Web Server File Permissions — Apache, Nginx, and PHP

Complete guide to setting correct file permissions for web servers. Covers Apache, Nginx, PHP-FPM, upload directories, and common security mistakes.

Detailed Explanation

Web Server Permission Guide

Incorrect permissions on web server files are one of the most common security vulnerabilities. This guide covers the correct setup for Apache, Nginx, and PHP-based applications.

The Golden Rules

  1. Web root directory: 755
  2. Static files (HTML, CSS, JS, images): 644
  3. PHP/script files: 644 (NOT 755)
  4. Upload directories: 770 (restricted to web server group)
  5. Configuration files with secrets: 600
  6. Never use 777

Ownership Setup

# Set the web server user as owner
sudo chown -R www-data:www-data /var/www/html

# Or set your user as owner, web server as group
sudo chown -R youruser:www-data /var/www/html

Directory Permissions

# Set all directories to 755
find /var/www/html -type d -exec chmod 755 {} \;

# Set all files to 644
find /var/www/html -type f -exec chmod 644 {} \;

Upload Directory

# Create upload directory with restricted access
sudo mkdir -p /var/www/html/uploads
sudo chown www-data:www-data /var/www/html/uploads
sudo chmod 770 /var/www/html/uploads

# Prevent PHP execution in uploads (Apache with mod_php; .htaccess
# overrides must be permitted by AllowOverride)
# Add to uploads/.htaccess:
# php_flag engine off

WordPress Specific

chmod 600 wp-config.php
chmod 755 wp-content/
chmod 755 wp-content/themes/
chmod 755 wp-content/plugins/
chmod 770 wp-content/uploads/

Common Mistakes

| Mistake | Risk | Fix |
|---|---|---|
| chmod 777 on web root | Anyone can modify/execute | Use 755 for dirs, 644 for files |
| PHP files with 755 | Can be executed from CLI | Use 644; web server reads, not executes |
| Secrets in web root | Direct URL access | Move outside web root or use 600 |
| Upload dir without restriction | Uploaded code execution | Block script execution, use 770 |
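
To check an existing tree against the rules above instead of resetting every mode, the following audit lists each path that deviates. It is an added example, not part of the original guide; it assumes upload directories are named "uploads" and that secrets live in files named wp-config.php or .env, and its sample tree is constructed.

```sh
#!/bin/sh
# Added example: audit a web root against the guide's permission rules.
# Prints one "FINDING<TAB>path" line per violation, nothing when clean.
# Assumptions: upload dirs are named "uploads"; secret files are named
# wp-config.php or .env. Paths containing newlines are not supported.

report() {  # prefix each path read from stdin with the finding name in $1
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

audit_webroot() {
    root=$1
    # Rule 6: never 777 -> anything world-writable (symlinks excluded)
    find "$root" ! -type l -perm -0002 -print | report WORLD_WRITABLE
    # Rules 1 and 4: directories 755, upload directories 770
    find "$root" -type d ! -name uploads ! -perm 755 -print | report DIR_NOT_755
    find "$root" -type d -name uploads ! -perm 770 -print | report UPLOADS_NOT_770
    # Rule 5: files holding secrets must be 600
    find "$root" -type f \( -name wp-config.php -o -name .env \) \
        ! -perm 600 -print | report SECRET_NOT_600
    # Rules 2 and 3: every other file, PHP included, is 644
    find "$root" -type f ! -name wp-config.php ! -name .env \
        ! -perm 644 -print | report FILE_NOT_644
}

# Constructed sample tree: four bad modes, five findings (cache trips two rules).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/uploads" "$t/css" "$t/cache"
    : > "$t/index.php"; : > "$t/css/site.css"
    : > "$t/wp-config.php"; : > "$t/admin.php"
    chmod 755 "$t" "$t/css"; chmod 644 "$t/css/site.css" "$t/index.php"
    chmod 777 "$t/cache"          # violation: world-writable directory
    chmod 775 "$t/uploads"        # violation: uploads open to other users
    chmod 644 "$t/wp-config.php"  # violation: secret readable by others
    chmod 755 "$t/admin.php"      # violation: execute bit on a PHP file
    printf '%s\n' "$t"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree) && audit_webroot "$tree"; rm -rf "$tree"
elif [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

Run it with a path to audit a real web root, or with --demo to see the findings for the sample tree.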

Use Case

Web developers and system administrators need this reference when deploying websites, configuring CMS platforms (WordPress, Drupal, Laravel), or troubleshooting 403 Forbidden errors. Correct web server permissions prevent unauthorized access while allowing the application to function.
