What File and Directory Permissions Should I Use for My Web Files?

Understanding the correct permissions for your hosting files and directories is crucial for the security and functionality of your website. This guide will help you set the right permissions for your files and directories in cPanel.

Files

Files should always be uploaded and set to chmod 644. However, there are a few important exceptions:

• PHP files containing sensitive information: For example, configuration files containing database usernames and passwords (like WordPress's wp-config.php). For security reasons, these files should be chmod 600. In fact, it's a good practice to set all PHP web scripts to chmod 600. These files don't need the execute bit set because they are interpreted by PHP.
• Scripts run from the shell command line or crontab using the required shebang (PHP, Perl, or Python): These files should be chmod 700 because they are executed directly by your Linux user account.
• Scripts run from the cgi-bin or other directory as a CGI script using the required shebang: These should also be chmod 700 because they are executed directly by your Linux user account.
• .htaccess file: These files can be chmod 644, but a more secure solution is to set them chmod 444 (effectively read-only). This offers more protection against some simple file injection attacks.
  
  

When you upload files using cPanel File Manager, those files will be set to chmod 644 automatically. Unless your FTP software has been specially configured to set uploaded files to different permissions, then newly uploaded files will also be set to chmod 644 automatically.

Directories

Directories should always be uploaded and set to chmod 755.

When you upload files using cPanel File Manager, directories will be set to chmod 755 automatically. Unless your FTP software has been specially configured to upload directories with different permissions, then newly created directories will also be set to chmod 755 automatically.

What if the Installation Notes for My PHP Web Application Say Otherwise?

Software developers often prioritize making their software work over the security of your website. You might be told that directories should be chmod 777 or even that files need to be chmod 755, but if you are just talking about a PHP-based website, then PHP files will operate just fine chmod 600 or chmod 644.

The reason for this is that LiteSpeed serves PHP files via the suEXEC CGI. This means that PHP files are served under your cPanel username's security context. And because your username owns your web files, you only have to grant Read and Write permissions to the owner (thus, chmod 600).

If in doubt, and you want your site to be as secure as possible, please log a support ticket via your Brixly Client Area. We're here to help!