156 users here now


  • summerchilde Developer/Blogger
  • otto4242 WordPress.org Tech Guy
  • r1ckd33zy Designer/Developer
  • carbis Developer
  • about moderation team »

Welcome to Reddit,

the front page of the internet.

and subscribe to one of thousands of communities.

submitted 1 year ago by WinTechLab

Want to add to the discussion?

[–]paultitude Developer 0 points 1 point 2 points 1 year ago (1 child)

[–]WinTechLab [S] 0 points 1 point 2 points 1 year ago (0 children)

[–]nuevaya 0 points 1 point 2 points 1 year ago (0 children)

  • apps & tools
  • Reddit for iPhone
  • Reddit for Android
  • mobile website

Use of this site constitutes acceptance of our User Agreement and Privacy Policy. © 2019 reddit inc. All rights reserved.

REDDIT and the ALIEN Logo are registered trademarks of reddit inc.

π Rendered by PID 30099 on r2-app-09a10c0716defa47c at 2019-03-07 01:03:19.945765+00:00 running 0ffe7ca country code: SK.


Support » Plugin: Wordfence Security – Firewall & Malware Scan » False or real malicious file report in Wordfence scan?

False or real malicious file report in Wordfence scan?

During few scans for my site Wordfence found several supposed malicious files in wp-content/cache/. The full path and the name of the file is: wp-content/cache/object/a58/4ad/a584ad18ea94b0da905d969ae2832879.php
This is the details of the Wordfence scans:

Filename: wp-content/cache/object/a58/4ad/a584ad18ea94b0da905d969ae2832879.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: document.documentElement.innerHTML = unescape(. The infection type is: A backdoor known as ejzlv.

I always delete those files but new reappear after some time.Since I use W3 Total Cache plugin I see those files as simple cache files.Am I right or these are real malicious files?

Thanks in advance for your help!

The page I need help with: [log in to see the link]


I’ve had a look over here but didn’t find any details on the best file permissions. I also took a look at some of WordPress’s form’s questions over here too but anybody that suggests 777 obviously needs a little lesson in security.

In short my question is this. What permissions should I have for the following:

  1. root folder storing all the WordPress content
  2. wp-admin
  3. wp-content
  4. wp-includes

and then all the files in each of those folders?

15 Answers

When you setup WP you (the webserver) may need write access to the files. So the access rights may need to be loose.

After the setup you should tighten the access rights, according to Hardening WordPress all files except for wp-content should be writable by your user account only. wp-content must be writable by www-data too.

Maybe you want to change the contents in wp-content later on. In this case you could

  • temporarily change to the user to www-data with su ,
  • give wp-content group write access 775 and join the group www-data or
  • give your user the access rights to the folder using ACLs.

Whatever you do, make sure the files have rw permissions for www-data.

Giving the full access to all wp files to www-data user (which is in this case the web server user) can be dangerous. So rather do NOT do this:

It can be useful however in the moment when you’re installing or upgrading WordPress and its plug-ins. But when you finished it’s no longer a good idea to keep wp files owned by the web server.

It basically allows the web server to put or overwrite any file in your website. This means that there is a possibility to take over your site if someone manage to use the web server (or a security hole in some .php script) to put some files in your website.

To protect your site against such an attack you should to the following:

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process.

The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

The WordPress administration area: all files should be writable only by your user account.


The bulk of WordPress application logic: all files should be writable only by your user account.

User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:


Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.


Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

For those who have their wordpress root folder under their home folder:

  1. Add your user to www-data group:

You want to call usermod on your user. So that would be:

** Assuming www-data group exists

Check your user is in www-data group:

You should get something like:

** youUserGroupName is usually similar to you user name

Recursively change group ownership of the wp-content folder keeping your user ownership

chown yourUserName:www-data -R youWebSiteFolder/wp-content/*

Change directory to youWebSiteFolder/wp-content/

Recursively change group permissions of the folders and sub-folders to enable write permissions:

find . -type d -exec chmod -R 775 <> \;

** mode of `/home/yourUserName/youWebSiteFolder/wp-content/’ changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

Recursively change group permissions of the files and sub-files to enable write permissions:

find . -type f -exec chmod -R 664 <> \;

The result should look something like:

chmod -R ug+rw foldername

Permissions will be like 664 for files or 775 for directories.

P.s. if anyone encounters error ‘could not create directory’ when updating a plugin, do:
[email protected]:

/domainame.com$ sudo chown username:www-data -R wp-content
when you are at the root of your domain.
Assuming: wp-config.php has
FTP credentials on LocalHost

I set permissions to:

In my case I created a specific user for WordPress which is different from the apache default user that prevent access from the web to those files owned by that user.

Then it gives permission to apache user to handle the upload folder and finally set secure enough file and folder permissions.


If you’re using W3C Total Cache you should do the next also:


After a while developing WordPress sites I’d recommend different file permissions per environment:

In production, I wouldn’t give access to users to modify the filesystem, I’ll only allow them to upload resources and give access to some plugins specific folders to do backups, etc. But managing projects under Git and using deploy keys on the server, it isn’t good update plugins on staging nor production. I leave here the production file setup:

www-data:www-data = apache or nginx user and group

Staging will share the same production permissions as it should be a clone of it.

Finally, development environment will have access to update plugins, translations, everything.

www-data:www-data = apache or nginx user and group your-user:root-group = your current user and the root group

These permissions will give you access to develop under themes and your-plugin folder without asking permission. The rest of the content will be owned by the Apache or Nginx user to allow WP to manage the filesystem.

Before creating a git repo first run these commands:

  • All files should be owned by the actual user’s account, not the user account used for the httpd process
  • Group ownership is irrelevant, unless there’s specific group requirements for the web-server process permissions checking. This is not usually the case.
  • All directories should be 755 or 750.
  • All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
  • No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.

Correct permissions for the file is 644 Correct permissions for the folder is 755

To change the permissions , use terminal and following commands.

755 for folders and 644 for files.

I think the below rules are recommended for a default wordpress site:

For folders inside wp-content, set 0755 permissions:

chmod -R 0755 plugins

chmod -R 0755 uploads

chmod -R 0755 upgrade

Let apache user be the owner for the above directories of wp-content:

chown apache uploads

chown apache upgrade

chown apache plugins

It actually depends on the plugins you plan to use as some plugins change the root document of the wordpress. but generally I recommend something like this for the wordpress directory.

This will assign the "root" (or whatever the user you are using) as the user in every single file/folder, R means recursive, so it just doesn’t stop at the "html" folder. if you didn’t use R, then it only applicable to the "html" directory.

This will set the owner/group of "wp-content" to "www-data" and thus allowing the web server to install the plugins through the admin panel.

This will set the permission of every single file in "html" folder (Including files in subdirectories) to 644, so outside people can’t execute any file, modify any file, group can’t execute any file, modify any file and only the user is allowed to modify/read files, but still even the user can’t execute any file. This is important because it prevents any kind of execution in "html" folder, also since the owner of the html folder and all other folders except the wp-content folder are "root" (or your user), the www-data can’t modify any file outside of the wp-content folder, so even if there is any vulnerability in the web server, and if someone accessed to the site unauthorizedly, they can’t delete the main site except the plugins.

This will restrict the permission of accessing to "wp-config.php" to user/group with rw-r—– these permissions.

And if a plugin or update complained it can’t update, then access to the SSH and use this command, and grant the temporary permission to "www-data" (web server) to update/install through the admin panel, and then revert back to the "root" or your user once it’s completed.

And in Nginx (same procedure for the apache)to protect the wp-admin folder from unauthorized accessing, and probing. apache2-utils is required for encrypting the password even if you have nginx installed, omit c if you plan to add more users to the same file.

Now visit this location

Use this codes to protect "wp-admin" folder with a password, now it will ask the password/username if you tried to access to the "wp-admin". notice, here you use the ".htpasswd" file which contains the encrypted password.


Your email address will not be published. Required fields are marked *