Wordpress, File Ownership and Permissions

I was wondering if someone might be able to provide some quick and dirty advise with the setup of my first linode. I've tried to look up as much as I can but haven't really been able to find definitive guidance on this particular point.

In any event, what I've tried to do is to set up a site using CentOS, PHP (with APC and Suhosin), nginx, mysql and Wordpress. I've tried to follow the linode tutorials as closely as possible along the way, including the security stuff like creating a new user and disabling root and cobbling together some iptables rules.

As for users, what I did was to create a new user "smith". Tried to add him to the "sudo" group per the tutorial, but wasn't able to do because I think the tutorial was for Debian or Ubuntu. Anyway, when I looked up the groups there didn't seem to be a "sudo" group so I used visudo and added smith to the "root" group. I'm not quite sure that was right but assumed that it was what I needed to do.

So I logged out and back in as smith and went on my merry way, sudoing to and fro to setup the various bits and pieces. I now have Wordpress seemingly up and running, but it doesn't seem quite right. For one, when I SFTP in as smith, I couldn't upload or delete any plugins or themes. I also can't enable SSH2 in Wordpress to update, delete or install plugins - error connecting or some such thing.

So now I'm thinking I may have done something along the way that has messed up either file permissions or ownership. I've tried googling but opinions seem to be all over the map on this - some say do X, while others say, no, doing X will introduce a big fat security hole. Can anyone perhaps point me to a guide (or even give some guidance) as to whether file permissions and ownership should be changed? I'd very much appreciate it. Following are the permissions currently. The base install of Wordpress is at /srv/www/my.site.com/public_html/.

drwxr-xr-x 5 nginx nginx 4096 Aug 14 06:22 public_html

Then within public_html, everything is

-rw-r--r-- 1 root  root

Except for directors, including wp-content, which are all like this:

> drwxr-xr-x 9 root root 4096 Aug 14 00:33 wp-admin

This is also the same with everything in the wp-content directory. The plugins and themes directory have the same ownership and permission as above - everything owned by root:root, 755 on all directories, 644 on all files. Same thing when I go one level deeper into plugins.

Perhaps needless to say, but the permissions of course don't let me FTP any new plugins up or delete existing ones. However I find this odd given I've stayed as close as I can to the tutorials.

Can anyone provide some guidance here? I'm not quite sure if some things should be set to be owned by smith, or if smith should be added to another group, or if some things should be owned by nginx or what.

Any thoughts on this would be most appreciated.


5 Replies

Host the files in /home/smith and make sure the files are owned by smith.

chown -R smith:smith public_html

Typically files are owned the user whose home directory the files are being hosted from, and that user should be quarantined to writing within its respective home directory until higher permissions are granted.

OK - thanks for the guidance.

I was facing a similar problem. This is how I solved it.

1. Gave all rights to the main group. In my case group is "nginx"

2. Created one ftpuser and made it part of a group "nginx".

3. Change the ownership of site folder to ftpuser. Also, gave read/write/execute access to ftp user.

4. Set folder permissions to 755 and file permissions to 644.

5. Gave 755 permission to /wp-content.

6. Gave 754 permission to /wp-content/uploads

These steps solved the problem.

Thanks very much amitb. I ended up doing something quite similar but with different names. However, I decided to set permissions as 775 for directors and 664 for files, then added the user id to the group that is used by nginx. I imagine that probably opens up some security issues, so I might change back.

One question: If you have rwx to ftpuser, would that not prevent you from updating contents and plugins within the WP admin interface given the permissions you've set?


I am new to Linux and Linode and am working through this problem with my wordpress set up right now. Can you link to the documentation/tutorials which explain how to do each of those steps?

I've looked for how to setup ftpuser but have only found warnings against using ftp.



Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct