WordPress Ownership and Permissions

Complete Guide for PHP-FPM Pool Configuration

📚 Introduction

When using PHP-FPM pools, proper ownership and permissions are critical for security and functionality. This guide covers standard and hardened permission schemes for WordPress installations, including the advantages and disadvantages of each approach.

🔐 Understanding File Permissions

Key Concept: With PHP pools, the ownership is set to the user specified in the PHP pool configuration file. Permissions control who can read, write, and execute files.
Directories (Development)
770

Owner: Read+Write+Execute
Group: Read+Write+Execute
Others: No permissions

Files (Development)
660

Owner: Read+Write
Group: Read+Write
Others: No permissions

Permission Breakdown

Number Permission Meaning
4 Read (r) Can view file contents or list directory contents
2 Write (w) Can modify files or create/delete files in directory
1 Execute (x) Can execute files or access directory
0 No permission No access allowed

📋 Standard Permission Scheme (Development)

Use Case: Setting up a WordPress site, installing themes and plugins, uploading files, and configuring your site.

1Navigate to Site Directory

cd /var/www/example.com/

2Set Ownership

sudo chown -R username:username public_html/
Replace username with your actual PHP pool user.

3Set Directory Permissions (770)

sudo find /var/www/example.com/public_html/ -type d -exec chmod 770 {} \;

4Set File Permissions (660)

sudo find /var/www/example.com/public_html/ -type f -exec chmod 660 {} \;

5Verify Permissions

ls -l public_html/
Result: With 770/660 permissions, you'll have no issues setting up your site, configuring themes, configuring plugins, and uploading files during development.

🛡️ Hardened Permission Scheme (Production)

⚠️ Important: This permission scheme should only be applied AFTER your site setup is complete. Do not apply during initial setup or you'll encounter serious issues.

Security Benefits and Trade-offs

✅ Advantages

  • Enhanced Security: Prevents unauthorized modification of core WordPress files
  • Malware Protection: Limits write access to reduce injection vulnerabilities
  • Accident Prevention: Prevents accidental changes to core files
  • Compliance: Meets security best practices for production environments
  • Integrity Protection: Maintains file integrity by preventing unauthorized changes

❌ Disadvantages

  • Update Complexity: WordPress core, theme, and plugin updates become more difficult
  • No Auto-Updates: Automated updates through dashboard won't work
  • Plugin Compatibility: Some plugins requiring write access may break
  • Maintenance Overhead: Manual permission changes needed for updates
  • Temporary Permission Changes: Must grant write access temporarily for updates

Implementing Hardened Permissions

1Remove Write Permissions from Directories (550)

sudo find /var/www/example.com/public_html/ -type d -exec chmod 550 {} \;
This gives owner and group read+execute only, removing write permissions.

2Remove Write Permissions from Files (440)

sudo find /var/www/example.com/public_html/ -type f -exec chmod 440 {} \;
This gives owner and group read-only access.

3Restore Write Permissions for wp-content Directory (Directories)

sudo find /var/www/example.com/public_html/wp-content/ -type d -exec chmod 770 {} \;

4Restore Write Permissions for wp-content Directory (Files)

sudo find /var/www/example.com/public_html/wp-content/ -type f -exec chmod 660 {} \;
Critical: The wp-content directory MUST retain write permissions (770/660) to allow:

5Secure wp-config.php

sudo chmod 400 public_html/wp-config.php
Sets wp-config.php to read-only for owner only (most secure).

📊 Permission Comparison Table

Location Standard (Development) Hardened (Production) Purpose
Core WP Directories 770 (rwxrwx---) 550 (r-xr-x---) WordPress core folders
Core WP Files 660 (rw-rw----) 440 (r--r-----) WordPress core files
wp-content Directories 770 (rwxrwx---) 770 (rwxrwx---) Themes, plugins, uploads
wp-content Files 660 (rw-rw----) 660 (rw-rw----) Theme/plugin files
wp-config.php 660 (rw-rw----) 400 (r--------) Configuration file

🔄 Visual Permission Flow Diagram

Development Stage Directories: 770 Files: 660 Site Setup Complete Production Stage Core: 550/440 wp-content: 770/660 Updates Needed Temporarily restore 770/660 permissions After Updates

⚙️ Best Practices and Recommendations

During Site Setup (Initial Configuration)

After Site Completion (Production)

⚠️ Important Warnings

🔧 Automation with WP-CLI

Advanced Tip: This entire permission management process can be automated using WP-CLI and bash scripts. This allows you to:

Consider taking a WP-CLI course to learn advanced automation techniques for WordPress server management.

📝 Summary Checklist

Task Command When to Apply
Set Ownership sudo chown -R username:username public_html/ Always (both dev and prod)
Standard Directories sudo find ... -type d -exec chmod 770 {} \; Development/Setup Phase
Standard Files sudo find ... -type f -exec chmod 660 {} \; Development/Setup Phase
Hardened Core Directories sudo find ... -type d -exec chmod 550 {} \; Production Only
Hardened Core Files sudo find ... -type f -exec chmod 440 {} \; Production Only
wp-content Directories sudo find .../wp-content/ -type d -exec chmod 770 {} \; Always (both dev and prod)
wp-content Files sudo find .../wp-content/ -type f -exec chmod 660 {} \; Always (both dev and prod)
Secure wp-config sudo chmod 400 wp-config.php Production Only

🎯 Final Recommendations

Key Takeaway: The permission scheme you choose should balance security with functionality. Start with standard permissions during setup, then transition to hardened permissions for production environments.

Remember: