or how to capture a password
  55. Correct folder permissions?
  56. Something is unescaping all html entities before output to browser [closed]
  57. Is there a way to hide WordPress behind a web visible directory?
  58. Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php
  59. How to get WordPress to send Password Reset Link Email instead of New Password?
  60. WordPress and plugins can’t update (“inconsistent file permissions” error)?
  61. Verifying that I have fully removed a WordPress hack?
  62. Large Session Tokens
  63. Using an Encryption class in a WordPress Plugin
  64. Disable directory browsing of uploads folder
  65. Moved WordPress site to new server, directory permissions not working correctly
  66. Config file with no Keys..?
  67. How much should I worry about these messages?
  68. WordPress sites being filled with random PHP files
  69. Security concerns with external links
  70. Uploading .webm format on WordPress results in security guidline breach and fail
  71. fail2ban to prevent Brute Force Attacks on WordPress?
  72. .htaccess password protection bypassed
  73. Session Cookie security questions
  74. Storing FTP details in wp-config.php
  75. Spam injected in w3 total cache page cache [closed]
  76. How to distinguish between a hack and an encoding error?
  77. Prevent editor from adding script or form
  78. How to change location of wp-config.php to folder or 2 folders up?
  79. How might I sanitize an XML file before WP Import? (Does wordpress verify or clean text when importing from an XML document? )
  80. Finding where a snippet of code is coming from
  81. Remove hacked code – out of ideas! [closed]
  82. How to write to the plugin’s directory?
  83. Secure Server after configuration
  84. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  85. Block JSON access over the net
  86. Can someone do something to my website if I posted a snapped image of the header and covered my logo? (On reddit, when explaining a question)
  87. Where to store sensitive uploaded file?
  88. The in-famous Unable to locate WordPress Content directory (wp-content) and the Direct Method
  89. Security: Critical backend outside of wordpress
  90. Advice On How to Backup WordPress
  91. My site thinks it’s secure when it is fact not
  92. Is it possible to only have the admin interface bind to the local loopback?
  93. Permission functions within wordpress
  94. Correct setup to block file modifications from hackers
  95. Is my WP site being hacked?
  96. checking the form submit in right order
  97. Our security auditor is an idiot. How do I give him the information he wants?
  98. What permissions should my website files/folders have on a Linux webserver?
  99. I am under DDoS. What can I do?
  100. SSH keypair generation: RSA or DSA?