Sanjeev Sabhlok's notes on technology, hardware, gardening

WordPress security solution > File permissions for files and directories > An end to hacking

Addendum: This post covers it all, very systematically: 27 Ways to Secure WordPress Website

(Btw, my WP installations – around 20+ in all – have been 100 per cent secure for nearly 6 months now, I think I’m getting the hang of it all, but fingers crossed. 24 Feb 2016)



find . -type f -exec chmod 644 {} +

CHANGE ALL DIRECTORY PERMISSIONS ON A SERVER. The good thing is it won’t “loosen” files set to tighter permissions

find . -type d -exec chmod 755 {} +

(This second one doesn’t work on my server, so need to go into each directory and implement command)



See this. My latest security steps below:

STEP 1. Backup, Backup and Backup!

With functional backups someone could erase everything and you would be back online in hours. backup daily in at least two different physical locations.

STEP 2: Change The “Admin” User

Malicious person will guess the name of the admin and try thousands of password combinations. If the admin user in your blog is called “admin”, well, you just facilitated things a lot. Change admin username to something REALLY COMPLEX. It is not enough that the admin password be complex. Both should be complex. I’ve used random password generators.

STEP 3: Ensure the right permissions

All files



wp-config.php should be 600. (If the server doesn’t work, then try 660. If that doesn’t work, try 664. But never more generous than this.)


.htaccess should be 644


../index.php 755.

readme.html    0400 [this file gives away the version of WordPress. Delete that file – it is not necessary]

Same with licence.txt

All folders.


755 permission mode.


In order to perform write operations to a directory the permission mode can change to 777.

/ root folder ../ 750

all files should be writable only by your user account.

/wp-admin/ The WordPress administration area: all files should be writable only by your user account.
/wp-includes/ The bulk of WordPress application logic: all files should be writable only by your user account.
/wp-content/ User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:

Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.

Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Advice from WordPress |Advice | Further advice | Other advice

STEP 4: Install security plugins



BulletProof Security

Chap Secure Login (this encrypts the password)

Lockdown WordPress Admin (this ensures that no one can log in using wp-admin directory. Give the path a unique, different name)

Secure WordPress

WordPress File Monitor

WordPress Firewall (this is really good – and wards off a lot of SQL attacks)

WP Plugin Security Check

WP Security Scan

Three more plugins:

Step 5: Change the original codes in wp-config.

Change the table prefix

Step 6. Obscure Your WordPress Version

By default WordPress broadcasts to the world the version that you are running.  Add the following code to the functions.php file of your theme:

function hide_wp_vers()
return ”;


Step 7: Disable Folder Browsing

Ensure that .htaccess disables folder browsing. Include this line

Options -Indexes

Alternatively, upload a blank index.html page inside each folder.

Additional stuff

Kinds of attacks:

Here’s how hackers might be breaking in through a backdoor:

Here’s more:

Here’s more instruction on how hackers might be working:

Some (not very special) guidance on setting passwords:

useful guidance:



View more posts from this author

Leave a Reply

Your email address will not be published. Required fields are marked *