Having the correct file permissions on your site is one of the most common areas overlooked by webmasters in not only preventing attacks, but in limiting the damage that can be done.

 Sure, if your root user is compromised what file permissions you have will be irrelevent, but a lot of website hacking is carried out under the web user - the user that apache (PHP) runs under. By limiting file access, and setting the correct permissions on files it is possible to limit the damage that can be done.

Take the C99 shell for instance. Once uploaded to a website, it runs under the webuser. If all files in that website are read only for the user it can be difficult for a hacker to change any of the files. He can see them - but editing them and inserting malicious code will be a hundred times harder.

Yes, there is a lot of work in setting up the file permissions. Generally if your site is static in nature and you rarely, if ever, edit files on the site then there is little need to have them write enabled for the web user. The only exception might be a website that needs write permissions on certain files or folders. Common examples include upload directories for files, template folders, cache folders and tmp folders that may be used by a script withing a website - SMARTY templating engine being one example in requiring write access to cache folders.  The plus side is that once you have your file permissions set up, you essentially limit what a hacker can do without them moving up a user level to a server administrator etc. It is for this reason that webservers, email servers, FTP servers etc should ever be running under root access.  This is a critical point to note. In fact, webservers should run under a different user/GID/UID than any other process. The same rules should be applied to any other servers running on your system.

By looking at file permissions on your websites you can greatly limit what is open to a hacker to change. Everyfile on your server should be write protected, except for those that need to be explicitly write enabled. A good method for establishing which files need to be write enabled is to first set all files to write protect. Even most basic testing on your website will reveal those files and directories that need write permissions (For example, uploading pictures to your website will fail if the destination folder is write protected). Invariably if you are using a script, the install instructions will tell you which files require write permissions.