Setting proper file and directory permissions is a critical step when deploying or maintaining your Open Journal Systems (OJS) and Open Monograph Platform (OMP) installation. Misconfigured permissions can result in a range of issues—from broken features and failed uploads to serious security vulnerabilities. Whether you’re self-hosting on a dedicated server or using a shared hosting environment, it’s essential to ensure that your OJS files are accessible only in the way they are meant to be. If you are the editor team that does not have any capability of setting this permission, you can skip this tutorial as it should be handled by expert team. All of this configuration already setup by openjournaltheme.com or OJT team in our OJS hosting package or openjournaltheme.com Support Service
This step is one of important matter to be setup for OJS/OMP/OPS can be used without any issue or as it related to the security of those platform. For more information read it here : How to secure OJS
In this article, we’ll break down how file permissions work in Linux, how to apply them properly for OJS/OMP/OPS, and what variations may be needed depending on your hosting type.
Table of Contents
Why Setting Directory and Files Permissions Matter in OJS
PKP Platform including OJS, OMP and OPS relies on being able to read, write, and cache files in specific directories. If these directories are not writable by the web server, this correct directories permission used by these features such as:
- File uploads,
- PDF generation,
- Cache management,
- Plugin installation, and
- Locale updates
…may fail silently or throw errors. On the other hand, if you’re too permissive, you could open your site to unauthorized access, defacement, or data leaks.
Key Directories That Require Special Attention
For a standard OJS installation, make sure the following directories are writable by the web server:
files_dir
(defined inconfig.inc.php
)cache/
public/
Optionally writable (use with caution for plugin or locale updates):
config.inc.php
plugins/
- Locale XML files (
locale/en_US/locale.xml
, etc.)
All other core OJS files should be read-only by the web server.
Understanding Linux File Permissions
Linux permissions use two key concepts:
- Ownership (user and group)
- Permission bits (read, write, execute)
Each file or directory has:
- A user (owner)
- A group (often the web server group like
www-data
) - And a set of permissions for:
- User (u)
- Group (g)
- Others (o)
drwxr-x--- cache/ → 750 (User: read/write/execute, Group: read/execute, Others: none)
r
= readw
= writex
= execute (required for directories to access their contents)
For more detail on reading this, you can check the article : Understanding Linux Permission Concept
Example Setup for Dedicated Hosting
On a dedicated VPS or server, you usually have full control. A recommended setup for directory permission might be:
Web-writable directories:
sudo chown -R apache:www-data cache/ public/ [files_dir]
sudo chmod -R 750 cache/ public/ [files_dir]
Web-readable only directories:
sudo chown -R myuser:www-data [core OJS files]
sudo chmod -R 750 .
Files
- Web-writable files:
640
(owner read/write, group read) - Non-writable files:
644
or640
depending on the need
⚠️ Never set permissions to 777. This gives full control to all users and is a security risk.
Configure OJS directory permission in shared host
While it’s technically possible to run OJS on shared hosting environments like those using cPanel or DirectAdmin, we do not recommend this approach. Shared hosting often involves multiple applications—such as WordPress and other CMS platforms—running under the same user environment. This shared structure significantly increases the security risk, as a vulnerability in one application could potentially compromise the entire hosting account, including your OJS installation.
For enhanced data privacy, system performance, and security, we strongly recommend using a VPS (Virtual Private Server). A VPS provides better isolation, custom configuration options, and full control over the server environment—ideal for journals that prioritize long-term stability and secure access to sensitive academic data. While VPS hosting comes with slightly more complexity in setup and maintenance, the benefits far outweigh the risks associated with shared hosting. For starting point on securing OJS, you can read our article : How to Secure OJS/OMP/OPS
Alternatively, to make things even easier, you can choose our managed OJS hosting at OpenJournalTheme.com. All of our hosting plans come with Guardian AI Security Monitoring and OJT Advanced Security protocols, designed specifically to protect OJS/OMP from common threats while ensuring fast and reliable performance. It’s the easiest way to run a professional, secure journal—no technical expertise required.
However let us elaborate on configure the OJS concept of setting up permission in shared host. In the shared host the most crucial purpose it can be configure to restrict users from changing ownership (chown
). In such cases:
- The web server usually runs under your user account.
- You can still secure your files by denying “world” access:
chmod -R o-rwx .
You may also need to disable plugin uploads or updates if your host does not support safe directory permissions. Always consult your host’s documentation.
Quick Summary
Component | Owner | Permissions | Notes |
files_dir | apache:www-data | 750 | Writable by web server |
cache | apache:www-data | 750 | Required for caching |
public | apache:www-data | 750 | Holds images and site assets |
Core files | myuser:www-data | 750 or 755 | Read-only, no write unless necessary |
Config file | myuser:www-data | 640 | Set writable only during setup |
Plugins directory | myuser:www-data | 750 (optional) | Writable only if installing plugins via UI |
Final Tips on configuring directories permission in OJS/OMP/OPS
- Always backup before changing permissions.
- Set correct permissions after installing or upgrading OJS.
- Use SSH access rather than FTP to maintain proper control.
- Regularly scan for unexpected permission changes (especially if multiple admins have access).
- For better control and automation, consider using deployment scripts or tools like Ansible.
Conclusion
Setting correct file permissions for OJS is more than a technical step—it’s a fundamental part of protecting your data, ensuring system stability, and avoiding unexpected errors. Whether you’re running OJS on your own server or using shared hosting, taking the time to configure permissions properly will help keep your journal platform running smoothly and securely.
Need help with your OJS setup or hosting? At OpenJournalTheme.com or OJT Team provides secure, optimized hosting with best-practice permissions and full support for OJS and OMP platforms.