Is making my PHP files read-only a useful security measure?

@Fox8124981

Posted in: #Apache #Php #Security

Up until now I've been "protecting" my website's PHP files by making them read-only with chmod.

Is this a useful security tactic? Or is it some "old wives' tale" and I'm wasting my time?

I'm inclined to think that anyone who is in a position to modify my PHP files could also chmod them (thus barely slowing down any would-be attacker). Or they could just create a new file somewhere (like a cache or upload directory). Thoughts?

The downside of implementing this technique is that I have to shell in and make the files writable every time I want to automatically update WordPress (or, really, make any changes to my site). So I update less often than I probably should. So, even if it's marginally useful, is it worth it?


2 Comments


@Rambettina238

If you also make the PHP files owned by some user other than the one that Apache runs as, then yes, you have blocked off one potential attack scenario. If you leave them owned by the Apache user then an attacker with Apache-level privileges (an example of this would be code injection or a remote file inclusion) would be able to chmod the files and edit them anyway.

This doesn't block off any other attack scenarios such as an attacker guessing your SSH password or finding a flaw that gives him root access.

If an attacker managed to get Apache-level privileges to your server but couldn't edit PHP files due to the ownership and permissions, it's likely that they would either do what they can to achieve their goals (say, upload a new script to the uploads directory or plant a .htaccess file somewhere) or use what access they have to escalate their privileges until they can edit the files.

If it's causing you to not update WordPress as often as you should, then it's probably decreasing overall security. Out-of-date WordPress is far worse than writable PHP files owned by the Apache user.

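An added example (not part of the original posts): a small POSIX shell audit of the points raised in the answer above. It reports PHP files the web-server user owns (and could therefore chmod back), world-writable PHP files, and directories where that user could create new files. The function name, the output labels, and the path and user in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example. audit_docroot DOCROOT WEBUSER
# Prints one finding per line as "<label><TAB><path>".
# WEBUSER is the account the web server runs as (name or numeric UID).
audit_docroot() {
    docroot=$1
    webuser=$2

    # PHP files owned by the web-server user: the owner can chmod them
    # back to writable, so the read-only bit alone does not protect them.
    find "$docroot" -type f -name '*.php' -user "$webuser" \
        -exec printf 'owned-by-web-user\t%s\n' {} \;

    # PHP files writable by every local account.
    find "$docroot" -type f -name '*.php' -perm -0002 \
        -exec printf 'world-writable-php\t%s\n' {} \;

    # Directories where the web-server user can create files
    # (new scripts, .htaccess), even if existing PHP files are locked down.
    find "$docroot" -type d \
        \( -perm -0002 -o \( -user "$webuser" -perm -0200 \) \) \
        -exec printf 'web-writable-dir\t%s\n' {} \;
}

# Usage (path and user are assumptions; adjust to your server):
#   audit_docroot /var/www/html www-data
```

Group-writable paths are not checked here; add a `-perm -0020` test if the web-server user shares a group with the file owner.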


 

@Gretchen104

Linux has the notion of security groups, so you can set a file read-only to one group, but not another. It is going to be easier for an attacker to pretend to be any user, rather than users with more privilege, like root. If they manage to pretend to be a user with lesser privileges then they are not going to be able to chmod the files, whereas if you've left them writable to all users, then they can modify them.

So it's a good thing to do, but certainly not the only thing you can do.


