For the past couple of days, I’ve been combating spam links on some of the blogs I manage. And these aren’t your run-of-the-mill comment and trackback links. These links had been inserted right on the theme files themselves. Some were even inserted in admin files. Some on the blog posts!
This made me think and rethink file permissions of WordPress theme files. One of the advantages of having them set to 777 (world-writable, or at least writable by the web server's group) is that you can easily edit themes directly through the WordPress interface. However, that opens up security holes: other processes or users on the server might be able to write to your files, and possibly insert malicious scripts.
Locking these for write access only to you, but read-only to the rest of the world (i.e., 644) will help prevent hack attacks. However, you’d have to edit theme files via FTP, cPanel file manager, or even via SSH (if you have access). That’s not as convenient as having everything easily accessible via the WP dashboard.
I’d go for the more secure option. In fact, I’d make sure to restrict not only my theme files, but all other files on the server to the extent possible. And did I mention that it’s really important to do regular upgrades on your blog software and plugins?
Any other thoughts on this?
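As an added example (not part of the original post), here is a small POSIX shell audit that reports theme files or directories that are group- or world-writable, and a fixer that applies the locked-down 644/755 setting discussed above. The path you pass in is a placeholder for your own WordPress install; it assumes only `find` and `chmod`.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for files/directories that are
# writable by group or others, and optionally tighten them to 644/755.
# Assumes POSIX sh, find and chmod; the directory argument is your own path.

# List every file or directory that anyone besides the owner can write to
# (e.g. 664, 666, 777). Usage: wp_perm_audit /path/to/wordpress
wp_perm_audit() {
    dir="$1"
    find "$dir" \( -type f -o -type d \) \
        \( -perm -g+w -o -perm -o+w \) -print
}

# Count offending entries; 0 means the tree matches the read-only policy.
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Tighten: directories 755, files 644. The owner keeps write access, so
# edits over SSH/SFTP or the cPanel file manager still work; only writes
# from other accounts (such as a web server running as a different user)
# are blocked, which is what stops the injected-link problem above.
wp_perm_fix() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}
```

Run `wp_perm_audit` first and review the list; anything outside `wp-content/uploads` that shows up is worth a look before you run `wp_perm_fix`.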
2 Responses
Research Left Over From the Weekend | Stephan Miller
19 Feb 2008
[...] Should You Restrict Theme File Permissions? [...]
Digital Scrapbook Freek
19 Feb 2008
Wow, I didn’t know that. I was under the impression that if you had installed WordPress security updates you were safe from hackers. I like the idea of changing the permission but it becomes long and not practical to do it from the cPanel... There is no other way to get your blog safe?