Which wordpress should be obligatory writeable?

There is no definitive answer to this, but I’d like to share my 2 cents anyways.

In practice, many plugins write to custom folders in ./wp-content/. Just checking one client site I see 6 custom folders in there (e.g. from security, backup, caching plugins, etc.).

Some themes and plugins may even expect that they are able to write inside their own folder (inside ./wp-content/themes/foo/ or ./wp-content/plugins/bar/), so restricting file access within ./wp-content/ will usually lead to problems.

Depending on the project, I usually do a mix of the following:

  1. Have wp-config.php one level below the webroot. WordPress supports this out of the box and I consider it good practice to avoid accidental leakage of secure credentials.
/var/www/
        |- wp-config.php
/var/www/html/
             |- index.php
             |- wp-activate.php
             ...

  1. Make wp-config.php read-only. This way you avoid hacks that read the file, remove restrictive elements, and overwrite it.

  2. Set DISALLOW_FILE_EDIT (disallows editing via the editor in wp-admin) and DISALLOW_FILE_MODS (disallows any plugin/theme/core updates).

  3. Regularly scan your complete installation and compare against original files. (Most security plugins have features of this, beware that this might be resource-intensive, so you might want to do it automated at night.)

  4. Force secure passwords and if possible even 2FA for all backend users. (Forcing it for admins is a start, but there are “privilege escalation” scenarios, so forcing it for all users that have backend-access is usually best.)

  5. Use advanced setups like Roots’ Bedrock. If you manage your dependencies (core, plugin, theme) via composer, it is much easier to setup a new site. Bedrock also separates core from custom files better, so you can use more restrictive file-access.

  6. Make related services internal. E.g. your DB and Redis do not need to be public, but only be accessible by WP itself.

Related Posts:

  1. MySQL error 1449: The user specified as a definer does not exist
  2. WP in Docker – cannot install plugin or upgrade WP
  3. when FS_METHOD = ‘direct’ is chosen?
  4. Create custom permissions for user type
  5. WordPress REST API – Permission Callbacks
  6. Can’t upload images due to permissions error
  7. Recommended File Permissions
  8. What’s the difference between the permissions “edit_published_posts” and “edit_posts”
  9. Wrong permissions when uploading a file through WordPress | IIS
  10. ftp_nlist() and ftp_pwd() warnings
  11. WordPress in IIS 7.5 – “cannot create directory”
  12. What permissions should i have set up for the Database User after i have WordPress set up?
  13. Why is group ownership with rwx permissions not enough?
  14. Editing WordPress Permissions in LAMP – Ubuntu 11.10
  15. How can I limit WordPress editor roles to a specific category?
  16. can i run wp as root permissions
  17. Prevent or Disable creating new users or changing roles of existing users to Administrator
  18. Safe to set permissions to 757 temporarily to update via wp-cli?
  19. Does WordPress have fine-grained view permissions?
  20. WordPress debug.log is not updating
  21. WordPress file permissions for editing on local Ubuntu development machine
  22. Troubleshoot “You do not have sufficient permissions to access this page.”
  23. plugin install wants ftp (chown and 755 not enough)
  24. can’t change footer
  25. permissions access error
  26. Permissions Issue with WordPress
  27. What user/group does WordPress belong to in terms of file permissions?
  28. Enable plugin installs without FTP with user from same group as Nginx/PHP-fpm
  29. Iframe a WordPress template
  30. Moved my WordPress site and now it can’t read the theme
  31. WordPress folder ownership issues
  32. Applying roles to an admin sub-menu (eg Appearance -> Menus)
  33. WordPress unable to create folders even though correct NTFS-rights are set
  34. WordPress php mysql errors – errcode: 13 permission denied
  35. Safari not “giving Permission to Open This Page” when trying to load pdf from wordpress site [closed]
  36. Invalid changeset UUID WordPress
  37. Group ownership permissions don’t allow web server to update WordPress content
  38. Should Apache own /var/www/domain.com directory in WordPress?
  39. WordPress Permissions on my Local with Docker
  40. Grant user rights to access certain tabs of a plugin
  41. Permissions in a Local Dev Environment (OS X)
  42. Running WordPress as FTP user?
  43. How to to secure WordPress file and folder permissions
  44. Upgrading problem
  45. Return scheduled posts with WP REST API
  46. wp-content Folder Permissions (777 OK?)
  47. Permission of 775 not enough
  48. failed to open stream: Permission denied for WordPress plugin
  49. How to prevent plugins from being uninstalled
  50. Reseting file permissions
  51. What is the “user account” for WordPress’ file permissions?
  52. Auto-update failing with “hardened” permissions
  53. Restrict access to trash, only admin
  54. How to hide wordpress error message?
  55. What is this error message?
  56. “Backdoor-list.txt” files unexpectedly in server
  57. How to grant user access the page [closed]
  58. WordPress 4.4.2 Update not working
  59. Auto-Upgrade to 4.2.2 fails because theme functions.php is included instead of wp-includes/functions.php
  60. How to prevent people from seeing certain articles in menus?
  61. Configure Permissions in Mamp [closed]
  62. Edit draft from other author
  63. How to add only a (sub) capacity to an user role?
  64. Auto-Update Fails
  65. How to disable admin/editor access to specific user’s posts
  66. How to make file not open to public but javascript file under WordPress folder can load it
  67. Opening a file of the theme from outside
  68. Allow Editor access to a certain plugin
  69. Visitors “do not have permission to view this content” on home page only
  70. Permissions Script Not Working
  71. WordPress does not have the permission to update (IspConfig)
  72. Blank White page issue in WordPress
  73. Permissions working but not working
  74. Mamp Pro File Permissions
  75. CentOS 7 cPanel – Setting Correct Permissions
  76. Create a custom “you dont have permission” message
  77. How to lock all published posts so only admin can unlock delete and update permission
  78. Why do some of my directories need to be writeable that shouldn’t be?
  79. How to put WordPress website behind the credential for visitors?
  80. Downloaded WP but Nginx home page still showing
  81. Public and Private keys incorrect for user
  82. Why can I upload files but need FTP login for plugins
  83. sufficient permissions to access this page
  84. wordpress using WP MVC: You do not have sufficient permissions to access this page
  85. Uploaded files have permission 000
  86. Moved WordPress Directory – Having access issues now
  87. Strange error “You do not have sufficient permissions to access this page”
  88. Is it possible to allow a user to only edit categories of posts and nothing else?
  89. Restrict access to specific content
  90. WordPress – Public side and Private side
  91. the_tags only showing when logged in?
  92. Configuring WordPress permissions for easy updates
  93. Plugins Page – “Page disabled by the administrator”
  94. How to give access to programmer/developer to make changes, but prevent undesirable changes? [closed]
  95. WordPress files owner changed silently
  96. How do I share a Git repository with multiple users on a machine?
  97. Amazon Cloudfront with S3. Access Denied
  98. GRANT SELECT to all tables in postgresql
  99. Postgresql: what does GRANT ALL PRIVILEGES ON DATABASE do?
  100. WP Permission still set to Not Writable after I change the permission for the whole folder and files