I have a web server and installed wordpress on it. I would like to know about the files permissions which are required to secure my site. (last time XSS happed on my site, they wrote inside my all index.php files and some other files. I don't know how they did this.)
What are the best file permissions?
The script must at least have owner read and execute permission. Here the scripts are set to 755 (only the owner of the script has read, write, and execute privileges; other users and groups only have read and execute permissions).
Be aware that you set the owner of the files to the apache user (usually apache or www-data or something like that).
Readable by the web server user, unwriteable by anyone. Of course, the exact details depend on what you're doing, but start there. And try to stay there if you can.
I think it's probably easier to link you to a blog post I find handy when securing Wordpress. It has more than what you are interested in but very handy nontheless.
http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/
3, 5 and 7 will be of interest to you.
In direct relation to your config file, you could secure it using a shell command as follows:
chmod 750 wp-config.php
If your environment allows it, 400 for basic files and 500 for directories. That means read-only. If you want to enable uploading, you should put the appropriate write permissions on it, 600.
Some hosting providers run all their websites on a shared user, say 'apache', but with FTP uses 'youruser'. In that case, you'll need 440 for files and 550 for directories.
Any writeable directory or file could make your installation less secure, but you'll have to balance usability and security.
In shell type :
chown apache:apache filename
or
chown root:root filename , it depends what is your superadmin username
after :
chmod 0755 filename
