WordPress file and directory security for IIS 7.0 and greater

It seems that whenever we set up a new WordPress site on IIS (for whatever reason) the same question comes up: "What are the directory and file permissions again?"  We haven't pulled the actual metrics, but we suspect this is one of the top 100 most-asked questions of all time.

To help our own rather leaky memories, we are putting together this blog entry on our own internal best practices.  Hopefully it helps you as well!


Our Best Practices Overview

  • Modify permission is granted only on .\[WordPress]\wp-content\uploads
  • Every other directory is read-only for the account PHP runs as
    Why?  If the web server identity cannot write to the web root, malware that gets a foothold in WordPress cannot drop or alter files there.  Note that \uploads stays writable, so NTFS permissions alone do not stop an attacker who can upload a .php file into it from running that file; pair this with an IIS handler or request-filtering rule that refuses to execute scripts from \uploads.
  • During updates (a plugin or WordPress itself), the entire WordPress site is temporarily set to Modify permissions.
    Important:  Manual updates (XCOPY) are safer but not necessarily easier.  That being said, if you are already on the box setting permissions, you are already in position for an XCOPY update!


Initial Setup Details

  1. At the WordPress root directory (.\[WordPress])
    1. Remove all inheritance from the parent objects
      Why?  This prevents permission changes on the parent directory from changing your security without you knowing about it!
    2. Replace all child object permissions with inheritable permissions from your WordPress root directory
      Why?  This guarantees that every WordPress directory gets your explicit permissions, and nothing else!
    3. Grant the user IUSR the following permissions: Read & Execute, List folder contents, Read
    4. Grant the group IIS_IUSRS the following permissions: Read & Execute, List folder contents, Read
    5. Grant the group Administrators the following permissions: Full control
    6. Recommended:  Remove the group Users (i.e. grant the Users group no rights to the WordPress directory)
    Note:  IUSR is the right account when PHP runs under FastCGI with the default fastcgi.impersonate = 1 and anonymous authentication left at its default user.  If you have pointed anonymous authentication at the application pool identity instead, grant that identity (IIS AppPool\<pool name>) wherever IUSR appears in these steps.
  2. At the WordPress upload directory (.\[WordPress]\wp-content\uploads)
    1. Remove all inheritance from the parent objects
      Why?  This lets the upload directory carry its own permissions, so content can be published without opening up the rest of the site!
    2. Replace all child object permissions with inheritable permissions from your \uploads directory
    3. Grant the user IUSR the following permissions: Modify, Read & Execute, List folder contents, Read, Write
    4. Grant the group IIS_IUSRS the following permissions: Read & Execute, List folder contents, Read
    5. Grant the group Administrators the following permissions: Full control
    6. Recommended:  Remove the group Users (i.e. grant the Users group no rights to the \uploads directory)
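The same setup, driven by icacls from an elevated PowerShell prompt on the IIS host.  This is an added example and not a script from the original post; it assumes WordPress lives at C:\inetpub\wwwroot\wordpress (adjust $Root) and that IUSR is the identity PHP runs as.

```powershell
# Added example (not from the original post): the initial setup steps above,
# applied with icacls. Run from an elevated PowerShell prompt on the IIS host.
# Assumption: WordPress is installed at C:\inetpub\wwwroot\wordpress.
$Root    = 'C:\inetpub\wwwroot\wordpress'
$Uploads = Join-Path $Root 'wp-content\uploads'

# icacls simple rights: RX = Read & Execute (covers List folder contents and
# Read), M = Modify (covers Write), F = Full control.
# (OI)(CI) makes an ACE inheritable by files (OI) and subfolders (CI).
$RootAces = @(
    'IUSR:(OI)(CI)RX',
    'IIS_IUSRS:(OI)(CI)RX',
    'BUILTIN\Administrators:(OI)(CI)F'
)
$UploadAces = @(
    'IUSR:(OI)(CI)M',
    'IIS_IUSRS:(OI)(CI)RX',
    'BUILTIN\Administrators:(OI)(CI)F'
)

function Set-WordPressAcl {
    param([string]$Path, [string[]]$Aces)

    # Step 1: strip inherited ACEs so the parent can no longer change $Path.
    icacls $Path /inheritance:r /Q | Out-Null

    # Steps 3-5: /grant:r REPLACES any existing ACE for each identity named,
    # so a stale Modify entry for IUSR cannot survive this call.
    icacls $Path /grant:r $Aces /Q | Out-Null

    # Step 6: drop the Users group entirely (harmless if it is not present).
    icacls $Path /remove 'BUILTIN\Users' /Q | Out-Null

    # Step 2: reset every child so it carries only what it inherits from $Path.
    # "$Path\*" addresses the children; /T recurses; /C continues past errors.
    icacls "$Path\*" /reset /T /C /Q | Out-Null
}

# Order matters: resetting the root's children wipes any explicit ACL on
# \uploads, so the upload directory is configured second.
Set-WordPressAcl -Path $Root    -Aces $RootAces
Set-WordPressAcl -Path $Uploads -Aces $UploadAces

# Review the result. Anything beyond the three identities granted above
# (SYSTEM, if it was an explicit entry before, is usual) deserves a look.
icacls $Root
icacls $Uploads
```

Because /inheritance:r keeps explicit entries that were already on the directory, the final icacls listing is the check that nothing unexpected survived the reconfiguration.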


Update Time Details

When it becomes time to update your WordPress site, perform the following steps:

  1. At the WordPress root directory (.\[WordPress])
    1. Grant the user IUSR the following permissions: Modify
      Why?  Permission inheritance automatically extends Modify to every WordPress directory that still inherits from the root, which is what lets the update write its files.  (\wp-content\uploads broke inheritance during setup, but it already carries Modify, so it needs no change.)

  Important:  Be sure to remove both the Modify and Write permissions from IUSR when you are done with your updates!  Ticking Modify in the permissions dialog also ticks Write, and unticking Modify afterwards leaves Write ticked, so check that both boxes are clear.
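The update-time grant and the revert, with a check that no write permission is left behind for IUSR.  This is an added example, not a script from the original post; it assumes the same $Root as the setup (C:\inetpub\wwwroot\wordpress), an elevated PowerShell prompt, and IUSR as the PHP identity.

```powershell
# Added example (not from the original post): grant IUSR Modify at the root
# for an update, put the read-only ACE back, then verify nothing writable is
# left outside \uploads. Assumes C:\inetpub\wwwroot\wordpress and an elevated
# prompt; IUSR is assumed to be the account PHP runs as.
$Root    = 'C:\inetpub\wwwroot\wordpress'
$Uploads = Join-Path $Root 'wp-content\uploads'

# Before the update: one inheritable Modify ACE at the root reaches every
# directory that still inherits from it. \uploads broke inheritance at setup
# but already holds Modify, so it needs nothing here.
icacls $Root /grant 'IUSR:(OI)(CI)M' /Q | Out-Null

# ... run the WordPress or plugin update now ...

# After the update: /grant:r replaces IUSR's ACE instead of adding to it, so
# Modify and Write go away together (unticking Modify in the GUI leaves Write
# ticked; this avoids that trap).
icacls $Root /grant:r 'IUSR:(OI)(CI)RX' /Q | Out-Null

# Verification: list every directory outside \uploads where IUSR still holds
# any write bit (Write is a subset of Modify, so testing Write catches both).
function Get-IusrWritableDirs {
    param([string]$Path, [string]$Exclude)
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $dirs  = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Directory -Recurse)
    $dirs |
        Where-Object { $_.FullName -ne $Exclude -and $_.FullName -notlike "$Exclude\*" } |
        Where-Object {
            $acl = Get-Acl -Path $_.FullName
            @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -like '*\IUSR' -and
                (($_.FileSystemRights -band $write) -ne 0)
            }).Count -gt 0
        } |
        Select-Object -ExpandProperty FullName
}

$leftover = @(Get-IusrWritableDirs -Path $Root -Exclude $Uploads)
if ($leftover.Count -eq 0) {
    Write-Host "OK: IUSR has no write access outside $Uploads"
} else {
    Write-Warning "IUSR can still write here:`n$($leftover -join "`n")"
}
```

Run the verification after every update; a non-empty list usually means a plugin or a manual fix added an explicit ACE somewhere below the root, which the root-level /grant:r does not touch.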
