A really good step towards developing secure Wordpress websites is to disable write access to system files. Just like the programs in an operating system should not have access to change core files in the OS, individual Wordpress plugins also should not have access to change core Wordpress files, or even the files in other plugins.
Wordpress does not have any security built in to prevent this from happening. It would be difficult to implement properly, since it would require that we somehow prevented the use of the built-in PHP file-system functions and replaced them with functions that have extended security features.
The web server is usually able to write to all files in the system. It creates this nasty all-or-nothing situation where PHP code, regardless of placement, will be able to write to, and change, any part of the system. It is not hard to imagine why this can easily lead to security holes. Wordpress core is pretty secure in itself, but third-party plugins can be very poorly designed — which is often the case, even with plugins that are not free!
A solution is to disable write-access to carefully selected directories and files; it does make Wordpress harder to update for administrators, but it will prevent a lot of typical Wordpress hacks from happening.
Which files and directories should be read-only?
This depends largely on the system, its plugins and the theme in use.
Typically we can prevent write-access to everything except for the wp-content directory which needs to be configured carefully. There may also be other directories used for backup, cache, and temporary data, and such should also remain writable in order for the system to work properly. Examples include:
All of these should remain writable. The uploads directory should remain writable to allow user uploads, and the languages directory to allow translation files to be installed through wp-admin or by plugins that handle translations.
The good news is that Wordpress will usually complain if a directory needs to be writable. You can also examine the server log files to find out whether write errors have occurred due to file permissions.
Finally, sometimes you also need to handle the wp-content/plugins/ directory carefully, depending on the plugins you use. Normally a plugin should not need write access to its own directory, but some plugins might still save data to their own directories; you should therefore account for this as needed. The recommendation is, if a plugin needs to store data in the file system, to do so in a separate directory inside wp-content.
How to change file permissions
File permissions can be changed either from an FTP client or through the terminal. The terminal is faster.
The recommended setting for writable directories and files is 775, which means readable, writable and executable by owner and group, while others can read and execute but not write.
A setting of 555 is recommended for files and directories that should not be writable; it still allows reading and execution, which is necessary for Wordpress to work properly.
We can change settings from a terminal like this:
chmod -R 555 /var/www/some-site/
chmod -R 775 /var/www/some-site/wp-content/
chmod 555 /var/www/some-site/wp-content/
chmod -R 555 /var/www/some-site/wp-content/plugins/
The "-R" parameter makes the command recursive, meaning it will also apply to sub-directories and files.
Remember to adjust other directories as needed; this is something you must work out on your own, since all Wordpress sites are not the same.
For those interested in ways to update and manage your Wordpress sites from a terminal, there is also the WP-CLI tool.
Note. The file-system paths on your hosting provider might be different from those in this example. Carefully note the correct paths, and adjust the commands accordingly.
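As an added example (not the article's own commands), the following script builds a small constructed WordPress-like tree in a temporary directory, applies the scheme above in the same order, and audits which paths are still writable afterwards. The directory layout, the plugin and theme names, and the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's own commands. Builds a constructed
# WordPress-like tree in a temporary directory, applies the article's
# permission scheme to it, and audits which paths are still writable.
set -eu

# Constructed stand-in for a site: only the paths the article talks about.
make_demo_tree() {
    mkdir -p "$1/wp-admin" "$1/wp-includes" \
             "$1/wp-content/plugins/demo-plugin" "$1/wp-content/themes/demo-theme" \
             "$1/wp-content/uploads" "$1/wp-content/languages"
    : > "$1/wp-config.php"
    : > "$1/wp-content/plugins/demo-plugin/demo-plugin.php"
    : > "$1/wp-content/uploads/photo.jpg"
}

# The article's scheme in the same order: everything 555, wp-content 775,
# then the wp-content directory itself and the whole plugins tree back to 555.
apply_readonly_scheme() {
    chmod -R 555 "$1"
    chmod -R 775 "$1/wp-content"
    chmod 555 "$1/wp-content"
    chmod -R 555 "$1/wp-content/plugins"
}

# Permission string of one path, e.g. "rwxrwxr-x" (ls -ld is portable).
mode_of() { ls -ld "$1" | cut -c2-10; }

# Succeeds when owner, group or others have the write bit on the path.
is_writable() { case "$(mode_of "$1")" in *w*) return 0 ;; *) return 1 ;; esac; }

# Succeeds when the path is world-writable; nothing in the scheme should be.
is_world_writable() { [ "$(mode_of "$1" | cut -c8)" = "w" ]; }

# Audit: every path under $1 with any write bit set, one per line, sorted.
list_writable() {
    find "$1" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print | sort
}

# 555 directories cannot be deleted until they are writable again.
cleanup_tree() { chmod -R u+w "$1" && rm -rf "$1"; }

DEMO_ROOT=$(mktemp -d)
trap 'cleanup_tree "$DEMO_ROOT"' EXIT
make_demo_tree "$DEMO_ROOT"
apply_readonly_scheme "$DEMO_ROOT"
echo "Still writable under $DEMO_ROOT:"
list_writable "$DEMO_ROOT"
```

Running list_writable against a real site root after applying the scheme is a quick way to confirm that only the directories you intended (uploads, languages, themes, plus any cache or backup directories you identified) still carry a write bit.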
You can still get hacked
Disabling write-access is not enough to prevent all hacking from taking place, but it is an essential step towards developing a more secure Wordpress website.
When write-access is disabled to the file-system, basically only the writable areas can be infected. This leaves you with your database as the next point of attack — if someone has write-access to this, you had better have a backup ready in case an accident happens.
Remember, if you store sensitive personal data, either in the file system or in your database, and your site gets hacked, you may be required by law to inform your users and relevant authorities; you should seek legal advice if you are in doubt about legal matters.
Securing a Wordpress-based website that uses third-party plugins and/or themes is very difficult, and there is no one-size-fits-all solution. The best you can do is probably to limit your use of themes and plugins developed by unknown people, and to disable plugins that you do not use. Sometimes even popular and professionally made themes, like Divi, will suffer from security vulnerabilities — so do not assume that something is more secure just because it is paid!