PHP Security

Recommended PHP File Permissions

Updated on: July 31, 2020

Recommended PHP File Permissions

PHP security is of prime importance, as it is the most widely used language for server-side scripting. PHP files contain HTML, CSS, and PHP code which builds your software or website. You can do everything from the collection of data to the generation of dynamic page content using PHP.

One of the easiest safety measures to put in place, yet one that makes a world of difference is to set PHP file permissions. Overlooking PHP file permissions can lead to serious vulnerabilities that can lead to hack or a data breach! Read on to find out what they are and how you can set them.

What are PHP file permissions?

As the name suggests, PHP file permissions are a guide for a file with respect to who can do what to it. Setting up file permissions not only ensures that unauthorized users are kept at bay, but that all loopholes where your site can be accessed are closed. This makes your website less vulnerable to predators who are waiting for an opportunity to steal your data.

Permissions follow octal numbering. That means, digits in PHP file permissions can take values from 0-7, where each digit has a significance or meaning. Here is a table of permission values:

0000No read, write, or execute permissions
1001Only execute permission.
2010Only write permission.
3011Only write and execute permissions.
4100Only read permission.
5101Only read and execute permissions.
6110Only read and write permissions.
7111Read, write, and execute permissions.

As you can see, the leftmost binary bit stands for “read”, the middle bit stands for “write”, and the rightmost bit stands for “execute” permissions.

These permissions are allotted to the owner, to groups, and to everyone else, from left to right. Here are some common permissions to set up and what they mean:

600Read and write permissions for the owner, no permissions for the others.
644Read and write permissions for the owner, read permission for the others.
740Read, write, and execute permissions for the owner, read permissions for the owner's group, and nothing for the others.
755Read, write, and execute permissions for the owner, read and execute permissions for the others.

How can you set up PHP file permissions?

While developing a software or a website, the file permissions usually go unchanged from the default settings.

The fopen() function not only opens an existing file, it can also create a new file for you with certain permissions, which are set by default if left unspecified. PHP also offers some other functions like checking and changing file permissions.

Here are a few simple steps that can save you time, money, and resources by blocking out any malicious users who can take advantage of your unmodified file permissions:

1. Plan what permissions you want to assign to your file users.

Map existing file users to the level of access they require and provide them with permissions accordingly. A good security practice is to follow the principle of least privilege, which states that any user should have the bare minimum privileges necessary to perform their function.

2. Update users and permissions.

Once you’ve planned what permissions to allow your users, you can now work on setting your permissions. Your FTP/SFTP client can help you in updating your file permissions. To change file permissions via the command line, run the following command:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} \;

Usually, the ideal permission for files is 644, and for directories, it is 755.

3. Monitor new files from time to time.

Setting your PHP file permissions is a continuous process. For every new file – especially important core or plugin files – you need to set file permissions. This makes sure there’s no weak link that attackers can target.

Manually keeping an eye on every new file that gets created can be quite a task. However, you can get a Web Application Firewall (WAF) to do it for you! WAFs specialize in acting like a shield between your website and the bad guys. By deploying a WAF, any new files that get created are regularly scanned, and any deleted or modified files are reported. They help you keep a check on what users are doing with your files.

4. Update regularly.

Make sure to use the latest PHP version to ensure that the vulnerable versions are out of your system, since they are susceptible to various forms of attacks. This is always a good security practice to follow.

PHP File Permissions: Conclusion

Following the best security practices is a good start to securing your website. Something as trivial as PHP file permissions can give your website a good run. Make sure that they are up to date so that potential threats can be kept at bay.

Be ready with Astra security tools to fight any bad guys that may threaten the security of your website!

Was this post helpful?

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany