- root folder storing all the WordPress content
- wp-admin
- wp-content
- wp-includes
When you setup WP, the webserver may need write access to the files.
chown www-data:www-data -R * # Let Apache be owner find . -type d -exec chmod 755 {} \; #Change directory permissions rwxr-xr-x find . -type f -exec chmod 644 {} \; #Change file permissions rw-r--r--
ll files except for wp-content should be writable by your user account only. wp-content must be writable by www-data too.
chown: -R * # Let your useraccount be owner chown www-data:www-data wp-content # Let apache be owner of wp-content
To protect your site against a security hole in some .php script attack you should to the following:
All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process.
/
The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
/wp-admin/
The WordPress administration area: all files should be writable only by your user account.
/wp-includes/
The bulk of WordPress application logic: all files should be writable only by your user account.
/wp-content/
User-supplied content: intended to be writable by your user account and the web server process.
Within /wp-content/ you will find:
/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
/wp-content/plugins/
Plugin files: all files should be writable only by your user account.
Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary. More..