I agree with using a 0 for World permissions. But you need to keep the distinction from the recommended installation procedure, about some directories requiring write access, while others don’t need it.
Anyway, I don’t like our current permissions instructions. We should really make better ones, remove all “world” permissions, suggest a nice scheme where access happens from the Group bits, not the Owner bits. A few code tweaks would also be very beneficial in the area of permissions.
This is my favored set up these days:
sudo chown -R pgr:www-data .
sudo chmod -R 750 .
sudo chmod -R 770 cache custom modules themes data upload
sudo chmod 770 config_override.php 2>/dev/null
pgr is my individual user. I add it to the www-data group. This way I can edit files without breaking ownerships, and this way the web server actually uses that second digit (which varies between 5 and 7 for selected directories) instead of being owner and always using the first digit, which is always 7 - that defeats the purpose of trying to give write permissions only where strictly necessary.
Other users get nothing, not even read access. Read access to your config files is a huge security risk, there are DB admin passwords in clear text in there. We have some
.htaccess protection for that, when attackers need to go through the Web server, but not much security from threats inside the same server (different users).