WordPress file permissions are crucial to the safety of your site. And yet they are the last thing that comes to mind when you think about website security. Earlier we spoke of various security measures that can help you secure your site, but if file permissions are not set correctly, most of those measures can be easily bypassed. Apart from making the website vulnerable, wrong file permissions can also lead to different types of errors. For instance, visitors may see a blank screen (called the White Screen of Death), or uploading images to your site becomes impossible. Since setting the right WordPress file permissions is vital to the well-being of your site, in this post we will look at how to set up the right file permissions for your WordPress site.
WordPress has a well-defined folder structure with the wp-admin, wp-content, and wp-includes folders forming the core of your WordPress website. All the components that make up your site, such as posts, images, themes and plugins, are stored in those folders (check this handy guide to understanding WordPress folders and the database). Every folder is associated with a set of permissions that determines “who” has access to “what” on your site. Before proceeding with how to set up WordPress file permissions correctly, let’s try to understand “users” and “groups”, because they are closely related to file permissions.
What Are WordPress Users & Groups?
A user is simply an account on your server. Every time you transfer files using FTP you are using your user account on your server. Depending on your needs, you can assign users to one group or another. A group is a set of users, and one user can belong to one or more groups. But not everyone in the same group shares the same privileges.
Privilege here stands for permission. The owner of a file will typically enjoy full permission, while other members of the file’s group may have restricted permission.
Based on ownership, users can be divided into three segments:
- The Owner: The user who owns the file or folder and enjoys full privileges on it
- Group: A set of users who share a (possibly more limited) set of privileges on a WordPress file or folder
- World/Other Users: Everyone else, meaning users who are neither the owner nor members of the file’s group
Each of these classes of user enjoys different privileges or permissions, but what exactly are these permissions?
What are WordPress File Permissions?
Every file in WordPress is associated with this set of permissions. These permissions dictate “who” can do “what” with a file. For every file, you can specify what actions the owner, the group and others can take. WordPress file permissions are as follows:
- Read determines whether a user can view the contents of the file
- Write (modify) determines whether a user can add or delete code in the file
- Execute (run) determines whether a user can run the file as a program or script, so that the code you add to the file actually executes
Each of these actions can be granted separately to the owner, the group and the world (or other users). Each of the three classes gets 3 bits, one for each of read, write and execute, so a file carries 9 permission bits in total. Each class’s 3 bits are written as a single octal digit (read = 4, write = 2, execute = 1, added together), which is why a file permission is expressed as a three-digit number such as 644.
Besides files, a WordPress installation also consists of directories. Like files, directories have permissions associated with them.
WordPress Directory Permission
Permissions on directories work as follows:
- Read determines whether a user can list the contents of the directory
- Write determines whether a user can create or delete files in the directory
- Execute determines whether a user can enter the directory and access what is inside it
Using the right permission for each and every file and directory is vital to the security of the site. For instance, a file like “wp-config” should be set to read-only permission for most users because it’s an extremely important file and fiddling with it without the necessary knowledge can spell disaster.
Changing WordPress File Permissions
To change WordPress file permissions, you need to access your File Manager from your web host cPanel.
Your File Manager offers an interface to help you alter permission of files and folders.
Simply choose the specific permission you want to implement on them.
You can also modify permissions through your server’s terminal, but that may be difficult for people without any command-line experience.
Default WordPress File Permissions
Permissions may differ from host to host but the general rule of thumb is:
- wp-config should be 660 (owner and group can read and write; others have no access)
- All other files should be 664 (owner and group can read and write; others can only read)
- And all folders should be 775 (owner and group can read, write and enter; others can only read and enter)
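The scheme above is easy to drift away from over time, so it helps to check it from the server's terminal. The script below is an added example, not part of the original post: it audits a directory tree against these defaults (files 664, directories 775, wp-config.php 660), reports every path that deviates, and applies the scheme with chmod. The site it checks is a throwaway tree constructed inside the script with typical mistakes; point wp_perm_deviations at a real document root to audit it.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the permission scheme
# above (files 664, directories 775, wp-config.php 660) and apply it.
# The sample tree built below is constructed here; it is not a real site.

# Print every path whose mode deviates from the scheme, one per line.
wp_perm_deviations() {
  root="$1"
  find "$root" -type d ! -perm 775                          # directories
  find "$root" -type f ! -name wp-config.php ! -perm 664     # ordinary files
  find "$root" -type f -name wp-config.php ! -perm 660       # the config file
}

# Number of deviating paths (0 means the tree matches the scheme).
wp_perm_count() {
  wp_perm_deviations "$1" | wc -l | tr -d ' '
}

# Apply the scheme with chmod; directories first so traversal keeps working.
wp_perm_apply() {
  root="$1"
  find "$root" -type d -exec chmod 775 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 664 {} +
  find "$root" -type f -name wp-config.php -exec chmod 660 {} +
}

# Build a throwaway site with typical mistakes: a 755 root, a world-writable
# wp-config.php, a 777 uploads directory and an executable file in uploads.
wp_perm_sample() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
  printf '<?php\n' > "$site/wp-config.php"
  printf '<?php\n' > "$site/wp-content/uploads/image.php"
  printf '<?php\n' > "$site/wp-includes/functions.php"
  chmod 755 "$site"
  chmod 666 "$site/wp-config.php"
  chmod 777 "$site/wp-content/uploads"
  chmod 755 "$site/wp-content/uploads/image.php"
  chmod 775 "$site/wp-content" "$site/wp-includes"
  chmod 664 "$site/wp-includes/functions.php"
  echo "$site"
}

site=$(wp_perm_sample)
echo "before: $(wp_perm_count "$site") deviation(s)"
wp_perm_deviations "$site"
wp_perm_apply "$site"
echo "after: $(wp_perm_count "$site") deviation(s)"
rm -rf "$site"
```

On the sample tree the audit lists four deviations (the root, the uploads directory, the executable upload and wp-config.php) and none after wp_perm_apply has run.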
Over to You
A good security practice for any WordPress site is to make all files and folders read-only. It’ll prevent a hacker from altering files and folders or even uploading malicious scripts. Although this can reduce the chances of an attack, it also causes a lot of usability issues. Every time you want to modify a file, you’ll have to revert to the original permissions to complete the task at hand. Moreover, making the entire site read-only can cause strange errors when updating a WordPress plugin, theme or even the core. Hence, running updates on a staging site first can help determine whether the update will cause any trouble; if it does, you can take appropriate measures. Despite its shortcomings, setting all WordPress files and folders to read-only is an effective way of preventing hackers from fiddling with your site.