WordPress configuration file weak file permissions
Description
The WordPress configuration file wp-config.php has insecure file permissions that allow the web server user (typically www-data, apache, or nobody) to modify it. This file contains sensitive database credentials, authentication keys, and other critical configuration settings. According to WordPress security best practices, configuration files should have 644 permissions (read/write for owner, read-only for group and others) so that, provided the file is not owned by the web server account itself, the web server process cannot modify it.
Remediation
Immediately correct the file permissions on wp-config.php to restrict write access to the file owner only. Connect to your server via SSH and execute the following command in your WordPress installation directory:
chmod 0644 wp-config.php
Additionally, verify that the file is owned by your user account (not the web server user) by running:
ls -la wp-config.php
If the owner is incorrect, change it using:
chown your_username:your_group wp-config.php
After making these changes, confirm the permissions are set correctly: the output of ls -la wp-config.php should show -rw-r--r-- as the permission string. As a best practice, review permissions for all WordPress core files and directories to ensure they follow the recommended 644/755 pattern.
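The checks above (group/other write bits and ownership by the web server account) as a small POSIX shell audit, added here as an example rather than taken from the original finding. The list of web server account names it flags is an assumption and can be overridden through the WEB_USERS environment variable.

```shell
#!/bin/sh
# Audit a wp-config.php for the two problems described above:
#   1. group- or world-writable mode bits (anything looser than 0644)
#   2. ownership by a web server account, which would let the server
#      process rewrite the file regardless of the mode bits.
# Returns 0 when the file passes, 1 when a problem is reported, 2 if missing.

wp_config_audit() {
    f="$1"
    rc=0
    # Assumed list of common web server accounts; override via WEB_USERS.
    web_users="${WEB_USERS:-www-data apache nobody nginx http}"
    [ -f "$f" ] || { echo "missing: $f"; return 2; }

    # ls -ld prints "-rw-r--r-- 1 owner group size date name";
    # field 1 is the symbolic mode, field 3 the owning user.
    set -- $(ls -ld "$f")
    mode="$1"
    owner="$3"

    # Characters 6 and 9 of the mode string are the group and other write bits.
    grp_w=$(printf '%s' "$mode" | cut -c6)
    oth_w=$(printf '%s' "$mode" | cut -c9)
    if [ "$grp_w" = "w" ]; then echo "group-writable: $f ($mode)"; rc=1; fi
    if [ "$oth_w" = "w" ]; then echo "world-writable: $f ($mode)"; rc=1; fi

    for u in $web_users; do
        if [ "$owner" = "$u" ]; then
            echo "owned by web server account '$owner': $f"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "ok: $f ($mode, owner $owner)"
    fi
    return "$rc"
}

# Apply the remediation from this finding: restrict write access to the owner.
wp_config_fix() {
    chmod 0644 "$1" && wp_config_audit "$1"
}
```

Run it against the installation directory as `wp_config_audit /path/to/wp-config.php`; a non-zero exit status means at least one problem was printed.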