Apache WordPress Drupal Website Permissions

By | 2013/01/14

Permissions on a Linux webserver is an often confusing topic but hopefully I can clear the mud. There may not be one right answer for all, but below are some suggested configurations!

The following applies to WordPress, Drupal, or any similar application.

Two concepts to hang on to:

– In Linux there are users who ‘own’ particular directories and files.

– In Linux there are also individual permissions (or access levels) on particular files and directories.

For best security, both of these (ownership and permissions) must be inspected and adjusted.

Your document root

The website files for your website will be installed in their own dedicated folder or directory on the server.

If the server is a dedicated server or VPS, the default directories are:

Ubuntu / Debian: /var/www/

CentOS / Red Hat: /var/www/html/

If using shared hosting or another location, a home directory may be used for the website files. In this case, it may be:




The apache user

The webserver (apache) has its own username and group. Your website software (drupal, wordpress, etc) runs on the server as this user.

In Ubuntu / Debian, the user and group are: www-data and www-data

In CentOS / Red Hat, the user and group are: apache and apache

Directory and File Permissions

Web server directories should by 750 or 755.

Files should be 644.

Files and folders should never be 777. 777 permissions are not required for Drupal or WordPress to operate (not even the upload directory). More on that shortly!

Ok so what do I do??

First, set directories to 755. And then files to 644. Here are the two commands to run to make these changes. Change /var/www/ to your appropriate document root.

$ sudo find /var/www/ -type d -exec chmod 755 {} \;
$ sudo find /var/www/ -type f -exec chmod 644 {} \;

Document root and user ownership

1. Most strict / paranoid configuration: document root owned by a regular user, and in the group of the apache user:

Ubuntu / Debian:

$ sudo chown -R myusername:www-data /var/www/

CentOS / Red Hat:

$ sudo chown -R myusername:apache /var/www/html/

With this configuration, regular media uploads, posting, and regular use work fine.

However, WordPress and Drupal updating, plugin, and module installs will _not_ work.

Temporarily change the document root to be owned by apache (#3 below) to perform maintenance such as plugin / module install and self-updating. When maintenance is complete, revert back to the above ownership. For the super paranoid only!

2. Shared hosting / more flexible permissions / usability compromise

This configuration is a compromise as the document root will be owned by apache. This is generally seen a a security risk but is a compromise to allow the web app (WordPress or Drupal) to operate properly for the end user without having to resort to poor file or directory permissions. All media uploads, plugin, module and web app updating work. Also, FTP uploads by the user work.

First add the hosting regular user to the apache group:

Ubuntu / Debian:

$ sudo gpasswd -a myusername www-data

CentOS / Red Hat:

$ sudo gpasswd -a myusername apache

Now change the ownership of the document root to be owned by apache and group of that user:

Ubuntu / Debian:

$ sudo chown -R www-data:myusername /home/myusername/

CentOS / Red Hat:

$ sudo chown -R apache:myusername /home/myusername/

3. Even more flexible. Use these to troubleshoot only as a temporary measure or to perform site maintenance. All media uploads and updating work. Again, change /var/www to your appropriate document root.

Ubuntu / Debian:

$ sudo chown -R www-data:www-data /var/www/

CentOS / Red Hat:

$ sudo chown -R apache:apache /var/www/html/

As always, YMMV but hopefully this helps. With usability as a concern, security will be a compromise depending on the target end users or environment. At any rate, avoiding 777 permissions is possible and good advice to keep some security for the server and web application.