Making an Unnecessary Change to a Website That Breaks Updates is Not Good for Security

There is a nearly endless amount of bad security advice for websites, so someone has to try hard to make theirs stand out, but a post we happened to run across recently from a company named ENDURTECH managed to do that.

Their post, https://endurtech.com/setting-proper-chmod-permissions-for-wordpress-wp-config-php-and-htaccess/, suggested that you should change the permissions on a couple of WordPress files to the “proper” permissions:

Set CHMOD Permissions to 444 on the following files:

  • .htaccess
  • wp-config.php

Those are not the proper permissions (if they were, you would assume that WordPress would set them that way for you), and they don’t make sense from a security perspective, seeing as permissions only come into play if someone has access to the files. In a normal hosting setup, the only people who would have access to the files would also have permission to change the files’ permissions. So if you were to change the permissions as suggested, which would restrict editing the files, those with access could change the permissions back to be able to edit the files again. This doesn’t provide a real benefit for most websites.

Bad advice is very common; what made this stand out is what is stated before that in the post:

Please note that doing as suggested within this article will no doubt eventually cause issues with WordPress plugin updates and maybe even WordPress core updates.

This is because these files are no longer “editable”. Great for security, bad for updates.

Just keep this in mind and visit your website from time to time to make sure that your updates are completing correctly.

Keeping software updated actually has a positive impact on security, so they are suggesting doing something that isn’t useful and that, by their own admission, makes something useful harder, which is a bad idea.
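
Both points above can be checked in a throwaway directory. The script below is an added example, not code from the ENDURTECH post or from WordPress: it uses a constructed stand-in for wp-config.php and shows that the owning user can undo mode 444 without any extra privilege, while an in-place write (what an updater needs to do) is refused for as long as the mode stays 444. The function names are hypothetical.

```shell
#!/bin/sh
# Added demo with constructed sample files; everything happens in a temp dir.

# Print the 10-character mode string of a file, e.g. -r--r--r--
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Create a constructed stand-in for wp-config.php with mode 444; print its path.
make_readonly_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<?php // constructed sample' > "$dir/wp-config.php"
    chmod 444 "$dir/wp-config.php"
    printf '%s\n' "$dir/wp-config.php"
}

# Returns 0 if the owning user can undo mode 444 and then edit the file.
owner_can_undo_444() {
    f=$(make_readonly_sample) || return 1
    rc=1
    if [ "$(mode_of "$f")" = "-r--r--r--" ] && chmod 644 "$f"; then
        printf '%s\n' '// edited by owner' >> "$f"
        grep -q 'edited by owner' "$f" && rc=0
    fi
    rm -rf "$(dirname "$f")"
    return "$rc"
}

# Returns 0 if an in-place write is refused while the mode is still 444.
# Root bypasses permission bits, so expect 1 when run as root.
inplace_write_refused() {
    f=$(make_readonly_sample) || return 1
    rc=0
    if { printf '%s\n' '// update' >> "$f"; } 2>/dev/null; then
        rc=1
    fi
    rm -rf "$(dirname "$f")"
    return "$rc"
}

owner_can_undo_444 && echo "owner undid 444 and edited the file"
inplace_write_refused && echo "write refused while mode was 444" \
    || echo "write allowed despite 444 (running as root?)"
```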