This applies to self-managed Apache2 servers. Shared servers require different permissions; for wp-config.php, for example, set that file’s permissions to 440 or 400.
Site Lockdown
File permissions to lock down the website, run from the website’s home folder. Run them from the server’s root directory instead and you will break your server.
chown root:root -R *
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
Change the folder ownership of the site to root
chown root:root -R *
In wp-content/uploads, change the ownership to www-data (to allow uploads)
chown www-data:www-data -R *
To edit any files via FTP, change that ownership to the FTP user with group www-data (ftpuser:www-data)
chown username:www-data -R *
If you are asked for FTP details when trying to upgrade WordPress, or any plugins or themes, you need to add the following to wp-config.php
define('FS_METHOD','direct');
Refer to https://wordpress.org/support/article/hardening-wordpress/ for more details, especially those regarding MySQL.
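As an added example (not part of the original notes), the following script audits a site tree against the permissions above (directories 755, files 644, wp-config.php 400 or 440 as recommended for wp-config) instead of re-applying them blindly, and refuses to run on / so it cannot be pointed at the whole server by accident. It assumes GNU find (the -printf action) as on Debian/Ubuntu; the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report every path under a WordPress site whose mode differs from
# the lockdown above. Returns 0 when clean, 1 with a report when not, 2 on misuse.
# Assumes GNU find (-printf). Not part of the original notes.

wp_perm_audit() {
    site_root=$(cd "$1" 2>/dev/null && pwd) || { echo "no such directory: $1" >&2; return 2; }
    if [ "$site_root" = "/" ]; then
        echo "refusing to audit /: point this at the site's own folder" >&2
        return 2
    fi
    # One line per offender: kind, octal mode, path. An empty report means all good.
    report=$(
        find "$site_root" -type d ! -perm 755 -printf 'dir  %m %p\n'
        find "$site_root" -type f ! -name wp-config.php ! -perm 644 -printf 'file %m %p\n'
        find "$site_root" -maxdepth 1 -name wp-config.php ! -perm 400 ! -perm 440 \
             -printf 'conf %m %p (expected 400 or 440)\n'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample site with two deliberate problems (a world-writable upload and
# a world-readable wp-config.php) so the audit has something to report.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-admin"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/uploads" "$d/wp-admin"
    touch "$d/index.php" "$d/wp-config.php" "$d/wp-content/uploads/photo.jpg"
    chmod 644 "$d/index.php"
    chmod 666 "$d/wp-content/uploads/photo.jpg"   # problem 1: world-writable file
    chmod 644 "$d/wp-config.php"                  # problem 2: config readable by all
    echo "$d"
}

site=$(make_sample_site)
wp_perm_audit "$site" || echo "audit found problems in $site"
rm -rf "$site"
```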
On the server install
Disable root login
Install rkhunter (Rootkit Hunter) to check for rootkits and other vulnerabilities.
sudo apt-get install rkhunter
Perform the check with
sudo rkhunter --check --skip-keypress
or on the first run
sudo rkhunter --checkall --skip-keypress
and keep its database updated with
sudo rkhunter --update
For Ubuntu Server you may have to “fix” /etc/rkhunter.conf, changing
UPDATE_MIRRORS=0 to UPDATE_MIRRORS=1
MIRRORS_MODE=1 to MIRRORS_MODE=0
WEB_CMD="/bin/false" to WEB_CMD=""