{"id":426,"date":"2013-11-15T02:36:04","date_gmt":"2013-11-15T02:36:04","guid":{"rendered":"http:\/\/hosting-marketers.com\/news\/?p=426"},"modified":"2013-11-15T02:36:04","modified_gmt":"2013-11-15T02:36:04","slug":"suphp-and-server-error","status":"publish","type":"post","link":"https:\/\/hosting-marketers.com\/news\/2013\/11\/15\/suphp-and-server-error\/","title":{"rendered":"suPHP and &#8220;Server Error&#8221;"},"content":{"rendered":"<p>At Hosting Marketers all our servers run suPHP. This means that folders must be 755 and files 644 or even less; this blog post explains why.<\/p>\n<p>Hosting Marketers does not allow 777 on files which process server-side (i.e. PHP). However, many scripts require you to change your files to 777.<\/p>\n<p>I can tell you that 755 will work in lieu of 777. You will not need to use 777 on PHP files or folders.<\/p>\n<p>The concern is giving writable permissions to Group and World. This allows hackers from the world wide web to edit your files. Thus, the last two digits of file permissions should never be 2, 3, 6, or 7.<\/p>\n<p>The problem is that when you install a PHP script, the script needs permission to edit files. Traditionally, PHP is treated as &#8216;nobody&#8217; on the server. Therefore, PHP is treated the same as any unknown visitor and must obey the permissions granted to World.<\/p>\n<p>The solution to this conflict is to treat PHP as the Owner. Hosting Marketers has done so by implementing a special PHP security environment known as suPHP (or phpSuExec).<\/p>\n<p>With suPHP, all PHP scripts are allowed the same permissions as the Owner, and outside visitors are still restricted by the World permissions. 
Therefore, 755 is the perfect number; it allows all actions for PHP and only reading\/viewing for potential hackers.<\/p>\n<p><strong>Explanation<\/strong><\/p>\n<p>If a server requires 777 permissions on a folder in order for PHP to write to that folder, then your server is only as secure as the least secure account on that server.<\/p>\n<p>If a server requires only 755 permissions for PHP uploads (i.e. with suPHP) then each account is on its own.<\/p>\n<p>A couple of examples might illustrate this better.<\/p>\n<p>Say a server has two accounts on it and that server is running PHP through Apache (i.e. no suPHP, 777 directories are required for PHP uploads). The two accounts are apples.com and oranges.com. apples.com is running a Gallery script that requires the upload directory to have world-write enabled (permissions 777), but the owner of apples.com always keeps their Gallery script up-to-date and practices the best security policies. The owner of oranges.com, on the other hand, doesn&#8217;t care about security. They are running an old WordPress install, an old Joomla script, and perhaps some other scripts that they never used and never updated or removed.<\/p>\n<p>When oranges.com gets hacked into because of the outdated scripts, those hackers may be able to place a PHP shell script onto the account, and they would then have access to write files into apples.com&#8217;s upload directory, the directory on apples.com that has 777 permissions.<\/p>\n<p>This doesn&#8217;t seem quite fair, because apples.com was keeping their scripts up-to-date, yet their account was also being used in the exploit.<\/p>\n<p>Now consider this same scenario where apples.com and oranges.com are on a server running suPHP. 
apples.com still has the Gallery script, but because suPHP is in use, the upload directory for the Gallery script can survive with permissions of 755.<\/p>\n<p>Now when oranges.com gets hacked because of their old and outdated scripts, that hacker cannot upload anything onto the apples.com account because apples.com does not have any open directories. The hacker can go wild on the oranges.com account, upload and delete anything they want. But the blame always goes back to the owner of oranges.com: why wasn&#8217;t that person keeping their scripts up-to-date?<\/p>\n<p>This is why Hosting Marketers always uses suPHP on its servers!<\/p>\n<p>Now an extra word of advice with suPHP. In the above example, I would recommend that apples.com keep their Gallery script&#8217;s config file set with a permission setting of 600 or even 400. The reason being, if the config file (the file that contains the Gallery&#8217;s database login credentials) is using the default permission setting of 644, then the hacker from oranges.com would still be able to read the config file (they would be able to READ any files that are set to 644 or above, just not write to them). This is why you should always create a MySQL username and password for accessing your MySQL databases, and NEVER use your main account username and password in your script&#8217;s configuration files for accessing MySQL databases. 
If you do use your main account username and password in the config file, and the config file has a permission setting of 644, then hackers from oranges.com would still be able to read the config file, get your login information, and then FTP into your account.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why might you get a 500 Server Error on your site?<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[88],"tags":[90,151,89],"class_list":["post-426","post","type-post","status-publish","format-standard","hentry","category-security","tag-folder-permissions","tag-security","tag-suphp"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p9Yxzd-6S","jetpack-related-posts":[{"id":1371,"url":"https:\/\/hosting-marketers.com\/news\/2025\/04\/15\/the-ultimate-wordpress-security-guide-for-cpanel-users-2025-edition\/","url_meta":{"origin":426,"position":0},"title":"The Ultimate WordPress Security Guide for cPanel Users (2025 Edition)","author":"Admin","date":"April 15, 2025","format":false,"excerpt":"WordPress powers 
over 40% of all websites \u2014 which makes it a prime target for hackers. If you\u2019re hosting with cPanel and using WordPress, security should be your top priority. At Hosting Marketers, we give you the tools (LiteSpeed, CloudLinux, CPGuard, Cloudflare) \u2014 but here\u2019s what you need to do\u2026","rel":"","context":"In &quot;security&quot;","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"Protect your WordPress site from hackers with this complete security guide. Learn how to harden your site using cPanel, PHP updates, file permissions, .htaccess rules, and best practices.","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_36_03-AM.png?fit=1200%2C800&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":1367,"url":"https:\/\/hosting-marketers.com\/news\/2025\/04\/15\/12-essential-steps-to-secure-your-laravel-website-on-cpanel\/","url_meta":{"origin":426,"position":1},"title":"12 Essential Steps to Secure Your Laravel Website on cPanel","author":"Admin","date":"April 15, 2025","format":false,"excerpt":"Laravel is a powerful and flexible PHP framework \u2014 but with that power comes responsibility. 
If you're running your Laravel application on a cPanel server, securing your environment is critical. At Hosting Marketers, we use LiteSpeed, CloudLinux, CPGuard, and Cloudflare, providing a robust foundation \u2014 but the app itself must\u2026","rel":"","context":"In &quot;security&quot;","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"Laravel security is not optional \u2014 and at Hosting Marketers, we make sure you start with the best protection possible. By combining strong server-level firewalls with smart application-level hardening, your Laravel website can stay one step ahead of hackers.","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_15_08-AM.png?fit=800%2C1200&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_15_08-AM.png?fit=800%2C1200&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_15_08-AM.png?fit=800%2C1200&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/04\/ChatGPT-Image-Apr-15-2025-06_15_08-AM.png?fit=800%2C1200&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":1353,"url":"https:\/\/hosting-marketers.com\/news\/2025\/02\/24\/how-to-secure-your-wordpress-and-laravel-sites-on-a-hosting-marketers-shared-accounts\/","url_meta":{"origin":426,"position":2},"title":"How to Secure Your WordPress and Laravel Sites on a Hosting Marketers Shared Accounts","author":"Admin","date":"February 24, 2025","format":false,"excerpt":"Website security is critical for protecting your data, preventing hacks, and ensuring your site runs smoothly. 
While your hosting provider has CSF Firewall to protect the server from external threats, securing your WordPress or Laravel site is your responsibility. Many hacks happen because of poor security practices\u2014such as outdated plugins,\u2026","rel":"","context":"In &quot;security&quot;","block_context":{"text":"security","link":"https:\/\/hosting-marketers.com\/news\/category\/security\/"},"img":{"alt_text":"How to Secure Your WordPress and Laravel Sites on a Hosting Server with CSF Firewall","src":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/hosting-marketers.com\/news\/wp-content\/uploads\/2025\/02\/security.jpg?fit=1024%2C1024&ssl=1&resize=700%2C400 2x"},"classes":[]},{"id":184,"url":"https:\/\/hosting-marketers.com\/news\/2010\/11\/02\/what-to-do-when-your-site-is-hacked-or-when-you-arrive-at-your-site-you-this-warning-reported-attack-page\/","url_meta":{"origin":426,"position":3},"title":"what to do when your site is hacked or when you arrive at your site you see this warning: Reported Attack Page!","author":"Admin","date":"November 2, 2010","format":false,"excerpt":"What to look for The three most common forms of badware that StopBadware sees on compromised sites are: 1. Malicious scripts 2. .htaccess redirects 3. Hidden iframes Malicious scripts Malicious scripts are often used to redirect site visitors to a different website and\/or load badware from another source. 
These scripts\u2026","rel":"","context":"In &quot;Reported Attack Page!&quot;","block_context":{"text":"Reported Attack Page!","link":"https:\/\/hosting-marketers.com\/news\/category\/reported-attack-page\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":138,"url":"https:\/\/hosting-marketers.com\/news\/2009\/11\/19\/register_globals-on-servers-with-suexec\/","url_meta":{"origin":426,"position":4},"title":"register_globals on servers with SuExec","author":"Admin","date":"November 19, 2009","format":false,"excerpt":"First of all allowing register_globals on, on a server is real stupid, it is a security risk that no hosting company should accept, but sometimes for old scripts it is necessary to have it on, in this case should be enabled on the customer account on the .htaccess file or\u2026","rel":"","context":"In &quot;Hosting Marketers News&quot;","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":663,"url":"https:\/\/hosting-marketers.com\/news\/2018\/03\/27\/how-to-run-python-scripts\/","url_meta":{"origin":426,"position":5},"title":"How to run Python scripts","author":"Admin","date":"March 27, 2018","format":false,"excerpt":"How to run Python scripts If you wish to run Python scripts in your hosting account, you can create and edit them in two ways: either in cPanel or via SSH. To create and edit Python script in cPanel use the following steps: 1. Log in to your cPanel: 2. 
Go\u2026","rel":"","context":"In &quot;Hosting Marketers News&quot;","block_context":{"text":"Hosting Marketers News","link":"https:\/\/hosting-marketers.com\/news\/category\/hosting-marketers-news\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/comments?post=426"}],"version-history":[{"count":1,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/426\/revisions"}],"predecessor-version":[{"id":427,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/posts\/426\/revisions\/427"}],"wp:attachment":[{"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/media?parent=426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/categories?post=426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hosting-marketers.com\/news\/wp-json\/wp\/v2\/tags?post=426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}