What file and directory permissions should I use for my web files?
This article details the correct permissions for your hosting files and directories. We have other articles on Understanding file and directory permissions and also how to use cPanel File Manager to set permissions.
Files
Files should always be uploaded and set to chmod 644. The only important exceptions to this are:
- PHP files that contain sensitive information - e.g. configuration files containing database usernames and passwords (WordPress's wp-config.php for example). For security reasons, these files should be chmod 600 - in fact, it won't hurt to set all PHP web scripts to chmod 600. The files don't need the execute bit set because they are interpreted by PHP.
- Scripts that are run from the shell command line or crontab using the required shebang (PHP, Perl or Python) - such files should be chmod 700 because they are actually being executed directly by your Linux user account.
- Scripts that are run from the cgi-bin or other directory as a CGI script using the required shebang - should be chmod 700 because they are also executed directly by your Linux user account.
- .htaccess file - these files can be chmod 644, but a more secure solution is to set them chmod 444 (effectively read-only). This offers more protection against some simple file injection attacks.
Whenever you upload files using cPanel File Manager, those files will be set to chmod 644 automatically. Unless your FTP software has been specially configured to set uploaded files to different permissions, newly uploaded files will also be set to chmod 644 automatically.
Directories
Directories should always be uploaded and set to chmod 755.
Whenever you upload files using cPanel File Manager, directories will be set to chmod 755 automatically. Unless your FTP software has been specially configured to upload directories with different permissions, newly created directories will also be set to chmod 755 automatically.
What if the installation notes for my PHP web application say otherwise?
Software developers are often more interested in making their software work than in the security of your website. You might be told that directories should be chmod 777 or even that files need to be chmod 755, but if you are just talking about a PHP-based website then PHP files will operate just fine with chmod 600 or chmod 644.
The reason for this is that LiteSpeed serves PHP files via the suEXEC CGI. This means that PHP files are served under your cPanel username's security context. And because your username owns your web files, you only have to grant Read and Write permissions to the owner (thus, chmod 600).
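The audit script below is an added example, not part of the original article or Krystal's own tooling: it lists every path under a web root whose mode differs from the permissions recommended in the Files and Directories sections, which also surfaces any chmod 777 directories left behind by installer instructions. It assumes GNU find (for -printf) and treats wp-config.php as the only sensitive configuration file name; the function name audit_webroot is hypothetical.

```shell
#!/bin/sh
# Added example: report paths whose mode differs from the article's
# recommendations. Assumes GNU find (-printf), as on Linux hosting.

# Test run by find on each remaining file: true if it starts with "#!".
HAS_SHEBANG='head -c 2 -- "$1" | grep -q "^#!"'

# audit_webroot DIR
# Prints "MODE<TAB>want EXPECTED<TAB>PATH" for every mismatch, nothing if clean.
# Each branch matches one class of path; inside the parentheses an accepted
# mode ends the check silently, otherwise -printf reports the path.
audit_webroot() {
    find "$1" \
        -type d \
            \( -perm 755 -o -printf '%m\twant 755\t%p\n' \) -o \
        -type f -name wp-config.php \
            \( -perm 600 -o -printf '%m\twant 600\t%p\n' \) -o \
        -type f -name .htaccess \
            \( -perm 644 -o -perm 444 -o -printf '%m\twant 644|444\t%p\n' \) -o \
        -type f -exec sh -c "$HAS_SHEBANG" sh {} \; \
            \( -perm 700 -o -printf '%m\twant 700\t%p\n' \) -o \
        -type f -name '*.php' \
            \( -perm 644 -o -perm 600 -o -printf '%m\twant 644|600\t%p\n' \) -o \
        -type f \
            \( -perm 644 -o -printf '%m\twant 644\t%p\n' \)
}

# Stand-alone use: sh audit.sh /path/to/public_html
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

The script only reports; review each line before changing a mode, since other PHP configuration files holding credentials may also warrant chmod 600.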
If in doubt, and you want your site to be as secure as possible, please log a support ticket via your Krystal Client Area.