The default permission scheme should be:
755644Avoid having any file or directory set to 777. 777 means global access. Usually only cache files have this permission.
Via command line you can run the following commands to change permissions recursively:
1# For Directories:
2find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
3
4# For Files:
5find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
You should set these permissions
600 -rw------- /home/user/wp-config.php
604 -rw----r-- /home/user/cgi-bin/.htaccess
600 -rw------- /home/user/cgi-bin/php.ini
711 -rwx--x--x /home/user/cgi-bin/php.cgi
100 ---x------ /home/user/cgi-bin/php5.cgi
Run these commands to set them. Might have to re-check the paths for php/cgi files…
1chmod 604 .htaccess;
2chmod 600 wp-config.php;
3chmod 600 php.ini cgi-bin/php.ini;
4chmod 711 cgi-bin/php.cgi;
5chmod 100 cgi-bin/php5.cgi;
Add the following to .htaccess
1# SECURING wp-config.php
2# http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php
3<files wp-config.php>
4order allow,deny
5deny from all
6</files>
7
8# SECURING wp-includes
9# http://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes
10# Block the include-only files.
11<IfModule mod_rewrite.c>
12RewriteEngine On
13RewriteBase /
14RewriteRule ^wp-admin/includes/ - [F,L]
15RewriteRule !^wp-includes/ - [S=3]
16RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
17RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
18RewriteRule ^wp-includes/theme-compat/ - [F,L]
19</IfModule>
20
21# SECURING xmlrpc.php
22# https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
23# Prevent Brute forcing via xmlrpc.php by allowing ONLY localhost access xmlrpc.php
24# (some other plugin using xmlrpc e.g. Yoast might have an issue, check the log files, read up)
25<files xmlrpc.php="">
26Order Deny,Allow
27Deny from all
28Allow from 192.0.64.0/18
29Satisfy All
30ErrorDocument 403 http://127.0.0.1/
31</files>