I recently had to move a bunch of WordPress sites. WordPress, generally, is terribly insecure. Here are my notes for configuring and hardening WordPress. Certainly these measures are incomplete. I gathered them from several sources. I write them here, for posterity, and so I don’t forget in the future.

First, normalise permissions from the site root (regular files 644, directories 755):

find ./ -type f -exec chmod 644 {} \;
find ./ -type d -exec chmod 755 {} \;

Add to /wp-content/uploads/.htaccess so nothing uploaded there can be run as PHP:

# Kill PHP Execution
# The <Files> wrapper is assumed here: it limits the deny to PHP files,
# so images and other uploads are still served.
<Files *.php>
    deny from all
</Files>

Add to the site root .htaccess to stop wp-config.php from being served directly (the <Files> wrapper is assumed; without it the deny would apply to the whole site):

<Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    order allow,deny
    deny from all
</Files>

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

AddHandler application/x-httpd-php56 .php .php5 .php4 .php3

And of course:

chmod 660 wp-config.php
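The steps above are easy to apply once and then drift out of shape as plugins and uploads arrive, so the following script, an added example that is not from the original post, applies them to a WordPress document root and audits the result. It assumes the standard layout (wp-config.php at the root, wp-content/uploads beneath it) and that the web server runs as the owner or group of wp-config.php, which mode 660 requires for PHP to read the file. The uploads rule uses FilesMatch rather than a plain `*.php` match because the AddHandler line above also maps .php3, .php4 and .php5 to the PHP handler, and those must be blocked too; the `Order`/`Deny` directives are Apache 2.2 syntax, with the 2.4 equivalent noted in a comment. Function names and the audit logic are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the permission and
# .htaccess hardening described above to a WordPress document root, then
# audit it. Assumes wp-config.php at the root and wp-content/uploads below it.
# Usage: wp_harden_perms /var/www/site; wp_write_uploads_htaccess /var/www/site; wp_audit /var/www/site

# Normalise modes as in the post (files 644, directories 755), then tighten
# wp-config.php to 660 because it holds the database credentials.
wp_harden_perms() {
    root="$1"
    find "$root" -type f -exec chmod 644 {} \;
    find "$root" -type d -exec chmod 755 {} \;
    [ -f "$root/wp-config.php" ] && chmod 660 "$root/wp-config.php"
    return 0
}

# Write the uploads/.htaccess that stops Apache executing PHP from uploads.
# FilesMatch also covers the .php3/.php4/.php5 extensions that the
# AddHandler line in the post maps to the PHP handler.
wp_write_uploads_htaccess() {
    root="$1"
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# Kill PHP Execution
<FilesMatch "\.(php|php[3-7]|phtml)$">
    # Apache 2.2 directives; on Apache 2.4 replace both lines with "Require all denied"
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Helper: run find with the given path and expression, print any hits to
# stderr under a label, and echo the hit count on stdout.
_report() {
    label="$1"; shift
    hits=$(find "$@")
    if [ -z "$hits" ]; then
        echo 0
        return 0
    fi
    printf '%s:\n%s\n' "$label" "$hits" >&2
    printf '%s\n' "$hits" | wc -l
}

# Audit the tree against the post's rules; return the number of findings
# (0 means clean), so it can gate a deploy or run from cron.
wp_audit() {
    root="$1"
    n=0
    n=$((n + $(_report "file not 644" "$root" -type f ! -name wp-config.php ! -perm 644)))
    n=$((n + $(_report "directory not 755" "$root" -type d ! -perm 755)))
    if [ -f "$root/wp-config.php" ]; then
        n=$((n + $(_report "wp-config.php not 660" "$root/wp-config.php" ! -perm 660)))
    fi
    if [ -d "$root/wp-content/uploads" ]; then
        # A PHP-like file under uploads deserves investigation even when the
        # .htaccess stops it from executing.
        n=$((n + $(_report "PHP file under uploads (investigate)" "$root/wp-content/uploads" -type f -name '*.php*')))
        if ! grep -qiE 'deny from all|require all denied' "$root/wp-content/uploads/.htaccess" 2>/dev/null; then
            echo "uploads/.htaccess missing or does not block PHP" >&2
            n=$((n + 1))
        fi
    fi
    echo "$n finding(s)" >&2
    [ "$n" -gt 255 ] && n=255   # exit codes are 8-bit
    return "$n"
}
```

Run the audit before and after the hardening functions; a non-zero exit means something in the tree no longer matches the post's rules, and the listed paths on stderr say what.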