[wp-trac] [WordPress Trac] #44190: Codex hardening guide recommends insecure permissions
WordPress Trac
noreply at wordpress.org
Tue May 22 15:53:37 UTC 2018
#44190: Codex hardening guide recommends insecure permissions
--------------------------+-----------------------------
Reporter: SimbaLion | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 4.9.6
Severity: major | Keywords: needs-codex
Focuses: |
--------------------------+-----------------------------
https://codex.wordpress.org/Hardening_WordPress#Core_Directories_.2F_Files
This guide falsely recommends 755 and 644 as permissions. But this is
completely wrong.
For a hardened system the permissions should be 770 or 750 or 700 for
directories (depending on server configuration), and files should be 660
or 640 or 600. wp-config.php especially should be set 'o-rwx' at a
minimum, which the hardening guide makes no mention of.
The practice of allowing 'others' read access dates back to the 1980s and
a philosophy of openness on multi-user systems. It has no place in 2018 in
a single-user environment like most webhosts.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44190>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
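As an added example (not part of the ticket or of WordPress itself), a POSIX shell audit that lists every file or directory under a site root still granting "others" any access, checks wp-config.php against the o-rwx rule the reporter asks for, and applies the fix; the sample tree is constructed inline and the function names are the example's own.

```shell
#!/bin/sh
# List every file or directory under $1 on which "others" has r, w or x.
# A tree hardened as the ticket describes (750/700 dirs, 640/600 files)
# produces no output at all.
wp_audit_others() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print | sort
}

# Number of entries that still expose something to "others".
wp_count_others() {
    wp_audit_others "$1" | wc -l | tr -d ' '
}

# Returns 0 when wp-config.php has no "others" bits at all (o-rwx).
wp_config_is_private() {
    [ -z "$(find "$1/wp-config.php" -prune \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)" ]
}

# Apply the ticket's recommendation: strip all "others" bits recursively.
wp_strip_others() {
    chmod -R o-rwx "$1"
}

# Constructed sample tree mixing Codex-style 755/644 entries with hardened ones.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-admin"
    : > "$dir/wp-config.php"
    : > "$dir/index.php"
    : > "$dir/wp-content/uploads/a.jpg"
    chmod 755 "$dir" "$dir/wp-admin"                       # Codex guide: others can traverse
    chmod 750 "$dir/wp-content" "$dir/wp-content/uploads"  # hardened
    chmod 644 "$dir/index.php"                             # Codex guide: world-readable
    chmod 640 "$dir/wp-config.php"                         # hardened: o-rwx
    chmod 660 "$dir/wp-content/uploads/a.jpg"              # hardened
    printf '%s\n' "$dir"
}
```

Stripping the "others" bits only works when the web server process runs as the file owner or as a member of the owning group, which is the "depending on server configuration" caveat in the ticket; on hosts where PHP runs as a separate unprivileged user, removing o+r takes the site offline.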