How to Set Correct Permissions for OJS/OMP: A Complete Guide

Setting proper file and directory permissions is a critical step when deploying or maintaining your Open Journal Systems (OJS) and Open Monograph Platform (OMP) installation. Misconfigured permissions can result in a range of issues—from broken features and failed uploads to serious security vulnerabilities. Whether you’re self-hosting on a dedicated server or using a shared hosting environment, it’s essential to ensure that your OJS files are accessible only in the way they are meant to be. If you are the editor team that does not have any capability of setting this permission, you can skip this tutorial as it should be handled by expert team. All of this configuration already setup by openjournaltheme.com or OJT team in our OJS hosting package or openjournaltheme.com Support Service

This step is one of important matter to be setup for OJS/OMP/OPS can be used without any issue or as it related to the security of those platform. For more information read it here : How to secure OJS

In this article, we’ll break down how file permissions work in Linux, how to apply them properly for OJS/OMP/OPS, and what variations may be needed depending on your hosting type.

Why Setting Directory and Files Permissions Matter in OJS

PKP Platform including OJS, OMP and OPS relies on being able to read, write, and cache files in specific directories. If these directories are not writable by the web server, this correct directories permission used by these features such as:

  • File uploads,
  • PDF generation,
  • Cache management,
  • Plugin installation, and
  • Locale updates

…may fail silently or throw errors. On the other hand, if you’re too permissive, you could open your site to unauthorized access, defacement, or data leaks.

Key Directories That Require Special Attention

For a standard OJS installation, make sure the following directories are writable by the web server:

  • files_dir (defined in config.inc.php)
  • cache/
  • public/

Optionally writable (use with caution for plugin or locale updates):

  • config.inc.php
  • plugins/
  • Locale XML files (locale/en_US/locale.xml, etc.)

All other core OJS files should be read-only by the web server.

Understanding Linux File Permissions

Linux permissions use two key concepts:

  • Ownership (user and group)
  • Permission bits (read, write, execute)

Each file or directory has:

  • A user (owner)
  • A group (often the web server group like www-data)
  • And a set of permissions for:
    • User (u)
    • Group (g)
    • Others (o)
drwxr-x--- cache/ → 750 (User: read/write/execute, Group: read/execute, Others: none)
  • r = read
  • w = write
  • x = execute (required for directories to access their contents)

For more detail on reading this, you can check the article : Understanding Linux Permission Concept

Example Setup for Dedicated Hosting

On a dedicated VPS or server, you usually have full control. A recommended setup for directory permission might be:

Web-writable directories:

sudo chown -R apache:www-data cache/ public/ [files_dir]
sudo chmod -R 750 cache/ public/ [files_dir]

Web-readable only directories:

sudo chown -R myuser:www-data [core OJS files]
sudo chmod -R 750 .

Files

  • Web-writable files: 640 (owner read/write, group read)
  • Non-writable files: 644 or 640 depending on the need

⚠️ Never set permissions to 777. This gives full control to all users and is a security risk.

Configure OJS directory permission in shared host

While it’s technically possible to run OJS on shared hosting environments like those using cPanel or DirectAdmin, we do not recommend this approach. Shared hosting often involves multiple applications—such as WordPress and other CMS platforms—running under the same user environment. This shared structure significantly increases the security risk, as a vulnerability in one application could potentially compromise the entire hosting account, including your OJS installation.

For enhanced data privacy, system performance, and security, we strongly recommend using a VPS (Virtual Private Server). A VPS provides better isolation, custom configuration options, and full control over the server environment—ideal for journals that prioritize long-term stability and secure access to sensitive academic data. While VPS hosting comes with slightly more complexity in setup and maintenance, the benefits far outweigh the risks associated with shared hosting. For starting point on securing OJS, you can read our article : How to Secure OJS/OMP/OPS

Alternatively, to make things even easier, you can choose our managed OJS hosting at OpenJournalTheme.com. All of our hosting plans come with Guardian AI Security Monitoring and OJT Advanced Security protocols, designed specifically to protect OJS/OMP from common threats while ensuring fast and reliable performance. It’s the easiest way to run a professional, secure journal—no technical expertise required.

However let us elaborate on configure the OJS concept of setting up permission in shared host. In the shared host the most crucial purpose it can be configure to restrict users from changing ownership (chown). In such cases:

  • The web server usually runs under your user account.
  • You can still secure your files by denying “world” access:
chmod -R o-rwx .

You may also need to disable plugin uploads or updates if your host does not support safe directory permissions. Always consult your host’s documentation.

Quick Summary

ComponentOwnerPermissionsNotes
files_dirapache:www-data750Writable by web server
cacheapache:www-data750Required for caching
publicapache:www-data750Holds images and site assets
Core filesmyuser:www-data750 or 755Read-only, no write unless necessary
Config filemyuser:www-data640Set writable only during setup
Plugins directorymyuser:www-data750 (optional)Writable only if installing plugins via UI

Final Tips on configuring directories permission in OJS/OMP/OPS

  • Always backup before changing permissions.
  • Set correct permissions after installing or upgrading OJS.
  • Use SSH access rather than FTP to maintain proper control.
  • Regularly scan for unexpected permission changes (especially if multiple admins have access).
  • For better control and automation, consider using deployment scripts or tools like Ansible.

Conclusion

Setting correct file permissions for OJS is more than a technical step—it’s a fundamental part of protecting your data, ensuring system stability, and avoiding unexpected errors. Whether you’re running OJS on your own server or using shared hosting, taking the time to configure permissions properly will help keep your journal platform running smoothly and securely.

Need help with your OJS setup or hosting? At OpenJournalTheme.com or OJT Team provides secure, optimized hosting with best-practice permissions and full support for OJS and OMP platforms.

About the Author
user-avatar

Project Manager

Hendra here, I love writing about OJS and share knowledge about OJS. My passion is about OJS, OMP platform and doing some research on creating innovated products for that platform to help publisher to improve their publication.

Leave a Comment

Your email address will not be published. Required fields are marked *

Open Journal Theme

Need More Services  or Question?

Openjournaltheme.com started in 2016 by a passionate team that focused to provide affordable OJS, OMP,  OPS,  Dspace, Eprints products and services. Our mission to help publishers to be more focus on their content research rather than tackled by many technical OJS issues.

Under the legal company name :
Inovasi Informatik Sinergi Inc.

Secure Payment :

All the client’s financial account data is stored in the respective third-party site (such as Paypal, Wise and Direct Payment).
*Payment on Credit card can be done by request
Your financial account is guaranteed protection. We never keep any of the clients’ financial data.

Index