My old 1.2.4 site was hacked - lots of rogue files scattered about. FrontPage was enabled (default from host) and PHP was 4.4.3 - either of which, or neither, could have been the source of the problem.

OK, now I am building a replacement on a new server - Zen 1.3.7 - and I want it locked down. I am aware of the security recommendations in the FAQ/Wiki.

I found the following on this forum somewhere, cannot relocate it:

"Folders should be 755, and files 644 except for the two configure.php files - set to 755 or 777 during the installation. After the install is complete reset to 444 or 400 on an Apache based server.

If you can't install with those permissions then you don't have the server set up correctly."

Thing is, there are hundreds and hundreds of files set to 755. Should I reset each one to 644 (in file manager, slowly by hand), or would that mess something else up? Seems that if they needed to be 644 then they would already be 644??? And anyway, the problem last time was added files in existing folders that were set to 755.

I suspect that once the hacker sees that I have closed his playground he will take it as a challenge to get back in.
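
An added example, not part of the original post: the quoted 755/644/444 scheme applied in one pass with `find` and `chmod` instead of by hand in a file manager, with a preview step that lists what would change first. The function names are hypothetical, and matching the two configure.php files by file name is an assumption.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.
# Scheme quoted in the post: folders 755, files 644, configure.php 444.
# Assumption: the two configure.php files are matched by file name.

# List every entry whose mode differs from the scheme (changes nothing).
preview_changes() {
    find "$1" \( -type d ! -perm 755 \) \
        -o \( -type f ! -name configure.php ! -perm 644 \) \
        -o \( -type f -name configure.php ! -perm 444 \)
}

# Apply the scheme. Symlinks are skipped (-type f / -type d never match them).
harden_tree() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -name configure.php ! -perm 644 -exec chmod 644 {} +
    find "$root" -type f -name configure.php ! -perm 444 -exec chmod 444 {} +
}

# Count files and folders that are still group- or world-writable.
count_loose() {
    find "$1" ! -type l \( -perm -002 -o -perm -020 \) | wc -l | tr -d ' '
}

# Runs only when STORE_ROOT is set, e.g. STORE_ROOT=/path/to/store sh harden.sh
if [ -n "${STORE_ROOT:-}" ]; then
    echo "Entries that will change:"
    preview_changes "$STORE_ROOT"
    harden_tree "$STORE_ROOT"
    echo "Still group/world-writable: $(count_loose "$STORE_ROOT")"
fi
```

Any folder the application must write to will need its permissions raised again afterwards, so read the preview list before applying.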