Setting the file permissions on your server can help improve the security of your site. The permissions that are used may vary based on your server configuration, your level of access, and the way you intend to use your Backdrop site.

Choosing Permissions Level

There are two common configurations of file permissions for Backdrop:

  • Looser permissions: Where the web server user and the owner of the files is the same.
  • Stricter permissions: Where the web server user (commonly www-data or apache) cannot write files. A separate user account (accessed via FTP or SSH) owns the files.

In many cases, the level of permissions that should be set on the files is determined by the level of active maintenance you perform, and on what servers your site resides. If you wish to use the built-in user interfaces for installing and updating modules, the looser permissions are required. And if you are using shared hosting (such as Bluehost, A2 Hosting, Namecheap, GoDaddy, or many others), then looser permissions may be your only choice, because on most shared hosts the web server and the FTP/SSH user are the same.

If you manage your site's code with a version control system (such as Git) and you have full administrative abilities on your server, then stricter permissions are recommended.