Question about 775 permissions on folders - security risk?

Keywords: WordPress - AWS - Technical issue - Permissions

bnsupport ID: 57cbce3b-6842-c621-5897-87139e2b9e70

bndiagnostic output:

? Apache: Found possible issues
? Resources: Found possible issues
? Php: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/
https://docs.bitnami.com/installer/faq/linux-faq/administration/increase-memory-linux/
https://docs.bitnami.com/general/apps/wordpress/configuration/configure-phpfpm-processes/

bndiagnostic failure reason: the tool is great, but I couldn’t find feedback related to this

Description:
Hello,

So… I’ve encountered an issue when updating plugins on a Lightsail WP instance with Bitnami, it kept giving this error:
“The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions.”

I found the answer in the following topics to this issue and solved it by setting 775 to wp-content folders:


My question now is - isn’t it a security risk setting the folders permission in wp-content to 775?

My website has been under attack for some time now, I’ve taken several security measures so I wanted to make sure setting 775 permission to make the plugin updates work doesn’t pose such a big security risk.

I know that by setting 775 basically anyone accessing a malicious script on my website will be able to write in those folders.

Can you please help?

Thank you!

Best,
Chris

Hi @chrisx

Thanks for using Bitnami WordPress!

> I found the answer in the following topics to this issue and solved it by setting 775 to wp-content folders:

I have read the threads but could not find any instructions there to set 775 to the wp-content folders. In general, they mention granting write permissions to the group (daemon, chmod -R g+w), which should be totally fine. Furthermore, one of them mentions the possibility of setting 777 instead, and one of our agents replies that this is something we don’t recommend:

Having said that, let me bring up the fact that those threads date from 2007 and 2006 respectively. We now have the process documented in a guide:

https://docs.bitnami.com/google/apps/wordpress/administration/understand-file-permissions/

> My question now is - isn’t it a security risk setting the folders permission in wp-content to 775?

Not really, let’s break it down to see :slightly_smiling_face:

  1. As the guide mentions, files and directories are owned by user bitnami and group daemon
  2. Directories are configured with permissions 775 by default. More info about this permissions mode here.

This means that the user and group will have read, write and execute permissions. In contrast, others will not have write permissions, only read and execute ones. In order to be able to search or even access folders, you need execute permissions. That is why you see everyone has this.

  3. Files are configured with permissions 664 by default.

This means that the user and group will have read & write permissions, while others will only have the former.

> I know that by setting 775 basically anyone accessing a malicious script on my website will be able to write in those folders.

If you set a regular file to 775 permissions, anyone in your system will be able to execute that file. But bear in mind that the default (and recommended) configuration does not set this, but rather encourages following stricter policies.

Best regards,
Jose Antonio Carmona


Was my answer helpful? Click on :heart:
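
An added example, not part of the replies above and not Bitnami's own tooling: a shell audit that checks a wp-content tree against the scheme described in the answer (directories 775, files 664) and lists anything looser. The function names and the path argument are assumptions; only POSIX `find` is used.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the scheme in the answer above
# (directories 775, files 664). Function names are illustrative.

# Anything "others" can write to, e.g. a directory left at 777.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Regular files carrying any execute bit, e.g. a file set to 775 instead of 664.
executable_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Every entry whose mode is not exactly the baseline for its type.
off_baseline() {
    find "$1" \( -type d ! -perm 0775 -o -type f ! -perm 0664 \) -print
}

# Run as: ./audit.sh /path/to/wp-content   (path supplied by the caller)
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    echo "== world-writable ==";         world_writable "$1"
    echo "== files with execute bit =="; executable_files "$1"
    echo "== not 775/664 ==";            off_baseline "$1"
fi
```

Empty output from all three sections means the tree matches the 775/664 layout; ownership (user bitnami, group daemon) is not checked here.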

Hello @jcarmona

I see your points. If folders are 775 and files are 664 it means that we should be safe then.

Thank you for your help!

Best,
Chris

Glad to see you were able to solve your issue! We are marking the previous answer as “Solution” and this topic as “Closed”.

If you have any other questions, please do not hesitate to let us know. Feel free to create a new topic referencing this one if necessary.

Best regards,
Jose Antonio Carmona

