Definitive wordpress directory ownership and permissions on linux

If your aim is security, the only directory writable by the web server should be uploads. Yes, it means no easy updates, but in a secure environment the web server should not be able to write to directories in which there is executable code.

If you have so many updates that SFTP becomes too much of a time waster, install and use the wp-cli utility to do updates.

…. Almost forgot, the way to have updates while avoiding the permissions confusion is to run and FTP server that will be limited to accept requests from the local host. Firewall the FTP ports from any other host and you got both the possibility to update from the browser while being secure.

Related Posts:

  1. Folder Permissions + Security Concerns
  2. Securing a multi-user permission structure
  3. What permissions should I give directories if I want to make WordPress more secure?
  4. How to change permissions of WordPress and/or apache on macOS securely?
  5. WordPress sites being filled with random PHP files
  6. On new server, site got hacked, permissions a bit strange? Please help
  7. Privilege escalation bugs in 2.9?
  8. wp-content – permissions for files/folders created by apache
  9. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  10. Should I change the default file and folder permissions?
  11. Malware/Permission bug removal?
  12. Default installation permissions for wp-config.php
  13. What permissions should my website files/folders have on a Linux webserver?
  14. How to change permissions for a folder and its subfolders/files in one step
  15. what is a auth_user_file.txt?
  16. How to view PHP on live site
  17. Is moving wp-config outside the web root really beneficial?
  18. Hide the fact a site is using WordPress?
  19. Verifying that I have fully removed a WordPress hack?
  20. Can I Prevent Enumeration of Usernames?
  21. Best way to eliminate xmlrpc.php?
  22. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  23. Are Nonces Useless?
  24. What is the difference between esc_html filter vs attribute_escape filter?
  25. Which KSES should be used and when?
  26. How do WordPress Nonces Work?
  27. How can I easily verify a core or plugin update has not broken anything?
  28. Disable comment windows for all existing posts (pages/blogposts)
  29. Generate WordPress salt
  30. Stop wordpress automatically escaping $_POST data
  31. Why is group ownership with rwx permissions not enough?
  32. how can i embed wordpress backend in iframe
  33. Handling nonces for actions from guests to logged-in users
  34. WordPress Logout Only If User Click Logout or If User Delete Browser History
  35. Can I force a password change?
  36. How brute-forcer knows that the password is cracked for target username?
  37. What is pclzip.lib.php file that wordfence think it’s a malicious code
  38. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  39. How to disable XML-RPC from Linux command-line in a total way?
  40. How to remove javascript malware in wordpress site [closed]
  41. Completely remove the author url
  42. Securing my WordPress Files and Directories
  43. About WordPress site security
  44. Single sign-on: wp_authenticate_user vs wp_authenticate
  45. How to allow internal links using wp_kses filtration
  46. How does Cross Site Scripting (XSS) work exactly? [closed]
  47. Relative security of different releases of WordPress
  48. How does the “authentication unique keys and salts” feature work?
  49. vs WordPress Security
  50. esc_html__ security : what for in this example?
  51. Don’t attribute content to admin users
  52. Using HTACCESS for Secret Access
  53. wp-config.php being written by attacker
  54. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  55. Changing Table Prefixes – once done, am I good to go going forward?
  56. wordpress website host price and security [closed]
  57. Are there security risks in working directly in the themes folder that builds into a theme folder?
  58. Secure WordPress: Change admin
  59. how much information can we hide when using wordpress cms?
  60. Is it safe to use a global wp nonce per user instead of a nonce per action?
  61. Wordfence detects change in wp-admin/includes/upgrade.php
  62. Basic password protection without using users and roles
  63. System setting changed by system user
  64. Does meta-data need to be sanitized?
  65. Will there be security updates for WordPress 4.9.9
  66. Any known bugs that could cause disappearance of the wp_users table?
  67. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  68. Restrict Access without Creating Users
  69. How to obfuscate wp-config.php or code
  70. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  71. How to prevent to direct access of my custom plugin folder/files
  72. Checking for origin of a xmlrpc request
  73. RESTRICT EDIT of PHP files?
  74. How can I restrict access to specific parts of a page, not just the page itself?
  75. User generated content and security
  76. Are major WordPress updates mandatory for security?
  77. i moved wp-config.php outside of public html and this broke my website
  78. Monitor wordpress all external calls
  79. Securing WordPress running on Azure platform
  80. Verifying that I have fully removed a WordPress hack?
  81. Spam Registrations
  82. How can I have more confidence that WP plugins aren’t getting and storing user data?
  83. Standard Method for Securing a WordPress Site
  84. Any way to disable /wp-login.php redirecting to the site folder?
  85. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  86. Secure a WordPress website in 2019: one plugin or a combinations of them?
  87. What are the different types of firewall protections available for a WordPress website?
  88. Run a security scan on WordPress site that has .htaccess password [closed]
  89. Is this a WordPress security bug?
  90. Competitor is somehow accessing MetaData on a hidden WordPress site
  91. WordPress Hacks/Defacing [closed]
  92. Move data from wp-config to another file
  93. Heartbleed: What is it and what are options to mitigate it?
  94. How to check if an RSA public / private key pair match
  95. Why does sudo command take long to execute?
  96. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  97. How to add a security group to a running EC2 Instance?
  98. OpenVPN vs. IPsec – Pros and cons, what to use?
  99. How to test if my server is vulnerable to the ShellShock bug?
  100. What is the difference between /sbin/nologin and /bin/false?