Drupal is an open source PHP written content management system. In other words, the source codes in Drupal are rewritable by everyone. If the Drupal file permissions aren’t set properly, it becomes really convenient for hackers to gain access to these files and then manipulate them. Setting your file permissions right does not guarantee to shield you from all the attacks on your website, but it will definitely secure your website from some common attacks. Also, it is a great addition to the security measures already active on your website. Hence, we welcome you to this super helpful article on how to set secure File Permissions on your website.
What is Drupal File Permissions?
Contrary to popular belief, Drupal File permission is not a module, in fact, it is a set of drush commands on Drupal. These set of commands are bundled together for easy downloading with the help of drush DI command. The installation of these commands could be done by :
- Downloading module to your
~/.drushfolder, for example:
drush @none dl file_permissions-8.x. You can also do the downloading any other way and then copy it to the folder~/.drush. - Running
drush cc drushto clear Drush cache.
To run the module, use command drush fp.
How to Set Secure File Permissions in Drupal?
We already discussed that to keep your files secure, you need to have the best achievable Drupal file permissions handy.
But first, let us get this clear as to what permissions are to be given and to whom. Well, You need to give permissions to read(r), write(w) and execute(x) files and directories. This permission is more frequently converted to a code in which r=4, w=2, x=1. Technically there are three permissions need to be granted each for the owner, the group and the users. Generally, the creator of the file is the owner, the web server is the group and everyone else is the user. The complete power of setting the Drupal file permissions is reserved with the owner. Further, Drupal file permissions are set in each file and directory. (To know more about the process of these permissions visit Drupal.)
Coming to the issue of getting your security permissions in place, we need to set these permissions in a way so that only the owner (i.e. you) have the permissions to r, w & x while the group(web server) have the permissions to r,w & x and everyone else has no power at all.
Setting Drupal File Permissions by FTP program
For Directories
These are the File Permissions that we are going to set for your Drupal store.
For all directories, we’re going to set it to 770
Related Guide – Drupal Security Guide (Give Your Drupal website rock-solid security, Reduce chances of getting hacked by almost 90% )
Here’s how you can do it by an FTP program in these few Simple Steps:
- Log into your account Via FTP.
- Navigate to the folder where Drupal is installed. Ex: (/path/to/your/drupal/install/)
- Right click on the folder where your Drupal is installed, click the File Permissions option in the menu.
- Once you click on the option, a new window will open. In the Numeric value field, input the value “770”.
- Then enable the Recurse into sub-directories option. In the list seen below, select the checkbox titled “Apply to directories only”.
- Once ready, click the OK button.
- The process may take several minutes for a large number of files.
For Files
For All Files, we’re going to set it to 640
Here’s how you can do it
- Right click on the folder where your Drupal is installed, click the File Permissions option in the menu.
- Once you click on the option, a new window will open. In the Numeric value field, input the value “640”.
- Then enable the Recurse into subdirectories option. In the list seen below, select the checkbox titled “Apply to files only”.
- Once ready, click the OK button.
- The process may take several minutes for a large number of files.
Setting permissions by command
We can also change the settings for our Drupal website using commands. Here is how-
For directories
Use command-
ls -al
drwxr-xr-x
This set up will allow you (the owner) to read-write-execute, the server to read-execute and others to read-execute.
For files
Use command –
ls -al
-rw-r–r–
This set up will allow you (the owner) to read-write, the server to just read and others to just read as well.
Fixing Drupal 8 permissions
Moving on to the permissions in the latest version of Drupal i.e. Drupal 8. The Taxonomy access control module is updated to a more nuanced version named Permissions by term module in Drupal 8. It offers extended powers to the admin to control the access of nodes on the basis of user & user’s role.
To install the Permissions by term (pbt) module you can do either of the following:
- The module can be installed via Drush or Drupal Console. E.g. with command Drush: drush en permissions_by_term -y
- To do this manually, one can follow the process as: Download module from project page > Copy on your project’s “module” folder > Go to module management page (/admin/modules) and enable it.
Now, set the permissions for each user and each role in your website as required.
NOTE: The administrator with Id-(1) has access to all the nodes by default.
Drupal Settings PHP permissions
The settings.php file is where the database configuration is defined in Drupal. It resides inside the sites/default/files directory. For your Drupal site to run efficiently, you need to give Drupal the permissions to r,w & x in the directory and in settings.php.
The directory sites/default and the file setting.php should have permissions such that it is writable by the server. To achieve this run the following command-
For directory
ls -l sites/
Permission on sites/default should be 755 [drwxr-xr-x]:
ls -l sites/default/settings.php
For file
Permission on settings.php should be 644 [-rw-r–r–]:
chmod 644 sites/default/settings.php
Note: If you are in the same group as the web user, then changing the permissions to 664 will be sufficient.
Do the above mentioned set up for your Drupal file permissions and you are good to go. Hope this article was helpful for you.
Astra Security Suite for Drupal
Astra offers rock solid Web Application Firewall & Immediate Malware Cleanup for your Drupal website. Astra firewall is tailored for Drupal & stops attacks like SQL Injection, XSS, SEO Spam, Redirection Malware, SEO Spam, Bad Bots & 100+ attacks in real time.