How to set up Files Permissions the right way on a Web Server

Working with different CMS and multiple users requires the server to be set up properly or you might end up with security leaks.

I won’t cover the whole settings for your entire server but only the access to your web pages via SFTP (I definitively not recommend the use of FTP). Generally speaking of web server, I mean the following configuration :

  • Apache 2 running under www-data user (by default)
  • Linux machine
  • SFTP access via different users
  • Php scripting language
  • WordPress, Drupal, Magento, Prestashop, Zend, Joomla…

To jump straight to the settings commands, click on this link.

Default files permissions

When you first install let’s say for instance WordPress, either using wget or simply by uploading a tar.gz file via SFTP, you end up with the following files and directories permissions :

drwxr-xr-x   for html directory (the root of your wordpress website – can also be docs or /var/www depending on your configuration)

and :

DEfault files permissions web server

Let’s depict a little the permissions settings we have here (for those who are unaware of their meanings, you should read this page on :

drwxr-xr-x stands for d as directory, r for read, w for write and x for execute authorizations.

The wwwuser we have here is a web user we have given access to the WordPress directory, you may have another user name, this is not important, but during this tutorial we will refer to wwwuser.

Common pitfalls using the default settings

When using the above default files permissions, whenever you need to add a new WordPress plugin or upload an image into the media repository, then it will simply not work !

The reason for this is clear, the web server under Apache2 (can be the case with other servers such as Nginx or Php) is usually running under the www-data user which has no login possibilities.

As we don’t want to give login rights to the above user, we must use the following features :

  1. User group settings
  2. Define proper files permissions

Here is a list of directories access (for writing) needed for the www-data user :




Right now we don’t have the uploads directory, let’s create it using our wwwuser :

$ mkdir html/wp-content/uploads

Check out the directory permissions :

drwxr-xr-x 2 wwwuser wwwuser 4096 june 14 09:30 uploads

As you can see, the wwwuser user has Write, Read and Execute rights. However any other users has only Execute and Read accesses.

To fix this, the best method is to change the group access rights to any other users which are not within the group can not write to the directory. We will use the www-data user group as follow :

$ chown -Rf wwwuser:www-data uploads

See the result :

drwxr-xr-x 2 wwwuser www-data 4096 june 14 09:30 uploads

Then give the group write rights :

$ chmod -Rf 775 uploads

drwxrwxr-x 2 wwwuser www-data 4096 juin 14 09:30 uploads

But with this configuration we still have a problem ! You might not guess it, so let me explain in a few words – sometimes you update your website (any type of files) using the web interface (ie: from your WordPress backoffice), but sometimes you make the changes right from SSH using your wwwuser user. If you always go with the backoffice then no problem will occur however when you make changes using the later option then the files permissions settings will revert back to :


So the www-data will be able to write again.

Make a test yourself :

  • upload a file on your server using the backoffice interface of WordPress

File www-data uploading

The above file should be inside the wp-content/uploads/YYYY/MM directory.

  • Try now to overwrite this file using SFTP

What do you see ? Well you can not overwrite the file as you do not have the proper rights ! No worries this is not very important as we can just add our wwwuser to the www-data group as follow :

# useradd -G www-data wwwuser

You must have root rights to achieve the above command.

Now you can overwrite the file and everything is fine.

  • Upload a new file into the directory

The file permissions for the new file are back to wwwuser:wwwuser and from the backoffice we can not overwrite it or delete it !

Basically you will seldom play with the media files out of the backoffice but for themes and plugins, you will do.

Proper Files permissions settings

To fix the above pitfall, we will set the parent directory with some specific permissions. See the advanced permissions definition from :

s – This indicated the setuid/setgid permissions. This is not set displayed in the special permission part of the permissions display, but is represented as a s in the read portion of the owner or group permissions.

In other words, when another user creates a file or a directory which has SETGID settings, the new file or directory will inherit the group instead of the user group.

Let’s provide an example :

$ chmod -Rf g+s uploads

When you issue this command, all new files added to the uploads directory and its subdirectories will be owned by the wwwuser user and the www-data user group. However there is still one setting which is not set right so far and the only fix to adding the write permission to the user group on any new file and directory, is by using ACL (Access Control Lists).

$ setfacl -R -m g:www-data:rwx uploads

The above command will allow inheriting permissions to the user group for the uploads directory and its children.

For more details on Access Control Lists, you may browse the RedHat website about ACL.

Well now you have everything to apply the settings to your folders such as wp-content/plugins and themes or any required permissions depending on your CMS or framework you are using.

All the steps for the plugin directory :

$ chown -Rf wwwuser:www-data plugins

$ chmod -Rf 775 plugins

$ chmod -Rf g+s plugins

$ setfacl -R -m g:www-data:rwx plugins


I hope you have enjoyed this tutorial, you can drop a comment here if you have any questions or suggestions.

Remember to follow us and give us some credit if you like the content here. Stay tuned and browse other pages to learn about your favorite topics.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Want more information?

Related links will be displayed within articles for you to pick up another good spot to get more details about software development, deployment & monitoring.

Stay tuned by following us on Youtube.

%d bloggers like this: