A Better Alternative to the Risky 777 CHMOD!

It is a well-known fact that a 777 CHMOD on a directory is a high security risk on a Linux server: it lets any user on the server read, write and execute in that directory, so you can get hacked easily! However, most CMSs, including WordPress, ask you to CHMOD certain directories to 777 for easier functionality!

On one hand, if you don’t CHMOD the respective directory to 777, you may lose some of the functionality of the CMS, make your life harder, and even lose out on several plugins that cannot function without the required permissions. On the other hand, if you CHMOD the directory to 777, you open the barn doors of your server to hackers, who would basically have free rein over your disk usage and bandwidth, not to mention that a hack can also mess with your website’s search engine rankings!

You can, if you want, re-compile your server’s PHP to suPHP, and then a 755 CHMOD would work just as well as a 777 CHMOD (in fact, post-suPHP-compilation, if you ever CHMOD a directory to 777 by mistake, you would get a 500 server error!). The con is: if you use .htaccess on your site, then your entire site would break and you would have to transfer all your settings from .htaccess to php.ini in order to fix your broken site, and that is quite a headache, let me tell you!

The other great alternative is to change the user/usergroup of the respective directory from the domain account’s user to Apache! Once Apache owns a directory, you just give it write access: a 755 permission is enough to make a folder writable by Apache, because the owner always has write access under 755. Thus, you can make your plugin work just as well as it would with a 777 CHMOD, BUT without the added security issues!

Now, in order to chown a directory so as to make Apache its owner, you would need SSH access to your server; if you don’t have that, you can ask your host for help (I opt for the latter as I am totally dumb as far as SSH is concerned). You can use PuTTY if you need to!

What to do:

First you would need to change the ownership/usergroup of the directory to nobody/nobody ("nobody" is the name of the Apache user), and then you can set the permission of the directory to 755. Now all those plugins which insisted on a 777 permission would work just as well with these settings! It is the hard way, I know, but I believe it is much more secure!
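The two steps above as a small shell script, with an audit step to find the 777 directories first. This is an added example, not code from the original post; the function names are hypothetical, `nobody:nobody` is the Apache user/group named in the post (check what your own server uses), and the chown needs root.

```shell
#!/bin/sh
# Added example: audit a site for world-writable directories, then apply
# the "Apache owns it, 755" alternative to them.

# List directories under $1 that have the world-write bit set (e.g. 777).
find_world_writable() {
    find "$1" -type d -perm -0002 -print
}

# Hand one directory to the web server user and drop it to 755.
#   $1 = directory, $2 = owner as user:group (nobody:nobody in the post)
harden_dir() {
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Refuse symlinks so the ownership change cannot land somewhere else.
    [ ! -L "$dir" ] || { echo "refusing symlink: $dir" >&2; return 1; }
    chown "$owner" "$dir" || return 1
    chmod 755 "$dir" || return 1
}

# Usage:
#   sh fix777.sh /path/to/site                  # report only
#   sh fix777.sh /path/to/site nobody:nobody    # report and fix (as root)
if [ "$#" -ge 1 ]; then
    find_world_writable "$1" | while IFS= read -r d; do
        if [ "$#" -eq 2 ]; then
            harden_dir "$d" "$2" && echo "fixed: $d"
        else
            echo "world-writable: $d"
        fi
    done
fi
```

Run it in report mode first and only fix the directories the CMS or plugin really has to write to; anything else that shows up as world-writable can simply go back to 755 under the account's own user.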

Please don’t ask me for specific instructions on how to do it: you can find some help here and here or, even better, contact your host and ask them to do it for you (I always ask my sweet host to do it for me; easier on me)!

Now, there IS a downside to making Apache the owner of a directory: you cannot delete that directory or any file in it, or download anything from it to your local hard drive (for backup purposes), UNLESS you have root access to the server (if you are on a virtual private server or dedicated server then you should have root access) and are logged into your FTP client as the root user!!
