#44190 closed defect (bug) (invalid)
Codex hardening guide recommends insecure permissions
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | major | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
https://codex.wordpress.org/Hardening_WordPress#Core_Directories_.2F_Files
This guide falsely recommends 755 and 644 as permissions. But this is completely wrong.
For a hardened system the permissions should be 770 or 750 or 700 for directories (depending on server configuration), and files should be 660 or 640 or 600. wp-config.php especially should be set 'o-rwx' at a minimum, which the hardening guide makes no mention of.
The practice of allowing 'others' read access dates back to the 1980s and a philosophy of openness on multi-user systems. It has no place in 2018 in a single-user environment like most webhosts.
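As an added example that is not part of the ticket or of the Codex page it cites: a small POSIX shell audit that lists every path under a WordPress root with any 'other' bit set, tightens the tree to the 750/640 scheme the ticket describes, and checks that wp-config.php grants nothing to 'other'. The sample tree it builds, the 600 mode chosen for wp-config.php (one value from the ticket's 660/640/600 range), and the function names are this example's own assumptions; the web server's user must be in the file group for 750/640 to work on a real host.

```shell
#!/bin/sh
# Added example, not from the ticket or the Codex hardening page.
# Audits a WordPress tree for 'other' access bits and tightens it to
# 750 (directories) / 640 (files) / wp-config.php 600. The 600 for
# wp-config.php is this example's choice within the ticket's range.

# Print every path under ROOT that has any r, w or x bit set for 'other'.
list_world_accessible() {
    root="$1"
    find "$root" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print
}

# Print how many such paths exist (0 means nothing is exposed to 'other').
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# Tighten the tree: directories 750, regular files 640, wp-config.php 600.
# Run as the file owner (or root) with the web server user in the group.
tighten_perms() {
    root="$1"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Return 0 if wp-config.php exists and grants nothing to 'other', else 1.
check_wp_config() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    [ -z "$(find "$cfg" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)" ]
}

# Constructed sample tree using the Codex defaults (755/644), so the audit
# has something to report; a real run points at the actual document root.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-content/uploads"
    : > "$root/wp-config.php"
    : > "$root/index.php"
    : > "$root/wp-content/uploads/photo.jpg"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone demo: report the count before and after tightening.
run_demo() {
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "before: $(count_world_accessible "$demo") path(s) readable by 'other'"
    tighten_perms "$demo"
    echo "after:  $(count_world_accessible "$demo") path(s) readable by 'other'"
    rm -rf "$demo"
}

run_demo
```

On the constructed tree the audit reports 6 paths (three directories and three files) before tightening and 0 afterwards; pointing `list_world_accessible` at a live document root gives the list of what a co-tenant process on the same host could read.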
Change History (2)
Hi @SimbaLion, welcome to Trac!
Trac is used for the WordPress core code. The codex is an entirely separate wiki that is editable by anyone, which means you can create an account and make edits directly. Take a look at https://codex.wordpress.org/Help:Contents to start with. You're welcome to add to the Codex if you feel that it is missing information.
This is not completely wrong. It very clearly mentions that these are default recommendations, and it also mentions that the permissions can be set to be more restrictive. I would recommend that you only add your own information about further hardening rather than removing anything that is currently there.