Customizing WordPress permissions when creating new site

[danawhittle]

What is the best approach if I want all WordPress folders to be 0755 and all files to be 0644 (aside from the CLI) whenever a new site is created? Is there any way to pre-configure this?

[s-a-s-k-i-a]

There's no pre-create hook for site permissions in CloudPanel — clpctl site:add:php runs with fixed defaults and there's no flag in the command spec for permissions. So this has to happen either right after site:add or via filesystem-level defaults.

Three options depending on how much you want to automate:

1. Post-creation script — simplest if you provision sites with clpctl:

#!/usr/bin/env bash
set -euo pipefail

SITE_USER="$1"
DOCROOT="/home/${SITE_USER}/htdocs"

# 0755 for directories, 0644 for files
find "${DOCROOT}" -type d -exec chmod 0755 {} \;
find "${DOCROOT}" -type f -exec chmod 0644 {} \;

# Make sure ownership is the site user, in case anything was placed by root
chown -R "${SITE_USER}:${SITE_USER}" "${DOCROOT}"

Run it as ./fix-perms.sh <site-user> after each clpctl site:add:php. Stays portable, no system-level changes.

2. ACL defaults — applies to anything created afterwards under the docroot:

# After site creation, once per site:
setfacl --default --modify u::rwx,g::rx,o::rx /home/<site-user>/htdocs
setfacl --default --modify m::rx /home/<site-user>/htdocs

--default ACLs propagate to newly-created entries inside the directory — so any file the site user (or WP-CLI / a deploy script) writes from then on will inherit 0644-ish perms automatically. Directories inherit the default for sub-directories, files get the file mask. Existing files aren't retroactively changed — that's still the find loop above. ACLs survive chmod and don't get wiped on package updates.

3. umask for the site user — narrower than ACLs, only affects files the site user creates via shells / SSH / cron:

echo 'umask 022' >> /home/<site-user>/.bashrc

A umask 022 gives 0755 dirs and 0644 files for everything that user creates. Won't affect files placed by PHP-FPM (FPM has its own working environment), package extractors, or anything that explicitly chmods afterwards. For PHP-written files (uploads, WP-generated files like .htaccess rewrites), WordPress itself respects FS_CHMOD_DIR / FS_CHMOD_FILE constants in wp-config.php:

define( 'FS_CHMOD_DIR',  0755 );
define( 'FS_CHMOD_FILE', 0644 );

That's what to combine with options 1 or 2 if your sites are WordPress — together they cover the full create-path on a stock CloudPanel install.

For provisioning at scale, options 1+2+the wp-config constants together give you deterministic perms without needing CloudPanel itself to grow a hook.