One of the main problems with security on directory trees for HTTPS servers is this: if you allow the user that runs the server read/write access at all times, you are bound to get hacked. If you disallow write access to all but the temporary, cache and upload directories, the chance of getting hacked is far smaller.
I wrote a script that changes the permissions and ownership of a SITE directory quickly and in an automated way. The script reads instructions from a file, then sets the permissions and ownership of files and directories accordingly. The script can also delete files (such as files left over after an upgrade, e.g. readme.txt).
This script is most useful for Joomla and WordPress administrators.
There are ways to update a WordPress site without giving READ/WRITE access to the user running the web server, using define('FS_METHOD', 'ssh2');, but this has been really buggy lately, as shown in https://core.trac.wordpress.org/ticket/39746. There are also inconsistencies in the code base.
So I wrote the attached script. It lets you define instructions for what to do with certain directories relative to a SITE directory (normally the root of the server tree).
You would execute the script for locking (i.e. making the tree non-writeable by the server and writeable by developers) like so:
/PATH_TO_DIR/permission_update -l -s /PATH_TO_SITE/htdocs/
You would execute the script for an update (i.e. making the tree writeable by both the server and developers) so you can update the site from the admin panel:
/PATH_TO_DIR/permission_update -u -s /PATH_TO_SITE/htdocs/
You can also define different locations for the update and lock instruction files, like so:
/PATH_TO_DIR/permission_update -u -s /PATH_TO_SITE/htdocs/ -uf /PATH/UPDATE_FILENAME
or
/PATH_TO_DIR/permission_update -l -s /PATH_TO_SITE/htdocs/ -lf /PATH/LOCK_FILENAME
Below is the instruction file I use for locking the directory tree of a standard WordPress site. It removes write access for the SERVER to the whole tree except the directories required for a functioning WordPress site. It also deletes some files you do not want, e.g. license.txt, which contains the WordPress version. You would normally put this file, named permission_update_lock.txt, into the root of the SITE tree.
# First lock everything -------------------
perms,ro,DEVELOPER,SERVERUSER,index.php
perms,ro,DEVELOPER,SERVERUSER,wp-activate.php
perms,ro,DEVELOPER,SERVERUSER,wp-blog-header.php
perms,ro,DEVELOPER,SERVERUSER,wp-comments-post.php
perms,ro,DEVELOPER,SERVERUSER,wp-config.php
perms,ro,DEVELOPER,SERVERUSER,wp-cron.php
perms,ro,DEVELOPER,SERVERUSER,wp-links-opml.php
perms,ro,DEVELOPER,SERVERUSER,wp-load.php
perms,ro,DEVELOPER,SERVERUSER,wp-login.php
perms,ro,DEVELOPER,SERVERUSER,wp-mail.php
perms,ro,DEVELOPER,SERVERUSER,wp-settings.php
perms,ro,DEVELOPER,SERVERUSER,wp-signup.php
perms,ro,DEVELOPER,SERVERUSER,wp-trackback.php
perms,ro,DEVELOPER,SERVERUSER,wp-admin
perms,ro,DEVELOPER,SERVERUSER,wp-content
perms,ro,DEVELOPER,SERVERUSER,wp-includes
# now open the ones we need ----------------
perms,rw,DEVELOPER,SERVERUSER,wp-content/themes/THEME/css-compiled
perms,rw,DEVELOPER,SERVERUSER,wp-content/upgrade
perms,rw,DEVELOPER,SERVERUSER,wp-content/uploads
# now delete the ones we do not need/want ------------
delete,readme.html
delete,wp-config-sample.php
delete,license.txt
delete,xmlrpc.php
This is the instruction file I use for updating the directory tree of a standard WordPress site. It allows write access for the SERVER to all directories in the tree that need to be updated.
You would normally put this file, named permission_update_update.txt, into the root of the SITE tree.
perms,rw,DEVELOPER,SERVERUSER,index.php
perms,rw,DEVELOPER,SERVERUSER,wp-activate.php
perms,rw,DEVELOPER,SERVERUSER,wp-blog-header.php
perms,rw,DEVELOPER,SERVERUSER,wp-comments-post.php
perms,rw,DEVELOPER,SERVERUSER,wp-config.php
perms,rw,DEVELOPER,SERVERUSER,wp-cron.php
perms,rw,DEVELOPER,SERVERUSER,wp-links-opml.php
perms,rw,DEVELOPER,SERVERUSER,wp-load.php
perms,rw,DEVELOPER,SERVERUSER,wp-login.php
perms,rw,DEVELOPER,SERVERUSER,wp-mail.php
perms,rw,DEVELOPER,SERVERUSER,wp-settings.php
perms,rw,DEVELOPER,SERVERUSER,wp-signup.php
perms,rw,DEVELOPER,SERVERUSER,wp-trackback.php
perms,rw,DEVELOPER,SERVERUSER,wp-admin
perms,rw,DEVELOPER,SERVERUSER,wp-content
perms,rw,DEVELOPER,SERVERUSER,wp-includes
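To show how an instruction file in this format is interpreted, here is an added Python example (my own illustration, not the author's script): it parses the perms/delete lines shown above, applies them under the SITE root in file order, so the later rw lines reopen what the earlier ro lines locked, and refuses any path that resolves outside the SITE tree. The mode values (0640/0750 for ro, 0660/0770 for rw), the dev/www owner and group names, and the mini tree built by demo() are assumptions of this example.

```python
import shutil
import tempfile
from pathlib import Path
MODES = {"ro": (0o640, 0o750), "rw": (0o660, 0o770)}  # assumed (file, dir) modes per access word

def parse_instructions(text):
    """Parse 'perms,ro|rw,OWNER,GROUP,path' and 'delete,path' lines into tuples."""
    actions = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = [x.strip() for x in raw.split(",")]
        if f[0] and not f[0].startswith("#"):        # skip blank lines and comments
            if not (f[0] == "perms" and len(f) == 5 and f[1] in MODES or f[0] == "delete" and len(f) == 2):
                raise ValueError(f"line {n}: cannot parse {raw!r}")
            actions.append(tuple(f))
    return actions

def apply_instructions(site, actions, chown=False):
    """Apply in file order (later lines win); chown needs root, so it is off by default."""
    site, result = Path(site).resolve(), {}
    inside = lambda p: p == site or site in p.parents    # stays under the SITE root?
    for action in actions:
        target = (site / action[-1]).resolve()
        if not inside(target):                             # refuse ../ or symlink escapes
            raise ValueError(f"{action[-1]!r} escapes {site}")
        if action[0] == "delete":
            shutil.rmtree(target) if target.is_dir() else target.unlink(missing_ok=True)
            result[str(target)] = None
            continue
        file_mode, dir_mode = MODES[action[1]]
        for p in [target, *target.rglob("*")] if target.is_dir() else [target]:
            if p.is_symlink() or not inside(p.resolve()):  # never chmod through a link
                continue
            mode = dir_mode if p.is_dir() else file_mode
            p.chmod(mode)
            if chown:
                shutil.chown(p, action[2], action[3])
            result[str(p)] = mode
    return result

def demo():
    """Lock a constructed mini site tree in a temp dir and report the resulting modes."""
    site = Path(tempfile.mkdtemp())
    (site / "wp-content" / "uploads").mkdir(parents=True)
    for name in ("wp-content/index.php", "license.txt"):
        (site / name).touch()
    text = "perms,ro,dev,www,wp-content\nperms,rw,dev,www,wp-content/uploads\ndelete,license.txt"
    apply_instructions(site, parse_instructions(text))
    mode = lambda rel: (site / rel).stat().st_mode & 0o777
    return (mode("wp-content"), mode("wp-content/index.php"),
            mode("wp-content/uploads"), (site / "license.txt").exists())
```

Run with chown=True as root to also apply the DEVELOPER/SERVERUSER ownership; without root the example only changes modes.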
Download the script (Size: 7.44 KB), save it to a location of your choice, e.g. /usr/local/bin/permission_update_script.txt, remove the "txt" extension and chmod it to 0750.
Also, do not edit the files in Notepad: the files come from a UNIX-based OS, so the line endings are "\n" only.