All In One Files Security helps you setup the file permission for each folder and files in your website and more.
Last Updated: March 6, 2024
Latest News: Updated the documentation.
Your WP installation already comes with reasonably secure file permission settings for the filesystem.
However, sometimes people or other plugins modify the various permission settings of certain core WP folders or files such that they end up making their site less secure because they chose the wrong permission values.
This feature will scan the critical WP core folders and files and will highlight any permission settings which are insecure.
AIOWPS plugin helps you keep your files and folders permissions levels at the recommended minimum protection set out by WordPress.
Note: You can read more about this in the following link changing-file-permissions.
What you need:
All In One File Security
Step 1 ) Go to WP Security -> File Security admin sidebar menu as illustrated in the image below.
File security
Step 2 ) The following image File security allows you to set up the following file security settings tabs.
File security Settings
- File permissions
- File protection
- Host system logs
- Copy protection
- Frames
File Permissions
Step 3 ) Go to WP Security -> Filesystem Security -> File Permissions to check and make sure your file system permission are set up correctly. The following image shows all file permissions correct with a green colour.
This will add another 20 points score towards your security meter. (Basic Security Level)
Step 3-a ) The image below shows you the Current Permission and the Recommended Permission. Click on Set Recommended Permissions button if your permissions are incorrect.
Step 3-b ) The following list shows you the recommended files permissions by this plugin for your site. All permissions that have a green color means the minimum file permissions have been added as recommended by AIOWPS.
Note: Some of you might want to add a higher level of restrictions to your files. This is entirely up to you.
AIOWPS Recommended File Permissions
- root directory = 0755
- wp-includes/ = 0755
- .htaccess = 0644
- wp-admin/index.php = 0644
- wp-admin/js/ = 0755
- wp-content/themes/ = 0755
- wp-content/plugins/ = 0755
- wp-admin/ = 0755
- wp-content/ = 0755
- wp-config.php = 0640
Step 3-c ) The following message is displayed if your website is hosted in a Windows server. This stops you from having to adjust the folder file permissions as illustrated above when running your site in a windows server.
File Protection
Step 4 ) Go to WP Security -> File security -> File protection to set up the following option as illustrated in the image below.
File Protection Options
- Prevent Access to WP Default Install Files. The following will allow you to stop access to Default WP Files on your website.
- Click on Save setting button once you finish.
This will add another 10 points score towards your security meter. (Basic Security Level)
Prevent hotlinking
A Hotlink is where someone displays an image on their site which is actually located on your site by using a direct link to the source of the image on your server. Due to the fact that the image being displayed on the other person’s site is coming from your server, this can cause leaking of bandwidth and resources for you because your server has to present this image for the people viewing it on someone elses’s site.
This feature will prevent people from directly hotlinking images from your site’s pages by writing some directives in your .htaccess file.
Step 4-a ) The following image Prevent hotlinking allows you to setup the following option.
Prevent hotlinking Settings
- Prevent image hotlinking:
- Click on Save settings button when you finish completing your settings.
If you enable this option, it will add another 10 points score towards your security meter. (Basic Security Level)
The following is the rule added by this feature to the .htaccess file. Make sure this rule is added to your .htaccess file, or else this feature will not work.
.Htaccess rule added
# BEGIN All In One WP Security
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://localhost/tipstricks [NC]
RewriteRule \.(gif|jpe?g?|png)$ – [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
# END All In One WP Security
Troubleshooting Image Hotlinking
Q1 Image Hotlinking is not working in my site. How do I fix this issue?
Answer: In this case the problem was with the server Siteground. “For custom .htaccess rules to take effect the NGINX static cache for the website needs to be turned off”. Click the following link support thread to learn more.
Disable PHP file editing
Step 4-b ) The following image Disable PHP file editing allows you to setup the following option.
Disable PHP file editing Option
- Disable ability to edit PHP files:
- Click on Save settings button when you finish completing your settings.
The following entry is added into the wp-config.php file when you activate this feature.
//Disable File Edits
define('DISALLOW_FILE_EDIT', true);
This will add another 10 points score towards your security meter. (Basic Security Level)
Host system logs
Step 5 ) Go to WP Security -> File security -> Host system logs as illustrated in the image below.
Sometimes your hosting platform will produce error or warning logs in a file called “error_log”. Depending on the nature and cause of the error or warning, your hosting server can create multiple instances of this file in numerous directory locations of your WordPress installation. By occasionally viewing the contents of these logs files you can keep informed of any underlying problems on your system which you might need to address.
Host System Logs Settings
- Enter System Log File Name: = default name error_log
- Click on View Latest System Logs button to view the latest log file.
Sample List Of Log File Locations
- yoursite/wp-content/themes/suffusion/error_log
- yoursite/wp-includes/error_log
- yoursite/wp-includes/widgets/error_log
- yoursite/wp-admin/error_log
- yoursite/wp-admin/user/error_log
- yoursite/wp-admin/network/error_log
- yoursite/wp-admin/includes/error_log
- yoursite/error_log
Note: If you run into issues when checking the latest system logs, make sure you have enough memory allocated to your site. Also check to make sure you have not run out of disk space. Log files can become large in size.
Troubleshooting
Q1 The .htaccess file has ‘0’ (ZERO) permissions. How do I fix this?
Answer: The issue in this site was WordPress settings. The following WP Dashboard -> Settings -> General.
WordPress Address was: http://yoursite.com
Site Address was: http://www.yoursite.com
Changing both to http://yoursite.com fixed the .htaccess problem and allowed permalinks, etc to be written correctly. Check the following link forum post to learn more.
Copy protection
Step 6 ) Go to WP Security -> File security -> Copy protection as illustrated in the image below to activate the following option.
Copy Protection Option
- Enable Copy Protection
- Click on Save copy protection settings button once you complete this option.
Frames
Step 7 ) Go to WP Security -> File security -> Frames as illustrated in the image below to activate the following option.
Copy Protection Option
- Enable iFrame protection:
- Click on Save settings button once you complete this option.
=============================
I hope the above steps helps you manage your file system security in your site.
If you have any questions please let me know
Enjoy.
All In One Security (AIOS) Plugin Tutorial List
I have been working in IT since 1999 and I enjoy the challenges it brings me. I love developing websites with WordPress. I spend a lot of time helping out in wordpress.org forums. I have been writing tutorials since 2011. Now I am learning how to manage my own VPS "Virtual Private Server.