Technical guide on standardizing Linux file and directory permissions for WordPress. Learn to use the find command via SSH to apply 755 and 644 masks on your Hovixa VPS.
Standardizing File and Directory Permissions (755/644) via SSH
On a Hovixa VPS, maintaining the correct permission mask is a fundamental security requirement. Incorrect permissions, such as 777 (world-writable), allow any user or malicious script on the system to modify your code. The industry standard for WordPress is 755 for directories and 644 for files. This ensures that the web server can traverse directories and read the files in them, while only the owner has the authority to modify the content.
1. Understanding the Permission Octals
Linux permissions are represented by three digits: Owner, Group, and Public (World).
- 755 (Directories): `rwxr-xr-x`. The owner can Read, Write, and Execute. Others can only Read and Execute (necessary to enter the directory).
- 644 (Files): `rw-r--r--`. The owner can Read and Write. Others can only Read.
2. Bulk Applying Permissions via the 'find' Command
Using chmod -R is often too blunt, as it applies the same permission to both files and directories. To standardize correctly, we use the find command to target specific types of objects within your web root (e.g., /var/www/html).
Step 1: Set Directory Permissions to 755
find /var/www/html/ -type d -exec chmod 755 {} \;
Step 2: Set File Permissions to 644
find /var/www/html/ -type f -exec chmod 644 {} \;
3. Ownership: The Missing Half of the Equation
Permissions are useless if the Owner is incorrect. On a Hovixa VPS running Nginx or Apache, the web server user (usually www-data) must own the files to allow for automatic updates and media uploads.
# Change ownership to the web server user
sudo chown -R www-data:www-data /var/www/html/
4. Permission Comparison Table
| Target | Standard | Security Level | Reasoning |
|---|---|---|---|
| Directories | 755 | Secure | Allows traversal and reading. |
| Standard Files | 644 | Secure | Prevents public modification. |
| wp-config.php | 600 or 440 | High | Hides DB credentials from other users. |
| Any Folder | 777 | CRITICAL RISK | Allows anyone to inject malware. |
5. Technical Implementation Details
- The Sudo Requirement: If you are logged in as a non-root user, you must prefix these commands with `sudo` to modify files owned by the system or other users.
- Special Files: Certain files require tighter security. As discussed in previous guides, `wp-config.php` should ideally be set to `600` (read/write only for owner) or even `400` (read-only for owner).
- Execution Speed: On large sites with hundreds of thousands of images, the `find` command may take a few moments. Using `+` instead of `;` at the end (e.g., `{} +`) can speed up the process by passing multiple files to a single `chmod` instance.
Sysadmin Advice: After applying these permissions, test your WordPress dashboard by uploading a dummy image. If the upload fails with a "Missing temporary folder" or "Permission denied" error, it usually indicates that ownership (chown) was not applied correctly to the `wp-content/uploads` directory.
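To confirm the result of the steps above, here is an added example (not part of the original guide): a read-only audit that lists every path under a web root that is world-writable, deviates from 755/644, or is a `wp-config.php` looser than the 600/400/440 modes this page mentions. The names `audit_perms` and `AUDIT_COUNT` are hypothetical, and file names are assumed not to contain newlines.

```bash
#!/bin/sh
# Added example: audit a web root against the 755/644 standard.
# audit_perms and AUDIT_COUNT are hypothetical names, not from the guide.
# The audit only reads metadata; it never changes a mode or an owner.

audit_perms() {
    local root="$1" report
    report="$(
        {
            # World-writable directories or files (the 777 case in the table).
            find "$root" \( -type d -o -type f \) -perm -002 \
                | sed 's/^/WORLD-WRITABLE /'
            # Directories that are not exactly 755.
            find "$root" -type d ! -perm -002 ! -perm 755 \
                | sed 's/^/DIR-NOT-755 /'
            # Regular files that are not exactly 644.
            # wp-config.php is excluded here and checked on its own below.
            find "$root" -type f ! -name wp-config.php ! -perm -002 ! -perm 644 \
                | sed 's/^/FILE-NOT-644 /'
            # wp-config.php must use one of the tighter modes the page lists.
            find "$root" -type f -name wp-config.php ! -perm -002 \
                ! -perm 600 ! -perm 400 ! -perm 440 \
                | sed 's/^/WPCONFIG-LOOSE /'
        } 2>/dev/null
    )"
    if [ -z "$report" ]; then
        AUDIT_COUNT=0
        return 0          # clean: nothing deviates
    fi
    printf '%s\n' "$report"
    AUDIT_COUNT="$(printf '%s\n' "$report" | wc -l | tr -d ' ')"
    return 1              # deviations found
}

# Run the audit only when a web root is given, e.g.: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

A non-zero exit status means at least one path deviates, so the script can be scheduled and wired to an alert after deployments or plugin updates.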