Restrictive File Permissions

What are the most restrictive file permissions I should use if I do not intend to use any of WordPress’s auto-updating functionality? All the recommendations I find online assume you want WordPress to be able to write to its own files for auto updates… I don’t. When an update becomes available, I manually test it and deploy it using version control (for core as well as plugins and themes). I already added the following to my wp-config.php:

define( 'DISALLOW_FILE_MODS', true );
define( 'DISALLOW_FILE_EDIT', true );
define( 'AUTOMATIC_UPDATER_DISABLED', true ); 
define( 'WP_AUTO_UPDATE_CORE', false );

1 Answer

Generally speaking, if you don’t want WordPress to update itself or any plugins, don’t give the web server write permissions to any of the WordPress files outside of folders like wp-content/uploads.

You’ll need to be careful with this and test thoroughly, though, as some plugins, like WordFence, have folders they need to write to for logs and definition updates.

Example: If your web server user is apache, you could change the file ownership to another user, and set group permissions to the web server.

# Change Ownership of files and folders for entire install
chown -R <youruser>:apache /path/to/wordpress/install

# Make sure you set ownership of files and folders you want WordPress to upload to back to the web server user
chown -R apache:apache /path/to/wordpress/install/wp-content/uploads

# Set file and folder permissions to remove write from group
find /path/to/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/wordpress/install/ -type f -exec chmod 644 {} \;
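
Added example (not part of the original answer): a POSIX shell check that lists every path the web server could still modify after applying an ownership scheme like the one above. The function name and its arguments (install root, web server user and group, allowlisted directories) are assumptions to adapt to your install.

```shell
#!/bin/sh
# Added example, not from the original answer. The arguments (root, web user,
# web group, allowlist) are assumptions to adapt to your own install.

# audit_wp_writable ROOT WEB_USER WEB_GROUP [ALLOWED_DIR...]
# Prints every file or directory under ROOT that the web server could modify:
#   - owned by WEB_USER with the owner-write bit set,
#   - owned by group WEB_GROUP with the group-write bit set, or
#   - world-writable.
# ALLOWED_DIR entries are relative to ROOT (e.g. wp-content/uploads) and are
# skipped entirely, since they are meant to stay writable.
audit_wp_writable() (
    root=${1%/} web_user=$2 web_group=$3
    shift 3
    # Turn each allowlisted directory into "-path DIR -prune -o" for find.
    for dir in "$@"; do
        set -- "$@" -path "$root/${dir%/}" -prune -o
        shift
    done
    find "$root" "$@" \
        \( -type f -o -type d \) \
        \( \( -user "$web_user" -perm -0200 \) \
           -o \( -group "$web_group" -perm -0020 \) \
           -o -perm -0002 \) \
        -print | LC_ALL=C sort
)

# Usage: sh audit.sh /path/to/wordpress/install apache apache wp-content/uploads
if [ "$#" -ge 3 ]; then
    audit_wp_writable "$@"
fi
```

Empty output means no path outside the allowlist is writable by the web server through owner, group, or world mode bits; ACLs are not checked. Any plugin directory that legitimately needs write access will show up here and can be added to the allowlist deliberately.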
