Why you should lock your critical WP files with read only 400 and 404 permissions

If you have a WordPress website, (like most website owners have) and your web host is using suPHP or suExec and running PHP as a CGI (Common Gateway Interface) and not using DSO – running PHP as an Apache Module (mod_php) then you should be locking your WordPress Mission Critical files.

Why? In Mass Code Injection attacks aimed at Web Hosts there is a vulnerability with having 644 Group Permissions on files. What this means is that it could be possible to cross code inject your WordPress Mission Critical file in a Shared Hosting Environment if Group Permissions Read is allowed. Just allowing Group Permissions Read and not having Group Permissions Write on files can make them vulnerable to Mass Code Injection attacks on Web Hosts in a Shared Hosting Environment.

404 File Permissions;

.htaccess files should have 404 File Permissions

• Owner Permissions – Read On – Write X – Execute X
• Group Permissions – Read X – Write X – Execute X
• Public Permissions – Read On – Write X – Execute X

400 File Permissions:

index.php, wp-config.php and wp-blog-header.php should have 400 File Permissions

• Owner Permissions – Read On – Write X – Execute X
• Group Permissions – Read X – Write X – Execute X
• Public Permissions – Read X – Write X – Execute X

By doing this you will harden your installation further while minimizing the outside access to files. Remember that this doesn’t just apply to your files in the root folder of your WordPress installation, but to all your .htaccess files throughout your whole file structure within the WordPress directory.