WordPress Permissions and Security

Our clients have found the functionality of the WordPress framework to be quite good at putting them in control of the content and information on their site. We also find the WordPress framework flexible and powerful to use as developers. That said, all this functionality does come with a price. Security and file access permissions are important to set up properly, and the instructions on what to do are vague and hard to follow.

Recently one of our clients who maintains her own site was hacked. Now, you hear a lot about hacking, but most folks don’t know what that actually means. Here is a picture of the hack that was added to the plugins on her WordPress site.



That looks like a lot of gibberish, but what it actually is is code obfuscated with base64 encoding, which plenty of non-malicious software also uses. If we decode it we get this:

Ok, more code gibberish for the non-coders, but the quick translation is this: visitors arriving from referring sites like Facebook, Google, MySpace etc. are redirected from your site to another site of the attacker’s choosing. This makes it hard to know you have been infected unless you regularly check your site from outside locations (reaching it from search results instead of typing in the URL directly).

So what do you do? First off, don’t panic. And really don’t panic if you have good backups. (Ok, official shout-out to our friends at Rackspace Managed Backup. We back up the entire file structure for all our servers daily. Combine that with the awesome customer service we get from our Managed Backup Team, and you know why our team sleeps well at night.)

First Step - Clean up the Mess

Finding what’s been infected is an important first step (you need to know what needs to be cleaned). Start with a couple of key directories:

1) /wp-content/themes/your_active_theme

2) /wp-content/plugins/ (all plugins)

Take a look at these directories, and in particular at the last-edited time stamp. Infections will likely have been done all at once, so you will be able to discover the date you were infected. Move these directories to a safe place for now.

3) Copy your wp-content/uploads directory to a safe location. This usually holds files/images that aren’t as open to infection, and you’ll want to save them in the long run.

4) Your theme’s directory is important. If it has been infected, cleaning it by hand can be a laborious process. This is where backups come in extremely handy. Once you know the date of infection, restore a version of your themes directory from your backups. If you do not have backups you are left with 2 options:

a) Manually disinfect, removing all malicious code. This is hard…in one file on her site she literally had 1000 different encodings, which makes automation difficult. You also have to be careful to restore the file to its previous state.

b) Download a fresh theme and re-apply your customizations. This is also hard, but you should at least be able to see your customizations in your infected theme directory to guide you.

5) The final step is to download and install a fresh version of the WordPress framework. Move your uploads directory and themes directory to the fresh install, and finally re-download and install fresh copies of your plugins.

All together, if you have good backups the process can be done in under 20 minutes. Without backups, the time to get back up goes upwards of 10-20 hours.
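Two small triage helpers for the "find what's been infected" step above, as an added example that is not part of the original post: one lists theme and plugin files modified after a cutoff date (the time-stamp check from step 1 and 2), the other lists PHP files that both eval() and base64_decode() something, the shape of the injected code shown earlier. The directory tree, file names and the injected sample are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: two triage helpers for the
# "find what's been infected" step. The WordPress tree, file names and the
# injected sample are all constructed for the demo.

# Files under themes/ and plugins/ (the post's two key directories) whose
# modification time is later than $2, given as CCYYMMDDhhmm (e.g. 201006010000).
# Uses a reference file plus -newer, which is POSIX, instead of GNU -newermt.
modified_since() {
    root="$1"; since="$2"
    ref="$(mktemp)"; touch -t "$since" "$ref"
    find "$root/wp-content/themes" "$root/wp-content/plugins" \
        -type f -newer "$ref" 2>/dev/null | sort
    rm -f "$ref"
}

# PHP files that both eval() something and base64_decode() something: the
# shape of the obfuscated blob the post shows. Legitimate code rarely needs
# both in one file, so each hit is worth a manual look.
suspicious_php() {
    root="$1"
    grep -rlE --include='*.php' 'eval[[:space:]]*\(' "$root" 2>/dev/null |
        while IFS= read -r f; do
            grep -qE 'base64_decode[[:space:]]*\(' "$f" && printf '%s\n' "$f"
        done | sort
}

# Constructed WordPress-like tree: two clean files dated January, one injected
# plugin file dated June. The sample payload only decodes to "echo 1;".
make_demo_site() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/themes/mytheme" "$root/wp-content/plugins/someplugin"
    printf '<?php echo "clean theme";\n' > "$root/wp-content/themes/mytheme/header.php"
    printf '<?php echo "clean plugin";\n' > "$root/wp-content/plugins/someplugin/someplugin.php"
    touch -t 201001010000 "$root/wp-content/themes/mytheme/header.php" \
        "$root/wp-content/plugins/someplugin/someplugin.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw=="));\n' \
        > "$root/wp-content/plugins/someplugin/index.php"
    touch -t 201006150000 "$root/wp-content/plugins/someplugin/index.php"
    printf '%s\n' "$root"
}

# Run directly as: sh triage.sh /path/to/wordpress 201006010000
if [ "$#" -eq 2 ]; then
    echo "== modified since $2 =="; modified_since "$1" "$2"
    echo "== eval + base64_decode in one file =="; suspicious_php "$1"
fi
```

Both lists are starting points for a manual look, not a verdict: a plugin update also shows up as a recent modification, and the date you find is the cutoff to restore your theme directory from in step 4.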


Second Step - Security and Permissions: Or how to make this never happen again.

This is where online guides tend to get pretty vague. We at Blazing Systems are not fans of vagueness, so with two clients’ permission we set up a bit of a permissions test to find out what worked best. What we did was change permissions on the two sites at different times to see what exposed the site to intrusion and what didn’t. Here is the permissions set-up that seemed to provide the most security while keeping most of the framework’s functionality intact.

1) General Permissions: We want to have the framework and the majority of files outside the control of apache/users. So start by changing ownership of all files in the WordPress directory to the FTP user that accesses the site:

Example: chown -R site_owner:site_owner_group /wordpress_install_directory

Next we want to change the access permissions: 655 or 755 seem to be good permissions to keep these files protected.

Example: chmod -R 755 /wordpress_install_directory

2) Specific Permissions: You still want to be able to upload files and complete upgrades. Also, a lot of the functionality in WordPress will give permission errors with the above settings. So we want to open up permissions on 2 directories inside wp-content:

chown -R apache:apache /wp-content/uploads and chown -R apache:apache /wp-content/upgrade

chmod -R 755 /wp-content/uploads and chmod -R 755 /wp-content/upgrade

3) Open and Close Permissions: Some themes have very cool functionality making it easy to change the look and feel of the site on the fly. These files are in your theme directory, but opening them up = exposure, plus all the troubles above. We recommend only opening permissions on this directory while actively working on it, then immediately re-securing it when you’re done.
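The three permission steps above as one script, added here as an example and not part of the original post: harden_wp applies steps 1 and 2 (framework owned by the FTP user at 755, only uploads/ and upgrade/ handed to the web-server account), and audit_wp covers the "close it again" half of step 3 by listing anything outside those two directories that is still group- or world-writable. The owner, group and web-server account are arguments, since they differ per host (the post uses the FTP user and apache:apache); the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: applies the permission scheme
# described above and audits for drift from it. Owner, group and web-server
# account are arguments because they differ per host; the demo tree is
# constructed.

# Steps 1) and 2) from the post: everything owned by the FTP user at 755, then
# only wp-content/uploads and wp-content/upgrade handed to the web-server account.
harden_wp() {
    root="$1"; owner="$2"; group="$3"; web_user="$4"; web_group="${5:-$4}"
    chown -R "$owner:$group" "$root"
    chmod -R 755 "$root"
    for d in uploads upgrade; do
        mkdir -p "$root/wp-content/$d"
        chown -R "$web_user:$web_group" "$root/wp-content/$d"
        chmod -R 755 "$root/wp-content/$d"
    done
}

# Step 3) from the post, the other direction: anything outside those two
# directories that is group- or world-writable is a theme (or plugin) left open
# and should be re-secured. -perm -020 / -perm -002 are POSIX; GNU -perm /022 is not.
audit_wp() {
    root="$1"
    find "$root" \( -path "$root/wp-content/uploads" \
                 -o -path "$root/wp-content/upgrade" \) -prune \
        -o \( -perm -020 -o -perm -002 \) -print | sort
}

# Constructed tree: one theme file left world-writable after a theme-editor
# session, plus an uploads directory that is allowed to be open. Runs in a
# subshell so the umask does not leak into the caller.
make_demo_site() (
    umask 022
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/themes/mytheme" "$root/wp-content/uploads"
    printf '<?php // constructed theme file\n' > "$root/wp-content/themes/mytheme/functions.php"
    chmod 777 "$root/wp-content/themes/mytheme/functions.php"
    chmod 777 "$root/wp-content/uploads"
    printf '%s\n' "$root"
)

# Run directly as: sh wp-perms.sh /path/to/wordpress site_owner site_owner_group apache
if [ "$#" -ge 4 ]; then
    harden_wp "$1" "$2" "$3" "$4" "${5:-$4}"
    echo "== still group/world-writable outside uploads/ and upgrade/ =="
    audit_wp "$1"
fi
```

Running audit_wp from cron is a cheap way to catch a theme directory that was opened for editing and never closed again.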





We enjoy working with non-profit organizations. The Internet offers great potential to help people who are trying to help people, and our latest project gave us a chance to help someone who is trying to help people who are helping animals. Jake Raudabaugh is six years old. He is my grandson. Recently he was moved by a commercial for the ASPCA on TV. He was surprised and saddened to find out that some dogs and cats did not have homes, and that some were mistreated. Fortunately, Jake has great parents who are both intelligent and caring. The conversation eventually developed to include the concept of charity.




Jake liked the idea of charity, and decided that he wanted to be charitable to animals in need. That night, he founded Jake’s Pals, dedicated to helping animals. With his parents’ help, he developed a plan to help shelters and any organizations that are caring for animals. He decided to collect donations of food, supplies, and eventually money, and distribute those donations to worthy organizations.

This week Jake visited Blazing Systems and sat down for hours with his Uncle Will. Together they designed a website for Jake’s Pals. Will guided the work, presented the design options, and implemented the design using a LAMP-stack/WordPress architecture; and Jake made all the design choices on the spot in our dev lab, just as most of our clients like to do.


This summer Jake started building his donations by selling lemonade at yard sales, and he visited the Montgomery County ASPCA to find out their priority needs. We’re hoping his new website will give his charity some visibility and help generate donations. We’re honored to be his pals.