Safe permissions for files and folders in cPanel

Folder permissions and ownership are one key to the security of your websites and your code. You have to keep them safe so that an attacker cannot deface your websites or inject malware. These compromises happen for two reasons:

Use of weak passwords

I cannot stress enough the importance of ultra-strong passwords for your accounts (cPanel, email accounts, databases and so on), and they must all be unique. If the password is weak and someone gets in, it is your fault, no one else's.

Bad File Permissions

File permissions are one of the most important keys to security. Files and folders must have safe permissions so that your websites are safe.

Safe permissions

Have you ever wondered what decides which permissions the files under your account need? It is the PHP engine that does this job, so you need to understand how PHP is configured on your server. There are mainly two ways to configure PHP on a cPanel server: run PHP as DSO, or use SuExec (SuPHP, CGI etc.).

If PHP is configured as DSO, the PHP process is owned by the Apache user itself, so you need to allow the cPanel user as well as the Apache user to make changes, i.e. read and write, to your files. If PHP is configured to use SuExec (SuPHP or CGI), PHP runs as the cPanel user itself, which is the FTP user, so you only need to allow the FTP user to make changes. The former has been proven to be the faster way to run PHP and the latter is the secure way. If you are hosting a dedicated website on a cPanel server, DSO will prove to be the fastest, and if you are running a shared server, the SuExec way will save a lot of work.

If you are on a SuExec server, all files need 644 permissions and all folders need 755 permissions. Only then will PHP work. To set that, you will need SSH access to your cPanel account. Once you have logged in to your account, run these commands to get back to safe permissions.

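cd ~
cd public_html
# files: owner read/write, everyone else read-only
find . -type f -exec chmod 644 {} \;
# folders: owner full access, everyone else read and traverse
find . -type d -exec chmod 755 {} \;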

When you are on a DSO server, you need to run these commands instead so that your website works well.

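cd ~
cd public_html
# files: owner and group read/write, no access for others
find . -type f -exec chmod 660 {} \;
# folders: owner and group full access, no access for others
find . -type d -exec chmod 770 {} \;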

You then need to make the Apache user "nobody" the group owner of all these files. Only then will PHP be able to make changes in your websites. Not a great idea, but if you can trade that for the speed, it is a great performance boost for the server.
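
As an added example (not part of the original article), the read-only check below lists everything under a docroot that deviates from the modes given above for the chosen PHP handler, plus anything world-writable and, optionally, anything with the wrong group owner. The function name audit_perms, the handler keywords suexec and dso, and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): read-only audit of a
# docroot against the modes the article gives for each PHP handler.
# The function name and the handler keywords are assumptions.

# audit_perms DIR suexec|dso [GROUP]
# Prints one line per finding and changes nothing:
#   FILE-MODE / DIR-MODE  mode differs from the expected one
#   WORLD-WRITABLE        any other account on the server can modify it
#   GROUP                 (only if GROUP is given) group owner differs
audit_perms() {
    dir=$1
    grp=${3:-}
    case $2 in
        suexec) fmode=644 dmode=755 ;;  # PHP runs as the cPanel/FTP user
        dso)    fmode=660 dmode=770 ;;  # PHP runs as the Apache user
        *) echo "usage: audit_perms DIR suexec|dso [GROUP]" >&2
           return 2 ;;
    esac
    # -perm with a bare octal value matches the mode exactly.
    find "$dir" -type f ! -perm "$fmode" -exec printf 'FILE-MODE %s\n' {} \;
    find "$dir" -type d ! -perm "$dmode" -exec printf 'DIR-MODE %s\n' {} \;
    # -perm -002 matches anything with the "other" write bit set;
    # symlinks always show 777, so skip them.
    find "$dir" ! -type l -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    if [ -n "$grp" ]; then
        find "$dir" ! -group "$grp" -exec printf 'GROUP %s\n' {} \;
    fi
    return 0
}

# Run directly, e.g.:  sh audit.sh ~/public_html dso nobody
if [ "$#" -ge 2 ]; then
    audit_perms "$@"
fi
```

An empty result means the tree matches the article's modes for that handler; run it before and after the chmod commands above to see exactly what they change.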
