File permissions determine who can read, write, and execute files on your hosting account. Properly configured permissions are a critical layer of website security, preventing unauthorised access to sensitive files while ensuring your website and applications function correctly. This guide explains the Linux permission system and provides best practices for securing your SakuraHost hosting account.
Understanding Linux File Permissions
Every file and directory on a Linux server has three types of permissions assigned to three categories of users:
Permission Types
- Read (r = 4): Ability to view file contents or list directory contents.
- Write (w = 2): Ability to modify a file or create/delete files within a directory.
- Execute (x = 1): Ability to run a file as a program or, for a directory, to enter it and reach the files inside.
User Categories
- Owner (u): The user who owns the file, typically your cPanel username.
- Group (g): Users belonging to the file's group.
- Others (o): Everyone else, including web visitors and other server users.
Numeric Permission Notation
Permissions are written as a three-digit number, one digit each for owner, group, and others in that order, where each digit is the sum of read (4), write (2), and execute (1). For example, 7 (4+2+1) grants all three, 6 (4+2) grants read and write, and 5 (4+1) grants read and execute, so 644 means the owner can read and write while the group and others can only read.
Recommended Permissions for Web Hosting
| File/Directory Type | Permission | Explanation |
|---|---|---|
| Regular files (HTML, CSS, JS, images) | 644 | Owner can read/write; others can only read |
| Directories | 755 | Owner has full access; others can read and traverse |
| PHP files | 644 | PHP files do not need execute permission in most configurations |
| Configuration files (wp-config.php) | 600 | Only the owner can read/write; no access for others |
| .htaccess | 644 | Apache needs to read this file |
| Upload directories | 755 | Allows the application to write uploaded files |
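The table above is easiest to apply with a small audit script rather than by clicking through every file. The script below is an added example, not part of this article or of SakuraHost's tooling: it reports every path in a web root whose mode differs from the recommended values (directories 755, wp-config.php 600, all other files 644) and can fix them in bulk. It assumes a Linux host with POSIX sh and find, and that PHP runs as your own account user, as is typical on cPanel hosts, so a 600 wp-config.php remains readable by the site. The sample tree it builds is constructed for the demonstration and deleted afterwards; replace it with your real document root when you use it.

```shell
#!/bin/sh
# Added example (not SakuraHost's own tooling): audit a web root against the
# recommended modes and fix deviations. Assumes Linux, POSIX sh and find, and
# that PHP runs as the account user so 600 on wp-config.php still works.

# Report every path whose mode differs from the recommendation:
#   directories -> 755, wp-config.php -> 600, all other files -> 644
# Output: one line per finding, "<KIND> <path>".
audit_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$root" -type f -name wp-config.php ! -perm 600 -print | sed 's/^/CONF /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print | sed 's/^/FILE /'
}

# Apply the recommended modes in bulk. Run audit_perms first and read the
# findings: a directory that an application deliberately needs writable by a
# different user should be handled individually, not blanket-reset.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Constructed sample tree with deliberately wrong modes (for the demo only).
make_sample_root() {
    d=$(mktemp -d)
    chmod 755 "$d"
    mkdir "$d/uploads"
    printf '<html></html>\n' > "$d/index.html"
    printf '<?php // constructed stand-in for real credentials\n' > "$d/wp-config.php"
    printf '<?php echo 1;\n' > "$d/script.php"
    chmod 644 "$d/index.html"
    chmod 644 "$d/wp-config.php"   # wrong: should be 600
    chmod 755 "$d/script.php"      # wrong: PHP files do not need execute
    chmod 777 "$d/uploads"         # wrong: world-writable directory
    echo "$d"
}

# Demo: audit the sample tree, fix it, and confirm a clean second audit.
demo_root=$(make_sample_root)
echo "== before =="; audit_perms "$demo_root"
fix_perms "$demo_root"
echo "== after ==";  audit_perms "$demo_root"
rm -rf "$demo_root"
```

Running the script prints three findings for the sample tree (the 777 upload directory, the 644 wp-config.php and the 755 PHP file) and nothing after the fix. Against a real document root, review the audit output before calling fix_perms so that any directory a plugin legitimately needs with a different mode is handled on its own.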
Changing Permissions in cPanel File Manager
Essential Security Practices
1. Protect Configuration Files
Files containing database credentials, API keys, and other sensitive information should have the most restrictive permissions possible. For WordPress, set wp-config.php to 600. Additionally, add this rule to .htaccess to block web access:
2. Disable Directory Browsing
By default, if a directory lacks an index file, Apache may display a listing of all files in that directory. Prevent this by adding to .htaccess:
3. Block Sensitive File Types
Prevent access to backup files, log files, and configuration files that might contain sensitive information:
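Practices 1 to 3 are all additions to the same .htaccess file, so the following added example (not the article's own rule set) writes them in one step. It assumes Apache 2.4 (the `Require` syntax) and that the host's AllowOverride setting permits `Options` and `FilesMatch` directives in .htaccess, which is usual on cPanel accounts; the `# kb-hardening` marker is a constructed tag used only so the function can be re-run without duplicating the rules.

```shell
#!/bin/sh
# Added example (not SakuraHost's own rules): append the three .htaccess
# hardening rules from practices 1-3 to a site directory. Assumes Apache 2.4
# and an AllowOverride that permits these directives. The "# kb-hardening"
# marker is a constructed tag that keeps the function idempotent.

HARDEN_MARKER='# kb-hardening'

# Append the rules to $1/.htaccess unless the marker is already present.
write_htaccess_rules() {
    site="$1"
    ht="$site/.htaccess"
    if [ -f "$ht" ] && grep -q "$HARDEN_MARKER" "$ht"; then
        return 0
    fi
    cat >> "$ht" <<'EOF'
# kb-hardening
# 1. Block web access to the WordPress configuration file
<Files "wp-config.php">
    Require all denied
</Files>

# 2. Disable directory listings where no index file exists
Options -Indexes

# 3. Block backup, log, SQL dump and configuration file types
<FilesMatch "\.(bak|old|orig|save|swp|sql|log|ini)$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$ht"   # Apache must be able to read it (see the table above)
}

# Number of deny rules present, handy for confirming the file was written.
count_deny_rules() {
    grep -c 'Require all denied' "$1/.htaccess"
}

# Demo against a constructed temporary site directory.
demo_site=$(mktemp -d)
write_htaccess_rules "$demo_site"
echo "deny rules written: $(count_deny_rules "$demo_site")"
rm -rf "$demo_site"
```

After writing the rules, request one of the blocked names in a browser (for example `/wp-config.php`) and confirm you receive a 403 rather than the file; if the whole site returns a 500 instead, the host's AllowOverride does not permit one of the directives and that block should be removed or raised with support.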
4. Secure the wp-admin Directory (WordPress)
Add password protection to your admin directory using cPanel's Directory Privacy feature (under Security > Directory Privacy). This adds an additional authentication layer before the WordPress login screen. See the Apache authentication documentation for more details.
5. Keep Software Updated
Outdated software is the leading cause of website compromises. Regularly update your CMS, themes, plugins, and any custom applications. WordPress provides automatic update options in Dashboard > Updates.
6. Use Strong Passwords
Every password associated with your hosting account should be strong and unique: cPanel login, FTP accounts, database users, CMS admin accounts, and email accounts. Use cPanel's built-in password generator, which creates cryptographically strong random passwords.
Monitoring for Security Issues
cPanel provides several tools to monitor your account security:
- Imunify360 Malware Scanner: Available under Security > Imunify360 in cPanel, this tool scans your files for known malware and suspicious code.
- Error Logs: Check Metrics > Errors for unusual error patterns that might indicate attack attempts.
- Access Logs: Review Metrics > Raw Access to identify suspicious request patterns.
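Reviewing a raw access log by eye gets slow quickly, so here is an added example (not a SakuraHost tool) of the three checks this section suggests, run with awk over an Apache common-format log such as the one under Metrics > Raw Access: requests for configuration, backup, log or SQL files; clients producing many 4xx responses; and repeated POSTs to the WordPress login page. The log lines embedded below are constructed samples using documentation IP ranges, not real traffic.

```shell
#!/bin/sh
# Added example (not a SakuraHost tool): triage an Apache access log for the
# patterns the article says to look for. Assumes the common/combined log
# format (fields: ip - - [date tz] "METHOD path proto" status size).
# The sample lines are constructed; the addresses are documentation ranges.

SAMPLE_LOG='203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 100
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 200
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /backup.sql HTTP/1.1" 404 200
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 404 200
198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "GET /wp-config.php HTTP/1.1" 403 200
198.51.100.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1500
198.51.100.7 - - [10/Mar/2024:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1500
192.0.2.9 - - [10/Mar/2024:10:00:09 +0000] "GET /missing.png HTTP/1.1" 404 200'

# Requests for config, backup, log or SQL-dump paths. Output: "ip path status".
# A 403 here means the .htaccess rules did their job; a 200 needs attention.
sensitive_requests() {
    awk '$7 ~ /wp-config\.php|\.(bak|old|sql|log|ini|env)$/ { print $1, $7, $9 }'
}

# Clients with at least N (default 3) 4xx responses. Output: "count ip".
noisy_clients() {
    min="${1:-3}"
    awk -v min="$min" '$9 ~ /^4/ { c[$1]++ }
                       END { for (ip in c) if (c[ip] >= min) print c[ip], ip }'
}

# POST requests to the WordPress login page per client. Output: "count ip".
login_posts() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" { c[$1]++ }
         END { for (ip in c) print c[ip], ip }'
}

# Demo over the constructed sample (pipe a real log into the functions instead).
echo "== sensitive paths ==";  printf '%s\n' "$SAMPLE_LOG" | sensitive_requests
echo "== noisy clients ==";    printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3
echo "== wp-login POSTs ==";   printf '%s\n' "$SAMPLE_LOG" | login_posts
```

On the sample, all three checks single out the same client, which is the typical shape of a probe: a burst of 404s against backup and configuration names, a 403 where the hardening rule blocked the real file, then repeated login attempts. On a real log, feed the file in with `cat access.log | noisy_clients 20` and raise the threshold to fit your normal traffic level.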
What to Do If Your Account Is Compromised
- Change all passwords immediately: cPanel, FTP, database, and CMS admin passwords.
- Scan for malware: Use Imunify360 in cPanel to identify and quarantine infected files.
- Restore from backup: If malware cannot be cleaned, restore from a known clean backup via cPanel or JetBackup.
- Update everything: Ensure all software, plugins, and themes are at their latest versions.
- Contact support: Open a ticket at billing.sakurahost.co.tz for professional assistance with malware removal and security hardening.