Correct permissions for WordPress on LEMP?

I’m confused about how to set permissions for a WordPress install. I’ve got it set up and running very well on an Ubuntu-based droplet using LEMP. The only issue I’m having is getting permissions correct. I went for the normal:

sudo chown www-data:www-data * -R
sudo usermod -a -G www-data usernamehere

That worked great, but stopped my user from creating files inside the WordPress install which I use for manually installing some plugins. I’ve also tried using:

sudo chown usernamehere:www-data * -R

However, while that gives me permission, it stops WP from uploading/updating. I’ve also used:

sudo chmod g+s directoryname

To make it so all files created in the folder by me are owned by the web server.

Can anyone recommend a good permission setup that will allow my user to create files, allow WP to update & upload but doesn’t introduce any security issues? I know a decent amount about web servers but permissions are my downfall. Any help would be greatly appreciated.


You usually shouldn’t, but that would be the easiest way to enable WordPress’s automatic updating system to work properly.

Check out <a href=“”></a>—it’s written for Apache but should work fine on nginx with some tweaks.

Would that be still safe from a security point of view? I’ve heard people saying you should never give write access to the web server’s group.

To me though I’ve never figured out how that is a security risk when the web server is the owner of the files anyway.

The commands you ran are fine; however, there’s one missing step:

sudo chmod -R g+w directoryname

This command allows users of the group that owns the files (www-data in this case) to write to the files.
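A read-only way to check a tree against the setup discussed in this thread (shared www-data group, setgid on directories, group write), given as an added example that is not part of any answer above. The function name, the finding labels and the extra world-writable check are assumptions of this example, and it relies on GNU find as shipped with Ubuntu.

```bash
#!/usr/bin/env bash
# Added example: audits a directory tree; it changes nothing on disk.
# Hypothetical usage: wp_perm_audit /path/to/wordpress www-data

# wp_perm_audit DIR GROUP
# Prints one "LABEL<TAB>path" line per finding.
# Returns 0 when the tree is clean, 1 when anything was reported.
wp_perm_audit() {
    local dir=$1 group=$2 out
    out=$(
        # Not owned by the shared group: either the user or the web
        # server loses access to this entry.
        find "$dir" ! -type l ! -group "$group" -printf 'WRONG_GROUP\t%p\n'
        # Group write bit (020) missing: only the owner can modify it,
        # which is the situation "chmod -R g+w" fixes.
        find "$dir" ! -type l ! -perm -020 -printf 'NOT_GROUP_WRITABLE\t%p\n'
        # Setgid bit (2000) missing on a directory: new files created here
        # get the creator's primary group instead of the shared group.
        find "$dir" -type d ! -perm -2000 -printf 'DIR_NO_SETGID\t%p\n'
        # World write bit (002) set: not needed for this setup (extra
        # check added by this example).
        find "$dir" ! -type l -perm -002 -printf 'WORLD_WRITABLE\t%p\n'
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}
```

Run it as the user who manages the files; an empty result with exit status 0 means every entry is group-owned, group-writable and, for directories, setgid.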