When you install WordPress (3.9.1 currently) manually through the zip file over at wordpress.org, you're given a folder structure. I've outlined it below, but I've only gone two folders deep to illustrate my question.
In IIS7, the default user is IUSR.
What I'd like to know is: what permissions should I give this file structure so that logged-in users can upload files and update plugins as well as the core (with new releases) via the WordPress administration area... without opening up hack holes?
Is it safe to allow IUSR these permissions on the entire structure? (X = not checked, O = checked)
- [X] Full Control
- [O] Modify
- [O] Read & Execute
- [O] List Folder Contents
- [O] Read
- [O] Write
- [X] Special Permissions
I'm afraid that if I open up this gate, it'll allow hackers to exploit my server's file system within this website, potentially opening up more dangerous possibilities. I've read their suggestions over at http://codex.wordpress.org/Changing_File_Permissions, but that document outlines Linux settings, not IIS. I can't seem to find one for IIS.
/* Begin File Structure
/wordpress/
    /wp-admin/
        /css/
        /images/
        /includes/
        /js/
        /maint/
        /network/
        /user/
    /wp-content/
        /plugins/
        /themes/
    /wp-includes/
        /Certificates/
        /css/
        /fonts/
        /ID3/
        /images/
        /js/
        /pomo/
        /SimplePie/
        /Text/
        /theme-compat/
*/
Looking at this file structure, it seems that in order to allow people who are logged into the administration area of the website to upload files, update the core, and add/remove plugins, I'd have to give the whole thing crazy amounts of access, giving anyone the ability to upload anything if they find a loophole in WP's code.
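As an added example (not part of the original question), the split the question is reaching for can be expressed directly in NTFS: Read & Execute on the whole tree, Modify only where WordPress actually writes, then an audit that lists every folder the web account can write to. It assumes an install path and that the serving account is IUSR as named in the question (or the application-pool identity, if that is what runs PHP); the script is illustrative, not WordPress's or Microsoft's own.

```powershell
# Added example (not from the original question): a least-privilege NTFS layout
# for a WordPress tree on IIS, applied with icacls and then audited from PowerShell.
# Assumptions, not from the page: the install lives at $SiteRoot, and the account
# that serves requests is $WebUser (IUSR as in the question; substitute the
# application-pool identity, e.g. 'IIS AppPool\DefaultAppPool', if that runs PHP).
$SiteRoot = 'C:\inetpub\wwwroot\wordpress'   # assumed path
$WebUser  = 'IUSR'

function Set-WordPressAcl {
    param([string]$Root, [string]$User)
    # Whole tree: Read & Execute only. (OI)(CI) makes the entry inherit to files and
    # sub-folders; /grant:r replaces any explicit grant the account already holds.
    icacls $Root /grant:r "${User}:(OI)(CI)RX" | Out-Null
    # Only wp-content needs to be writable: media uploads and plugin/theme installs
    # all land there. Modify (M) allows create/delete but not changing permissions.
    icacls (Join-Path $Root 'wp-content') /grant:r "${User}:(OI)(CI)M" | Out-Null
    # wp-config.php (database credentials and salts) stays read-only for the web user.
    icacls (Join-Path $Root 'wp-config.php') /grant:r "${User}:R" | Out-Null
}

function Get-WebUserWriteAccess {
    param([string]$Root, [string]$User)
    # List every folder where the web user can write, including entries inherited
    # from parents of $Root; anything outside wp-content is an unintended hole.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    $name = $User.Split('\')[-1]
    @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse) |
    ForEach-Object {
        foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value.Split('\')[-1] -eq $name -and
                (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                [pscustomobject]@{ Path = $_.FullName; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Set-WordPressAcl -Root $SiteRoot -User $WebUser
Get-WebUserWriteAccess -Root $SiteRoot -User $WebUser | Format-Table -AutoSize
```

With this layout, uploads and plugin/theme installs work, but core updates from the admin area fail until the web user is also given Modify on wp-admin and wp-includes (temporarily, or by updating manually). Installs also unpack through PHP's temp directory (or WP_TEMP_DIR), which the web user must be able to write to.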