When it comes to improving the security of a WordPress website, installing security plugins is usually considered as the best practice that every WordPress website must follow. However, people don’t pay much attention to setting up file permissions and ownership of a WordPress site.

But remember that, file permissions and ownership are crucial elements that help ensure the overall security of a website. And, not setting up them properly can cause fatal errors and can compromise the security of your site and make it susceptible to attack.

Through this post, I’ll provide a detailed insight on setting up proper file permissions and ownerships in a WordPress site: what exactly do we mean by file permissions and ownerships and how to properly set them up. I’ll also share with you the different type of WordPress file configurations and how they differ from each other.

Using Terminal For Changing Permissions and Ownerships Over FTP Client

As you read through this post, in several sections, you’ll find that terminal is used for changing permissions and ownerships. But, probably a few of you might wonder why can’t you use an FTP Client to serve such a need? The reason that we’ll not be using the FTP client is that it comes with certain limitations.

Wondering what?

While it’s true that the FTP Client can help in transferring files and changing the permissions of files and folders, but it refrains users from changing the ownerships settings. Now, before you begin to setup your file permissions and ownerships, be sure about getting logged-in into your server using the “SSH” command. If you’re not familiar with using Linux commands, then you can have a better understanding of the same by going the article: “Introduction to Linux Commands.”

Understanding the Difference Between Groups and Users

One important concept that you need to become familiar with before getting down to anything technical is the difference between users or groups. That’s because, both users and groups are closely related and are used to define permissions.

The user is basically an account having access to a computer system, while a group that help identify a set of users. What this means is that at the time whenever you need to transfer your files using an FTP client, you’ll need to get logged in with your main server – using your user account. And based on how your web host has set up your user account, you might be a part of one or more groups.

In essence, you can consider “Users” and “Groups” to be just like WordPress users roles. Both of these concepts are same in a contextual manner, however, the former is being used on the server.

What makes users and groups important is that they help in recognizing identifying files and folder privileges. Any user, who is the owner, of a particular file usually have complete privileges on that file; a few other users belonging to the same group as the owner will have lesser privileges to the file. Lastly, everyone else won’t be having any privileges on the file.

What Exactly Does File Permissions Mean?
So now that you’ve come to know about a few basic aspects of file permissions and ownerships, let us now talk about what exactly do we mean by WordPress file permissions.

In simple terms, permission is something that makes users authorized to read, write, modify and access different files and directories, belonging to a website. In WordPress, permission is normally highlighted by a set of different numbers, such as: 644 or 777. These numbers are also referred to as “permission mode”.
If you’re a programmer and have worked on WordPress files and plugins before, then you most likely would have stumbled across a situation wherein: a certain program asks to change the permissions associated with some specific files and directory, since they cannot be configured by a plugin. Put it simply, in order to give your web server the ability to access anything from a file, you’re required to change the file’s permission.

Oftentimes, permission mode in WordPress are being referred to as a statement: “who can do what”, to which every single numeric value (of the permission mode) represents the “who” part of that statement.

• The first numeric value corresponds to what can a user account having ownership of the file can do.
• The second numeric
  value corresponds to what all other user accounts – that are a part of the group that owns the file – can do.
• The third numeric value represents
  what leftover user accounts can do.

Next, in the permission mode the numbers represent
the “what” part of the programming statement, and is basically the “sum of the combinations” of the following digits:

• 4: Read a file, or the many different names of the files placed in a particular folder
• 2: Write a file or modify it, or allow modifying the contents of a specific folder.
• 1: Executes a file or run it, or help provide access to the files inside a particular folder.

 
The above mentioned digits are actually the privileges that are associated with the “who” part of the permission mode.
Note: Permissions can vary from one host to the other.

Understanding How You Should Modify the Permission Modes

An FTP client provides an interface that allows to change the permissions of all the files and folders in a highly convenient manner. The interface of the FTP client looks something like:

You can even make changes to the permission mode of your WordPress website files using the server’s terminal, but you must-have access to the terminal. Apart from having access to the terminal, you can make use of the “chmod” command for making the desired changes to permission modes of a particular file as well:

sudo chmod 644

Now, for making modification to all of the files (and folders) of your site, you’ll have to use the chmod command together with the find command, as follows:

sudo find . -type f -exec chmod 644 {} +

A Look at the WordPress Server Configurations

Before you start to make changes to your WordPress file permissions, it’s very important for you to become familiar with the process of setting up the server first. You can find many different server configurations that requires a distinct set of permission modes to make a WordPress site work in a proper and secure manner. But, I’ll be sharing only two of the most important and commonly used configurations and how you can set up proper file permissions for those configurations.

1. Standard Server Configuration – This WordPress configuration does not have any relationship between the user account and web server. This is because the configuration requires that the web server must run as any other user account. Before we start with the process of setting up permissions for the files for the standard server configuration, we must make some adjustments to the ownerships of files and folders taking into account the following considerations:

• your user account must own all the files and folders of a WordPress install.
• your user account and another user account of your web server should be part of the same group.

You can find out the group that your user accounts are associated with, using the “groups” command within your server’s terminal. And, to figure out the groups that your web server is a part of use the following PHP script:

echo exec( ‘groups’ );

If you come across a situation where your user and the web server belongs to a different group, then you can add a user to any group of your web server, by using the below provided command in the terminal:

sudo usermod -a -G <a-the-group-name> mygroup

In order to ensure that your user account has access to all the things of your WordPress folder and belongs to the newly created shared group, simply run the below mentioned command within the folder of your WordPress install:

sudo find . -exec chown mygroup:a-the-group-name {} +

Abiding by all of the aforementioned commands will ensure that all the files and folders of your WordPress site have correct ownership. Lastly, all you have to do is to make adjustments to the file and folder permission mode. To do so, you must keep the following key points in mind:

• All files are required to have 664 permission mode.
• All folders are required to have 775 permission mode.
• The permission mode of the wp-config.php file ought to be 660.

 
Use either an FTP client for modifying the permission modes, or simply use the below mentioned commands within your WordPress install directory to serve such needs:

sudo find . -type f -exec chmod 664 {} +
sudo find . -type d -exec chmod 775 {} +
sudo chmod 660 wp-config.php

2. Shared Server (Or SuEXEC) Configuration: Compared to the standard WordPress server configuration, the permissions for the shared server configuration can be implemented in a remarkably easier way. This is because, we don’t need to emphasize on setting up the ownership since the web server owns the files and folders. This means that both our user account and web server are the owners, and have same privileges. And so, all we have to do is to modify the permission modes considering the below listed key points:

• all the files ought to be 644.
• all your folders ought to be 755.
• And the permission mode of wp-config.php file should be 600.

 
To change the permissions of the files and folders, simply use the following commands in your WordPress website directory:
sudo find . -type f -exec chmod 644 {} +
sudo find . -type d -exec chmod 755 {} +
sudo chmod 600 wp-config.php

Final Words

One more important thing that you must consider is to avoid using the ‘777’ permission mode since it allows anyone to get access to the list of files, and enables to make modifications to any file in the folder. It’s pretty obvious that giving access privileges of a file to everyone is not good for your website security, as malicious users can place code in the file that can compromise your site’s security.

Hope that the post will make you better understand about the correct way to set up the file permissions and ownerships of your WordPress website.

Author Biography:
Jack Calder is a master in Web development technologies. He has successfully completed so many projects on time. Right now he is a PSD to WordPress Conversion service provider for some potential clients for SKT Themes.

With the rise of modern information technology and the proliferation of cybersecurity breaches happening, being able to detect attacks in your network has become quite the necessity. Cybercriminals certainly aren’t slacking.

Every day, they come up with all manner of new strategies that they can use to infiltrate a vulnerable network. In such an environment, your top priority should be to take preventative measures rather than reactive ones. You should be able to sniff out an attack long before it happens.

However, that’s easier said than done because, as it turns out, one of the most difficult and expensive endeavors to embark on is monitoring your system’s activity to prevent network attacks. It doesn’t have to be that way, however. You need to have a good idea of the best ways to handle it.

Ultimately, the main thing that matters to stopping network attacks before they get out of hand is transparency. You need to increase visibility in your network so that you can see more of and consequently stop more often. That’s what we’re going to be looking at today: tips on how to increase visibility in your network with Syslog.

1. Always Be Vigilant :

At its very core, Syslog is no more than a standard whose job is to log system messages. It is much more useful than that in practice, however, as it gives us a way to abstract the system messages in such a way that we can separate the systems that store and analyze source software from the source software itself. This makes it possible for us to be very flexible and control the kind of low-level detailed communication that takes place in our networks.

One of the reasons why it makes sense to get syslog services from a cloud provider, rather than do it yourself, is that you can be overwhelmed by the sheer volume of messages coming from the different devices on a network when you’re monitoring your infrastructure. You’ve got network appliances, storage appliances, servers, desktops, printers and so on. All these devices are pumping out logs, most of them rather cryptic and you’re probably wondering where you should start.

The answer to that question becomes simple once you remember the whole purpose of syslog in the first place, which is to increase visibility. If you want to maximize the visibility you are getting out of your logging environment, then you should have at least one centralized log repository and deploy it. This is what infrastructure monitoring services do. The log repositories act as dynamic organizers and managers of the messages flowing out of your system. With this highly organized aggregation and analysis of your system logs, you will be able to solve your problems in real time, but you will also be able to collect vital information that will help you to prevent future attacks.

We can’t get into the specifics associated with setting up a remote logging server, but that doesn’t mean the process isn’t straightforward. You need to find the -/etc/syslog.conf- file on your most critical devices once you initialize the server and then get the file to point to the repository you have just created. That way all messages are funneled through to that repository. All these messages come in as plain text files, so it’s a good idea if you tunnel them through SSH port 514.

2. Catching the Threats :

So, you have a central place where you are collecting system messages. You should now have a way to analyze these messages that is automated. The messages are usually tagged with the facility and severity, which means it’s very easy to sort them. This is where a third-party logging system helps since it can filter out logs from various devices, such as network appliances, for such things as internet protocols (IPs) you do not recognize, dropped packets, port scanners and lots of other things that hint at malicious behavior.

Now all you need to do is configure any messages that report suspicious IPs or dropped packet floods to trigger notifications automatically and the resolutions that follow. A third party log analyzer will have these triggers already integrated and probably connected to your email or text messaging. The resolution measures, such as port switching, IP blocking and alterations to the firewall can also be set up to respond in a times manner to deal with attacks.

Try to configure each solution effectively. You should figure out the usefulness of the information you are getting from each device that you make a priority. The highest priority devices should be the most visible.

Ultimately, most of the information you need to protect your network is already being generated by your network. All you need to do is organize it and make it visible.

Steps to increase WordPress security have been detailed

WordPress is a highly designed and curated content management system that serves as a platform to run online businesses for innumerable companies. However, the high design and development of WordPress in the web world still don’t immune the platform from security attacks from unauthorized users or hackers.

No matter how well organized is your WordPress security system, there is always a chance of breach of security that might affect your business affairs on the site.

Don’t stress already. There are several WordPress security measures that can be applied to ensure that the hackers trying to break into and take over your website are having a hard time doing it. Most chances are that after applying these methods, your WordPress site will be safe from unauthorized use.

Before we have a look at the ingenious tips to augment your WordPress security, let us discuss what is the importance of applying these methods.

The most common way through which hackers attack your website is via your login system. Although WordPress has good login security system, there are ways through which hackers can get into your admin dashboard and do damage to your website that has irreparable consequences.

You might lose customers, goodwill, and brand image. Not just that, you might also lose private and confidential information that might not only cost you but also your trusting customers some damages.

Hackers mostly log in to your website using two ways:

● Brute force attack
● Stealing login credentials

Brute force attack is the repeated and logical guessing of login id and password combinations to pass through your website until the hacker gets it right. Which the other way is by simply stealing your login credentials by other means.

It is thus, extremely important to protect your business by ensuring precautions with your WordPress site by exercising the following WordPress security tips.

1. Change of default username and password

There is one set of default username and password assigned to admins by WordPress when you launch your website on WordPress. The most common mistake that people do is keep using this default username and password for their login credentials.

This is the easiest way for a hacker to get into your system and create havoc. Use of these default credentials is exposure of your website to danger constantly, at all times. Brute force Technique is what hackers use in such cases to break in. The simple solution to this problem is to simply change your username and password.

You can go two ways for this process. You can either create a new admin username and password and delete the old default ID and password, or, you can change the username using PHPMyadmin.

To do this, you just have to go and login to cPanel and navigate to PHPMyadmin. There you have to select your WordPress database and look for WP_users. There you have to press edit and start changing your user login details. It’s that simple.

2. Limit the number of login attempts

Letting your settings be the way where a hacker can try brute force attack by trying to login innumerable times on your WordPress website, is not a smart way to go. the logical way is to limit the number of login attempts one can have while logging into your WordPress website.

A plugin like Limit Login Attempt can help you block login attempts that is more than the authorized number of time. This plugin also lets you know how many times a hacker has tried to log in to your WordPress website.

Brute force attacks are stopped through this method, as well as you get the information to analyze unauthorized activities on your website.

3. Whitelist IP addresses

You can also ensure that only some specific IP addresses can access log in to your WordPress website. IP addresses are unique and thus it is easy to stay protected with whitelisting some IP addresses, only those which you want to have authority to login.

IP addresses are almost impossible to replicate. So it will become a huge task for your hacker to ever be able to attempt a login to your WordPress system. This process is extremely simple. All you have to do is add a few lines of code to. htaccess file in your WordPress system and you are ready to go.

4. Disable theme and plugin editors

Black hat coders can take advantage of the fact that WordPress allows people to change themes and plugin files directly through the administration area. Taking advantage of this fact, hackers can get access to your WordPress dashboard and create havoc of damages and loss to your precious business WordPress website.

A very simple and easy trick to avoid this phenomenon from occurrence is to keep your WordPress theme and plugin editor turned off unless you want to use it yourself. To do this, you just have to add this code- define( ‘DISALLOW_FILE_EDIT’, true ); to your wp_config.php file and you are good to go.

5. Add two-factor authentication to log in – A simple technique to ensure no unauthorized user gets into your WordPress website is to enable two-factor authentication to your WordPress website login system.
It is much safer than using just a password to get through your website. Physical access to get to your device will be required by any hacker to ever be successful in his endeavor. There are a variety of tools available to enable two-factor authentication to your WordPress website.

Conclusion

It is not very difficult to harness WordPress security tips to protect your business website. The method is pretty simple once you know the tools and tricks to save your site from unauthorized access. What makes it tricky is knowing what exactly you have to focus on while applying these tricks and apply them with accuracy.

You need to know what kind of security attack is your website prone to and defend it accordingly. Focusing efficiently on your login screen for security can help you escape major security breach incidents. Having a stronghold and understanding of your website and what it needs as well as well versed knowledge of these tricks can help you keep your website safe and sound.

Related articles:

Ways to protect website from hackers

Protect WordPress website against DDOS attacks

Tips to secure WordPress website against vulnerabilities

As a webmaster, you want the world to have access to your website. That’s especially true if you have a product or service to sell.

However, there are reasons why you may want to restrict access to your website. If you happen to operate a landscaping company in British Columbia, Canada, then you’re probably not interested in generating interest from potential customers in the Philippines. Broadcasting your website to the world and allowing other countries to index it is a waste of bandwidth.

Allowing worldwide access to your website is a bad idea for other reasons. As Privacy Australia notes, many hacking and phishing schemes are conducted by bad actors in other countries.

Which Countries Have the Most Hackers?

According to Security Today, the countries that have the most hackers are China, Turkey, Russia, Brazil and the U.S. Depending upon where your company is located, you may want to block access from any or all of these countries.

If you have customers in these nations, then blocking access won’t work. Instead, you’ll have to beef up website security. Some of these steps may include:

-Keeping your software up to date

-Installing any pertinent security plug-ins

-Employing HTTPS

-Making all passwords complex

-Using Content Security Policy

-Securing File Permissions and Directories

Whether you’ll be blocking access from certain countries or not, the above list of security protocols is critical to protecting your website.

What Is .htaccess?

Suppose that you have identified users from a country that you suspect are trying to hack or otherwise undermine your website. You’re located in Canada, and the website visitors have IP addresses that originate in Turkey. Your business does not operate in Turkey, you have no customers there and you’re worried that you’re being targeted for an attack.

What can you do?

The answer may lie in .htaccess. This configuration file is used on web servers that run Apache Web Server software. The .htaccess file is loaded onto the server software where it is subsequently executed. These files can be used to disable or enable numerous functions and features.

Among the capabilities of .htaccess is blocking website visitors from unwanted IP addresses. Here is an example of the code you would create to restrict visitors from certain IP addresses from being able to access your website:

order allow,deny

deny from 255.0.0.0

deny from 124.35.6

allow from all

Accordingly, all visitors with either the IP address 255.0.0.0 or 124.35.6 will be denied access. Notice that in the second denied IP address, the fourth set of numerals is missing. All IP addresses that begin with “124.35.6” will be blocked regardless of the content of the fourth set of digits.

The next time that someone from a blocked IP address tries to access your website, they will receive an error message that says “403 Forbidden.”

What If You Have a Long List of IP Addresses to Block?

Any hacker worth their salt isn’t going to use just one IP address. They may use several, and many hackers now work out of farms. A webmaster can block one IP address, but the same bad actor just pops up a few minutes later with a new IP address.

Adding each IP address to the “deny” list in your coding is time-consuming and likely to be a losing battle. Fortunately, you may be able to make use of some alternatives.

Some webmasters who are really concerned about being targeted by hackers in another country are getting memberships for service providers such as Country IP Blocks. This Internet-based service allows users to choose specific countries that they would like to block from accessing their website. It’s possible to select multiple countries at a time and what kind of restriction protocol, including .htaccess, should be used.

After making selections, the website generates code that can be copied into the user’s website to prevent web browsers from certain countries from accessing the website. Comprehensive in scope, this is an efficient shortcut when compared to having to painstakingly enter IP addresses one by one.

Options for People Who Don’t Want to Use .htaccess

.htaccess configuration files are fairly helpful when it comes to limiting access to a website. However, it’s not necessarily the most effective or efficient method.

IP2Location may be a reasonable alternative. This company sells IP geolocation databases as well as offering a free and extensive database firewall list. Organized by country, it’s possible to choose to allow everyone in the IP address list to access your website or to ban them. If you sign up for a free account, you can block as many as 30 countries. Choose the selection Apache .htaccess deny from the menu, which gives you an appropriate text file to upload the directory on your homepage.

BlockACountry.com is another website that may be useful if you have several websites to protect. After signing up for a free membership, you enter a website address and select which countries you would like to block. This enables you to download the appropriate block list.

Your Web Host May Be Able to Help

The better your web host, the more secure your website is going to be. If you’re using shared hosting, then there may be little that your host can do to block IP address from particular countries. Although you may have access to a control panel, you may not have networking controls because any changes you made might affect all of the other websites that are hosted on the same server.

Still, you may be able to add certain IPs to your firewall. This also is the case with bare metal servers. You have complete control over this server, but you may not have control over how the back end is routed.

When it comes to blocking certain countries from accessing your website, you have many options. One or a combination of these options may help to protect your website from a hacker.

In this page, this article guides you the way to effortleSSLy get an SSL certificate for free to your WordPress internet site and set it up all with the help of yourself.

Nowadays, most of the search engines suggest all non-SSL web sites as insecure because of this in case if you do not use an SSL certificate on your internet page then you will surely lose the client’s faith.

As the SSL certificate allows defending your internet site information, it’s certainly a demand for accepting transactions on the internet.

Typically, paid SSL certificates are mostly high-priced.

In case you are simply beginning a weblog or creating a DIY commercial enterprise internet site, you may probably need to maintain expenses low.

There are a couple of methods to get a free SSL certificate to lessen your internet site price.

About the SSL?

SSL stands for Secure Sockets Layer.

It’s a web protocol for securing information exchange among the client’s browser and the internet site they may be in connection with, each internet client transfers data once they go to web sites.

This data can frequently be confidential like transaction information, credit card facts, or login credentials.

The use of the regular HTTP protocol indicates this data may be hijacked through hackers.

That is why SSL or HTTPS was made for.

Web sites want an SSL certificate free issued through any of an identified certificate issuing authority.

This certificate is proven and highlighted within the client’s browser link bar with a padlock symbol and HTTPS in place of HTTP. Link bar displaying SSL secure padlock icon with HTTPs.

Do you want an SSL certificate for My WordPress webpage?

SSL / HTTPS is usually recommended for all web sites on the internet.

But, it’s certainly required for all internet sites that acquire client data like login information, transaction facts, credit cards, and even more.

In case you are owning an e-trade shop, a membership internet site, or require the client to login, you then want to get a best free SSL certificate immediately.

Maximum web transaction activities require your internet site to apply SSL/HTTPs earlier than you could obtain money.

Aside from protection, SSL certificate additionally creates an advantageous influence of your company amongst your clients.

Google additionally recommends the usage of SSL, and studies indicate that SSL-enabled web sites rank a little better in search engines.

Final suggestion but not so least, in case your internet site does not use a free SSL certificate, then Google Chrome will display your clients that your internet site doesn’t seem secure.

And no longer secure label displayed in the Google Chrome web browser.

This icon impacts your fame, name and client’s faith for your internet site.

How Does SSL certificate function?

Now that you got to know about the SSL and why is it essential, you are probably thinking how does an SSL certificate truly run?

SSL protects data utilizing encrypting the information transfer among a client’s browser and the internet site.

Whilst a client visits an SSL/HTTPs internet site, their browser first verifies if the internet site’s SSL certificate is available.

If it entirely succeeds out, then the browser makes use of the internet site’s public key to encrypt the information.

This information is then despatched back to the appropriate server (internet site) in which it gets decrypted by the usage of the public key and a mysterious personal key.

What is the price of an SSL certificate?

The price of SSL certificate differs from one certificate authority to others.

Their pricing may be almost among $50-200 / 12 months.

A few companies provide add-on features with their certificate which may additionally affect the fee of your SSL certificate.

In case you are going to buy an SSL certificate, then it is recommended to make use of the providers which are considered one of the biggest domain name registration providers within the market, and that they provide the pleasant deal on SSL certificate.

They provide considerable SSL certificate plans beginning from $35.99 / 12 months, and it comes with a $10,000 protection warranty together with the TrustLogo website seal.

After successfully getting an SSL certificate, you could ask your web hosting issuer to install it for you.

However earlier than you do this, you ought to test to look if you could get the SSL certificate at no cost.

How can you get an SSL certificate at no cost?

A variety of internet site owners are reluctant to make use of SSL because of the extra fee.

This left many small web sites at risk of information and information robbery.

A non-profit service referred to as Let’s Encrypt determined to repair this by setting up a price free certificate authority.

The motive of this certificate authority is to make it simpler for internet site owners to get a price free SSL certificates.

Internet may turn into a type of safe place if an increasing number of web sites begin the usage of SSL.

Because of the importance of the service, it instantly earned the aid of predominant organizations like Google, FB, Shopify, WordPress.com and plenty of others.

The competition is that putting in the free SSL certificate by way of Let’s Encrypt for a starter client is somewhat tough as it needs programming skills and server systems understanding.

However, all the fine WordPress web hosting organizations are providing free SSL certificate with all their website hosting plans (a few are making use of lets Encrypt).

Selecting any of these vendors will help you from the trouble of integrating the free SSL certificate WordPress on your very own.

Right here are the famous WordPress website hosting organizations that provide SSL certificate for free with their website hosting plans.

• Bluehost
• SiteGround
• WPEngine
• Dreamhost
• InMotion hosting
• And even more…

In case you are already utilizing any of these web-hosting providers, then you may switch on your free SSL certificate Godaddy from the web hosting dashboard.

Just log in for your web hosting account’s cPanel dashboard and scroll down to the ‘security’ option(s) and activate an SSL certificate for free from cPanel.

WordPress has been often under fire for being insecure. And it is good to see that team at WordPress has taken this up seriously.

WordPress releases version 3.5.2 they focused on many security fixes and exploits.

In recent WordPress release they went up ahead and fixed even more.

As suggested by Andrew Nacin on WordPress releases 3.6.1 version .

Although in this WordPress release all the CSRF vulnerabilities weren’t fixed however they fixed the file upload CSRF vulnerability.

On another note all the themes on SKT can automatically be upgraded to version 3.6.1 as they have been found to be fully compatible with.

All the custom codes inside your WordPress themes and plugins shouldn’t get affected by this update since it only holds certain fixes for security.

It is however suggested only for people who run WordPress 3.5 and above to update to latest version. Previous version WordPress users should always first back up their WordPress before upgrading and should rather upgrade to 3.5 first and then upgrade to latest version.

Regards,
SKT Themes Team