本文翻译自:Correct file permissions for WordPress [closed]
I've had a look over here but didn't find any details on the best file permissions. 我看过这里,但没有找到关于最佳文件权限的任何细节。 I also took a look at some of WordPress's form's questions over here too but anybody that suggests 777 obviously needs a little lesson in security. 我也看了看一些的WordPress的形式的问题,在这里也不过任何人说建议777显然需要在安全一点教训。
In short my question is this. 总之,我的问题是这个。 What permissions should I have for the following: 我应该拥有以下权限:
- root folder storing all the WordPress content 根文件夹存储所有WordPress内容
- wp-admin 可湿性粉剂管理员
- wp-content WP-内容
- wp-includes WP-包括
and then all the files in each of those folders? 然后是每个文件夹中的所有文件?
#1楼
参考:https://stackoom.com/question/1F0N0/正确的WordPress文件权限-关闭
#2楼
When you setup WP you (the webserver) may need write access to the files. 设置WP时,您(Web服务器)可能需要对文件进行写访问。 So the access rights may need to be loose. 因此访问权限可能需要松散。
chown www-data:www-data -R * # Let Apache be owner
find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--
After the setup you should tighten the access rights , according to Hardening WordPress all files except for wp-content should be writable by your user account only. 在设置之后你应该收紧访问权限 ,根据Hardening WordPress,除了wp-content之外的所有文件都应该只能由你的用户帐户写入。 wp-content must be writable by www-data too. wp-content也必须由www-data写入。
chown <username>:<username> -R * # Let your useraccount be owner
chown www-data:www-data wp-content # Let apache be owner of wp-content
Maybe you want to change the contents in wp-content later on. 也许你想稍后更改wp-content中的内容。 In this case you could 在这种情况下你可以
- temporarily change to the user to www-data with
su, 使用su暂时将用户更改为www-data - give wp-content group write access 775 and join the group www-data or 给wp-content组写访问权775并加入组www-data或
- give your user the access rights to the folder using ACLs . 使用ACL为您的用户授予对该文件夹的访问权限。
Whatever you do, make sure the files have rw permissions for www-data . 无论您做什么,请确保文件具有www-data的 rw权限。
#3楼
Giving the full access to all wp files to www-data user (which is in this case the web server user) can be dangerous. 将所有wp文件的完全访问权限授予www-data用户(在本例中为Web服务器用户)可能很危险。 So rather do NOT do this: 所以不要这样做:
chown www-data:www-data -R *
It can be useful however in the moment when you're installing or upgrading WordPress and its plug-ins. 但是,当您安装或升级WordPress及其插件时,它会很有用。 But when you finished it's no longer a good idea to keep wp files owned by the web server. 但是当你完成它时,保持Web服务器拥有的wp文件不再是一个好主意。
It basically allows the web server to put or overwrite any file in your website. 它基本上允许Web服务器放置或覆盖您网站中的任何文件。 This means that there is a possibility to take over your site if someone manage to use the web server (or a security hole in some .php script) to put some files in your website. 这意味着如果有人设法使用Web服务器(或某些.php脚本中的安全漏洞)将某些文件放入您的网站,则有可能接管您的站点。
To protect your site against such an attack you should to the following: 为了保护您的网站免受此类攻击,您应该执行以下操作:
All files should be owned by your user account, and should be writable by you. 所有文件都应归您的用户帐户所有,并且您应该可以写入。 Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process. 任何需要来自WordPress写入权限的文件都应该由Web服务器写入,如果您的主机设置需要它,这可能意味着这些文件需要由Web服务器进程使用的用户帐户进行组拥有。
/The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you. 根WordPress目录:所有文件只能由您的用户帐户写入,但.htaccess除外,如果您希望WordPress自动为您生成重写规则。
/wp-admin/The WordPress administration area: all files should be writable only by your user account. WordPress管理区域:所有文件只能由您的用户帐户写入。
/wp-includes/The bulk of WordPress application logic: all files should be writable only by your user account. 大量的WordPress应用程序逻辑:所有文件只能由您的用户帐户写入。
/wp-content/User-supplied content: intended to be writable by your user account and the web server process. 用户提供的内容:旨在由您的用户帐户和Web服务器进程写入。
Within
/wp-content/you will find: 在/wp-content/你会发现:
/wp-content/themes/Theme files. 主题文件。 If you want to use the built-in theme editor, all files need to be writable by the web server process. 如果要使用内置主题编辑器,则所有文件都需要由Web服务器进程写入。 If you do not want to use the built-in theme editor, all files can be writable only by your user account. 如果您不想使用内置主题编辑器,则所有文件只能由您的用户帐户写入。
/wp-content/plugins/Plugin files: all files should be writable only by your user account. 插件文件:所有文件只能由您的用户帐户写入。
Other directories that may be present with
/wp-content/should be documented by whichever plugin or theme requires them./wp-content/中可能存在的其他目录应该由任何插件或主题需要它们来记录。 Permissions may vary. 权限可能会有所不同。
Source and additional information: http://codex.wordpress.org/Hardening_WordPress 来源和其他信息: http : //codex.wordpress.org/Hardening_WordPress
#4楼
For those who have their wordpress root folder under their home folder: 对于那些在其主文件夹下有wordpress根文件夹的人:
** Ubuntu/apache ** Ubuntu / apache
- Add your user to www-data group: 将您的用户添加到www-data组:
CREDIT Granting write permissions to www-data group CREDIT 向www-data组授予写入权限
You want to call usermod on your user. 您想要为您的用户调用usermod 。 So that would be: 那就是:
sudo usermod -aG www-data yourUserName
** Assuming www-data group exists **假设存在www-data组
Check your user is in
www-datagroup: 检查您的用户是否在www-data组中:groups yourUserName
You should get something like: 你应该得到类似的东西:
youUserName : youUserGroupName www-data
** youUserGroupName is usually similar to you user name ** youUserGroupName通常类似于您的用户名
Recursively change group ownership of the wp-content folder keeping your user ownership 递归更改wp-content文件夹的组所有权,保持用户所有权
chown yourUserName:www-data -R youWebSiteFolder/wp-content/*Change directory to youWebSiteFolder/wp-content/ 将目录更改为youWebSiteFolder / wp-content /
cd youWebSiteFolder/wp-contentRecursively change group permissions of the folders and sub-folders to enable write permissions: 递归更改文件夹和子文件夹的组权限以启用写入权限:
find . -type d -exec chmod -R 775 {} \\;
** mode of `/home/yourUserName/youWebSiteFolder/wp-content/' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x) **模式`/ home / yourUserName / youWebSiteFolder / wp-content /'从0755(rwxr-xr-x)变为0775(rwxrwxr-x)
Recursively change group permissions of the files and sub-files to enable write permissions: 递归更改文件和子文件的组权限以启用写入权限:
find . -type f -exec chmod -R 664 {} \\;
The result should look something like: 结果应该类似于:
WAS:
-rw-r--r-- 1 yourUserName www-data 7192 Oct 4 00:03 filename.html
CHANGED TO:
-rw-rw-r-- 1 yourUserName www-data 7192 Oct 4 00:03 filename.html
Equivalent to: 相当于:
chmod -R ug+rw foldername chmod -R ug + rw foldername
Permissions will be like 664 for files or 775 for directories. 权限将为664个文件或775个目录。
Ps if anyone encounters error 'could not create directory' when updating a plugin, do: 如果有人在更新插件时遇到错误'could not create directory' ,请执行以下操作: server@user:~/domainame.com$ sudo chown username:www-data -R wp-content
when you are at the root of your domain. 当你在你的域的根。
Assuming: wp-config.php has 假设: wp-config.php有
FTP credentials on LocalHost LocalHost上的FTP凭据 define('FS_METHOD','direct');
#5楼
Commands: 命令:
chown www-data:www-data -R *
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
Where ftp-user is what user you are using to upload the files 其中ftp-user是您用来上传文件的用户
chown -R ftp-user:www-data wp-content
chmod -R 775 wp-content
#6楼
I think the below rules are recommended for a default wordpress site: 我认为以下规则建议用于默认的wordpress网站:
For folders inside wp-content, set 0755 permissions: 对于wp-content内的文件夹,设置0755权限:
chmod -R 0755 plugins chmod -R 0755插件
chmod -R 0755 uploads chmod -R 0755上传
chmod -R 0755 upgrade chmod -R 0755升级
Let apache user be the owner for the above directories of wp-content: 让apache用户成为上述wp-content目录的所有者:
chown apache uploads chown apache上传
chown apache upgrade chown apache升级
chown apache plugins chown apache插件
扫一扫
659
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
