Why 777 is bad

Comment: How is this a WordPress question?

Milo's answer: My original comment: Is chmod a good idea? Whether your website is based on WordPress or not, this is a very, very bad idea.

Comment: Milo: You should really post that as an answer.

Comment: I would like to recommend this thread over serverfault. It does a great job of giving an example setup for apache2 and permissions.

I can't comment, so I have to add it as an answer.

Comment: I am sorry for the language, but this is a kick-ass answer. Thank you, Marco.

Comment: I use dedicated virtual machines for each web server that I run, and I wonder if it still holds true that you should be so careful.

Comment: UrkoM: You can never be too careful.

If you only have "one user" systems, then the risk of having others with write permissions isn't as much of a risk.

A lot of instructions — and even software — suggest that you should use permissions. Indeed, that works well, and your PHP files can now write to files. However, it actually works a bit too well for your site's well-being. It's like taking a bite of the forbidden apple.

How bad can it be? You know the story: one bite of the apple is all it takes. You see, on a shared host, you are not the only user. Other sites also have a user on the same system. To make things worse, the exact path a. If someone wants to hack your site, all he has to do is create an account on the same server and try to write to one of your site's files. They truly live up to their name. They allow anyone — and I mean anyone — on the same system to write to your directories and files!

Adding insult to injury, a clever hacker doesn't even have to create an account on the same server. If one of them is vulnerable, he can exploit them to write to your site's files. Even if you lock everything down, shared hosts pose a wonderful opportunity to screw you without even knowing about it.

Even though you have taken all measures to avoid exploits being able to run on your site, another site hosted on the same server might not be so keen on security. If the other site is exploited, the hacker will be able to hack your site, because the permissions allow him to do that. Do you believe me now when I tell you that is the number of the beast? As a side note, I'd like to let you know of an exception to this rule. If any directory above the one you gave permissions has a 0 in the world permissions, e.

This may explain why, on a properly set up host, giving permissions apparently does nothing. There are different ways to expel the evil permissions from your server. It all depends on how your web server is set up.

Fasten your seatbelts, we're entering the do-it-yourself zone! Remember: before you attempt any change on a live site, take a backup. Download it locally and store it in at least three different media.

Never, ever, under any circumstances whatsoever, attempt doing changes on a live site unless you have a valid and tested backup. You can take a backup manually, or using one of the free extensions in the Joomla! Extensions Directory. This is the ideal case, when your host's servers run on suPHP, like many reputable hosts. This means that only the first number of the permissions is important, while the second and third ones can be set to 4 (just read) or 5 (read and browse, for directories).

In this case, the perfect permissions are for files and for directories, which you can set using your favourite FTP software. If unsure, there's an easy way to figure out if your host runs on suPHP.

Go to Joomla!

I did some research and understand that permission is not the best when it comes to security. I do understand the first sets of numbers, which are the owner and group; however, I would like to clarify giving 7 permission to others. Who are the others, users within the server?

Or anyone, even public users who access the website through their browsers? Public users e.

The process is owned by a user, and access is granted to the files based on the permissions that are relevant to the users at the time of access. On a properly configured system, very few, if any, files will need to be The principle of least privilege should apply at all times.

Why, for example, would you want to give execute permission on an image when it is not executable? Why would you give other write access to an executable?

It does mean that anyone on the system may do it - and this is potentially a lot of third parties. Let's say you have one hacked WordPress website, just one among the many others, which runs as apache or a designated system user - this site may be used to iterate over the system in order to find any accessible readable, writable, or executable file - and guess who is on board?

So, stick to the general recommendation to provide only the minimum rights to the part of your system, whatever it may be, that is needed to work. Consider any service account taking action on your files on behalf of a user, per se, including any system calls within these files. To exploit permissions, it becomes only necessary to compromise one account on a system.
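An added audit script for the two points raised above (the ancestor-directory exception from the Joomla article, and the "find any writable file" scenario from the last answer). It is not code from the page or from Joomla/WordPress; the sample site layout it builds is constructed. It lists every world-writable entry under a web root, reports whether a user in 'other' can actually reach it (every ancestor up to the root must carry the world execute bit), and suggests a hardened mode following the suPHP rule above: keep the owner digit, set group and other to 4 for files or 5 for directories.

```python
import os
import stat
import tempfile
from pathlib import Path

def world_reachable(entry, top):
    """True only if every directory from entry's parent up to `top` has the world
    execute (search) bit; one ancestor with world digit 0 shields all below it."""
    for d in entry.parents:
        if not d.stat().st_mode & stat.S_IXOTH:
            return False
        if d == top:
            break
    return True

def audit_world_writable(top):
    """List world-writable entries under `top` and whether 'other' can reach them."""
    top = Path(top).resolve()
    findings = []
    for entry in sorted(top.rglob("*")):
        st = entry.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # mode bits on a symlink mean nothing; its target is listed itself
        if st.st_mode & stat.S_IWOTH:
            findings.append({"path": str(entry.relative_to(top)),
                             "mode": f"{stat.S_IMODE(st.st_mode):04o}",
                             "reachable": world_reachable(entry, top)})
    return findings

def hardened_mode(mode, is_dir):
    """Keep the owner digit; group/other become 4 (files) or 5 (dirs), per the suPHP advice."""
    return (stat.S_IMODE(mode) & 0o700) | (0o055 if is_dir else 0o044)

def build_demo_tree():
    """Constructed sample site in a fresh temp dir (not a layout from the page)."""
    base = Path(tempfile.mkdtemp()) / "site"
    (base / "cache").mkdir(parents=True)
    (base / "private").mkdir()
    for rel in ("cache/upload.php", "private/config.php"):
        (base / rel).write_text("<?php // placeholder\n")
    # private/ has world digit 0, so its 777 file is shielded; cache/ is wide open
    for rel, mode in (("", 0o755), ("cache", 0o777), ("cache/upload.php", 0o666),
                      ("private", 0o750), ("private/config.php", 0o777)):
        os.chmod(base / rel, mode)
    return base

if __name__ == "__main__":
    top = build_demo_tree()
    for f in audit_world_writable(top):
        print(f, "-> suggest", f"{hardened_mode(int(f['mode'], 8), (top / f['path']).is_dir()):04o}")
```

Run it against a real web root with `audit_world_writable("/path/to/site")`; entries reported as shielded are the case the article calls "giving permissions apparently does nothing".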
