Just as we give WordPress users the least possible permissions, so we must secure WordPress files and folders. wpCop explains.
The bottom line is to have least privilege permissions.
This underlying security principle applies to any file on any computer. We must cut user rights to the bone while not restricting functionality.
The platform's default permissions are fair: 755 for folders and 644 for files. Over time, though, these can become loosened up, particularly by developers and tinkerers. Bring them into line.
Pruning permissions at the terminal
Logged into the server and swapping the path here to that of your WordPress root folder, do this:
VPS and dedicated server users may need to prefix those two commands with sudo.
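As an added example, not a script from the wpCop guide, the following POSIX shell resets a WordPress tree to the defaults described above (755 for folders, 644 for files) and then reports how many entries are still looser than that, which is the check you would run after a developer or plugin has been at the tree. The WordPress root path is supplied through the WP_ROOT variable; the /var/www/html default in the comment is an assumed placeholder.

```shell
#!/bin/sh
# Added example: reset a WordPress install to the default permissions
# (folders 755, files 644) and report anything that is still too loose.
# Run as: WP_ROOT=/path/to/wordpress sh reset-perms.sh
# (prefix with sudo on a VPS or dedicated server if the files are not yours).

# Set every directory under $1 to 755 and every regular file to 644.
reset_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Count entries under $1 that are still looser than the defaults:
# anything group- or world-writable, or a regular file with any execute bit.
# Prints a single integer so callers can test for "0".
count_loose() {
    root="$1"
    find "$root" \( -perm -g=w -o -perm -o=w \
        -o \( -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) \) \) \
        | wc -l | tr -d ' '
}

# Only act when a WordPress root was given explicitly, so that sourcing
# this file never touches a directory by accident. /var/www/html is the
# assumed placeholder path you would substitute for your own install.
if [ -n "${WP_ROOT:-}" ] && [ -d "$WP_ROOT" ]; then
    echo "Before reset: $(count_loose "$WP_ROOT") loose entries under $WP_ROOT"
    reset_perms "$WP_ROOT"
    echo "After reset:  $(count_loose "$WP_ROOT") loose entries under $WP_ROOT"
fi
```

Running the count before and after makes the reset auditable: a non-zero figure afterwards means something outside the find rules (a symlink target, a file the web user owns that you cannot chmod) still needs a look. The reset is deliberately coarse; wp-config.php is tightened separately, as the section on that file explains.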
Reset permissions with a control panel
With cPanel you can check permissions by navigating to the File Manager, clicking through to the WordPress root and having a look at the column marked Perms. To change the properties for a file or folder, right-click on it and select Change Permissions.
wp-config.php permissions
The file that contains among other things your database credentials merits a special note.
Rather than 644, if you share a server then WordPress recommends a setting of 750: that loosens permissions for you and the server but, more importantly, denies access entirely to the wider web. That is all very well, but depending on the server configuration you may find that your site and its administrative functions work happily with far tighter rights.
OK. As said above (and yes, this is another gentle nag), we will readdress this vital issue in wpCop's server file permissions and ownership guide: once we have demystified what these digits actually do, it will be easier and safer to implement a least privilege setting.