Files should always be uploaded and set to chmod 644. The ONLY important exceptions to this are:
- PHP files that contain sensitive information – e.g. configuration files containing database usernames and passwords (WordPress’s wp-config.php for example). For security reasons, these files should be chmod 600 – in fact it won’t hurt to set ALL PHP web scripts to chmod 600. The files don’t need the execute bit set because they are interpreted by PHP.
- Scripts that are run from the shell command line or crontab using the required shebang (PHP, Perl or Python) – such files should be chmod 700 because they are actually being executed directly by your Linux user account.
- Scripts that are run from the cgi-bin or other directory as a CGI script using the required shebang – these should be chmod 700 because they are also executed directly by your Linux user account.
- .htaccess files – these files can be chmod 644, but a more secure solution is to set them chmod 444 (effectively read only). This offers more protection against some simple file injection attacks.
Whenever you upload files using cPanel FileManager, they will be set to chmod 644 automatically. Unless your FTP software has been specifically configured to set uploaded files to different permissions, newly uploaded files will also be set to chmod 644 automatically.
Directories should always be uploaded and set to chmod 755.
Whenever you upload files using cPanel FileManager, directories will be set to chmod 755 automatically. Unless your FTP software has been specifically configured to upload directories with different permissions, newly created directories will also be set to chmod 755 automatically.
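The scheme above can be checked over a whole site from the shell. The script below is an added example, not part of the original article: it assumes GNU find, stat and head on Linux hosting, the function names `expected_mode` and `audit_perms` are hypothetical, and treating every file that begins with `#!` as a directly executed script is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): report paths that deviate from the
# permission scheme described above. Read-only: it never changes a mode.
# Assumes GNU find, stat and head.

# expected_mode PATH -> acceptable octal mode(s) for PATH, space separated
expected_mode() {
    p=$1
    if [ -d "$p" ]; then echo "755"; return; fi
    case "$(basename "$p")" in
        .htaccess)     echo "444 644"; return ;;  # 444 is the stricter choice
        wp-config.php) echo "600"; return ;;      # holds database credentials
    esac
    # Assumption: a file starting with a shebang is run from the shell,
    # crontab or cgi-bin, so it is executed directly by the account.
    if [ "$(head -c 2 "$p" 2>/dev/null | tr -d '\000')" = "#!" ]; then
        echo "700"; return
    fi
    case "$p" in
        *.php) echo "600 644" ;;  # interpreted by PHP, no execute bit needed
        *)     echo "644" ;;
    esac
}

# audit_perms DIR -> one line per deviation; exit status 1 if any were found
audit_perms() {
    find "$1" \( -type f -o -type d \) -print | (
        rc=0
        while IFS= read -r path; do
            actual=$(stat -c '%a' "$path")
            allowed=$(expected_mode "$path")
            case " $allowed " in
                *" $actual "*) ;;  # mode is one of the accepted values
                *) printf '%s\twant %s\t%s\n' "$actual" "$allowed" "$path"
                   rc=1 ;;
            esac
        done
        exit "$rc"
    )
}

# Stand-alone use: sh audit.sh /path/to/public_html
if [ "$#" -gt 0 ]; then audit_perms "$1"; fi
```

Each output line shows the current mode, the accepted mode or modes, and the path, so the matching chmod can be applied by hand after review.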
If in doubt, and you want your site to be as secure as possible, just ask us!