
Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#44190 closed defect (bug) (invalid)

Codex hardening guide recommends insecure permissions

Reported by: SimbaLion
Owned by:
Milestone:
Priority: normal
Severity: major
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

https://codex.wordpress.org/Hardening_WordPress#Core_Directories_.2F_Files

This guide falsely recommends 755 and 644 as permissions. But this is completely wrong.

For a hardened system the permissions should be 770 or 750 or 700 for directories (depending on server configuration), and files should be 660 or 640 or 600. wp-config.php especially should be set 'o-rwx' at a minimum, which the hardening guide makes no mention of.

The practice of allowing 'others' read access dates back to the 1980s and a philosophy of openness on multi-user systems. It has no place in 2018 in a single-user environment like most webhosts.
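As an added illustration (not part of the ticket, the Codex page, or WordPress itself): a POSIX shell audit that lists every path under a WordPress root on which 'others' still hold any r/w/x bit, checks wp-config.php against the o-rwx minimum described above, and applies the 750/640 variant of the recommendation. WP_ROOT and the fixture tree are constructed placeholders; the group-based variant assumes the web server user is in the site owner's group.

```shell
#!/bin/sh
# Constructed fixture path standing in for a real WordPress document root.
WP_ROOT="${TMPDIR:-/tmp}/wp-perm-audit.$$"

# Build a small tree with the Codex defaults (755 dirs, 644 files) so the
# audit has something to flag. Everything here is constructed sample data.
make_fixture() {
  mkdir -p "$WP_ROOT/wp-content/uploads"
  printf '<?php // constructed wp-config.php\n' > "$WP_ROOT/wp-config.php"
  printf '<?php\n' > "$WP_ROOT/index.php"
  : > "$WP_ROOT/wp-content/uploads/photo.jpg"
  find "$WP_ROOT" -type d -exec chmod 755 {} +
  find "$WP_ROOT" -type f -exec chmod 644 {} +
}

# Print every path under $1 on which 'others' hold any r, w or x bit.
# "-perm -o+r" (all listed bits set) is POSIX and works on GNU and BSD find.
world_accessible() {
  find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) | sort
}

# Number of such paths, with wc's padding stripped for arithmetic use.
count_world_accessible() {
  world_accessible "$1" | wc -l | tr -d ' '
}

# 0 when wp-config.php carries no 'others' bits (the ticket's o-rwx minimum),
# 1 when it still does, 2 when the file is missing.
wpconfig_hardened() {
  f="$1/wp-config.php"
  [ -f "$f" ] || return 2
  [ -z "$(world_accessible "$f")" ]
}

# Apply the ticket's 750/640 variant: the web server reaches content through
# the group, 'others' get nothing, and wp-config.php becomes owner-only.
harden_tree() {
  find "$1" -type d -exec chmod 750 {} +
  find "$1" -type f -exec chmod 640 {} +
  chmod 600 "$1/wp-config.php"
}

# Stand-alone run: show the findings, harden, and confirm the list is empty.
make_fixture
echo "world-accessible before: $(count_world_accessible "$WP_ROOT")"
world_accessible "$WP_ROOT"
harden_tree "$WP_ROOT"
echo "world-accessible after:  $(count_world_accessible "$WP_ROOT")"
rm -rf "$WP_ROOT"
```

Point world_accessible at a live document root to get the same listing for an existing site; the 770/700 and 660/600 choices from the ticket are the same edit with different group bits.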

Change History (2)

#1 @JPry
2 years ago

  • Keywords needs-codex removed
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.9.6 deleted

Hi @SimbaLion, welcome to Trac!

Trac is used for the WordPress core code. The Codex is an entirely separate wiki that is editable by anyone, which means you can create an account and make edits directly. Take a look at https://codex.wordpress.org/Help:Contents to start with. You're welcome to add to the Codex if you feel that it is missing information.

> This guide falsely recommends 755 and 644 as permissions. But this is completely wrong.

This is not completely wrong. It very clearly mentions that these are default recommendations, and it also mentions that the permissions can be set to be more restrictive. I would recommend that you only add your own information about further hardening rather than removing anything that is currently there.

#2 @swissspidy
2 years ago

  • Component changed from Security to General
  • Milestone Awaiting Review deleted

Note that you don't even need to create an account. Your existing WordPress.org account (SimbaLion) works on the Codex as well.
