SSL Labs ScoreSecurityHeaders.io ScoreHSTS Preloaded

Securing Joomla - Filesystem Permissions

Article Index

Filesystem permissions can be a tricky subject. Many webmasters aren't familiar with Unix filesystem permissions, so they accept whatever permissions happen by default when they unzip the installation package. I've been running Linux for 20 years (exclusively for 15 years), so this is something I'm intimately familiar with. Mac power users will have some familiarity with this, but seldom are Windows users accustomed to these types of settings.

This lack of knowledge can be the cause of many issues - the most extreme being that your site becomes vulnerable to edit and overwrite by an unintended third party. It cannot be stressed enough, the importance of filesystem permissions.

There is no cookie-cutter answer that can be given to explain what permissions your server needs. I can't even tell you what the username of the webserver is (although, for the purpose of this section we will assume it is www-data) or what your website root directory is (again, for the purpose of this section we will assume it is /var/www/html).

Please, do a sanity check on the values of these commands to determine if they are correct for your server.

cd /var/www/html
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chown -R www-data .

Again, please verify that these settings are appropriate for your server. The wrong path may cause all of the commands to fail (or may cause you to change something you shouldn't), and the wrong server username may also prevent the server from being able to see your contents. Other servers may require the server group to have write capabilities - which would change the numbers above to 664 and 775 respectively.

Learning about filesystem permissions has a steep learning curve for those not familiar with them already. The following links may be helpful when learning about permissions.

You have some learning to do, but it is well worth it when your server security is at stake.

PHP has an additional configuration which can be used to prevent rogue scripts from going beyond the boundaries of your Joomla installation. The PHP open_basdir configuration sets restrictions on where PHP is allowed to go within your filesystem. Obviously, special configurations should be reflected in this setting, but a good default is for your .htaccess file is below. This allows PHP to open the Joomla install path and anything inside of it, as well as access /tmp.

php_admin_value open_basedir "/path/to/joomla:/tmp"

One last thing - do not, under any circumstances EVER give permissions of 777!! If someone suggests that you do this, they either do not know what they're talking about, or they want your server to be vulnerable. Either way, the 777 permission is dangerous. Don't do it!

If anyone tells you to type 777, stop listening to them!

Ghandi understood server permissions:

Nobody can hurt me without my permission.

Mahatma Gandhi