WordPress File Permissions: Complete Beginner’s Guide

Are you worried that hackers can exploit your WordPress files and break into your website?

We wish we could tell you that there is nothing to worry about, but unfortunately, hackers exploit incorrect file permissions and access WordPress files all the time.

File permissions define who can read, write, and execute the files that make up your WordPress site. If these permissions are set incorrectly, unauthorized users and hackers could edit them, insert spam content, and inject malware.

This will enable them to take control of your site and run malicious activities such as defacing your site, spamming your customers, and stealing confidential information.

Luckily, you can avoid all this by setting the correct file permissions for your WordPress files. In this guide, we show you how to set the right file permissions for different WordPress files. This will make your website much more secure against hackers.

Understanding The WordPress File Structure

To set file permissions, you first need to understand what needs protection. Your WordPress site comprises many folders and files that contain components of your site such as configurations, themes, plugins, posts, media, and so on.

If you visit the backend of your site, you’ll find that your files and folders are structured in a certain way. For instance, all the content of your website can be found in a folder called wp-content. Inside this folder, files pertaining to the plugins on your site can be found inside a folder called plugins. Check our guide on WordPress files structure and database.

By default, WordPress has three core folders:

  • wp-admin
  • wp-includes
  • wp-content

The core files include:

  • wp-config
  • .htaccess

These are the most important folders and files as they contain data and settings that are critical to the functioning and appearance of your WordPress website.

For example, the wp-config file contains information about the database, including the database name, hostname, username, and password. It is also used to define advanced options for WordPress.

You should allow only trusted users to read and modify this file, but it definitely shouldn’t be viewable by the public. If the permissions for wp-config file are set to be accessible by the world, then hackers can steal your database credentials and use it to hack your site.

Similarly, each file and folder mentioned above plays a critical role on your site and you need to protect them by setting the correct file permissions.

What Are WordPress File Permissions?

File permissions are a set of rules that determine ‘who’ can access ‘what’ on your WordPress site. For instance, you can set who has access to the wp-admin folder and in what capacity, meaning if they can just view the folder or make modifications as well.

There are three types of users that can access your files and folders:

  1. User – This is the owner or administrator of the WordPress site.
  2. Group – This denotes a set of users who have roles on your sites such as subscriber, contributor, or editor.
  3. World – This is the general public or rather, anyone on the internet.

Now, as we mentioned earlier, each type of user doesn’t need full permission to view your files and folders. Granting the world full access to sensitive files could be disastrous!

You need to grant different levels of permissions to different types of users depending on the level of trust you have with that particular user. There are three levels of permissions you can grant to users:

  1. Read (R) – This gives a user the ability to view a file.
  2. Write (W) – The user can alter and edit the file.
  3. Execute (X) – The user can run scripts and programs inside a file or folder.

By setting the correct files and folders permissions, you can prevent hackers from accessing confidential data and from altering crucial files.

File permissions are set as a three-digit number and to set the correct number, you need to learn what each number signifies.

What are File Permission Numbers?

File permissions are a combination of three numbers:


From left to right, the numbers are in order of the permissions granted to the type of WordPress user – user, the group, and the world.

Each number denotes a specific level of permission granted to the corresponding user:

  • 0 – No access
  • 1 – Execute
  • 2 – Write
  • 4 – Read

The rest of the numbers are a combination of 1, 2, and 4.

  • 3 – (2+1) Write and execute
  • 5 – (4+1) Read and execute
  • 6 – (4+2) Read and write
  • 7 – (4+3) Read, write and execute

You would not want all file permissions to be set to 777 and grant the whole world access to read, write, and execute your files. This grants write permissions which means a hacker can edit your files to redirect your visitors to other sites, launching bigger attacks on another website (DDoS), and spam and defraud your customers, among a host of other things. You can check our guide on how to stop DDoS attacks.

At the same time, you can’t set everyone’s permission to 000 or 444 either. This is because WordPress often requires permission to execute files or modify them. When you install plugins and themes, they need access to certain files and folders in order for you to be able to use them.

If you grant read-only access to everyone, WordPress and many plugins and themes won’t be able to function. Such WordPress permission settings will break your WordPress website.

So what are the recommended WordPress file permissions?

Recommended File Permissions in WordPress

Here are the recommended file permissions that you can set for your WordPress site.

  • wp-admin: 755
  • wp-content: 755
    • wp-content/themes: 755
    • wp-content/plugins: 755
    • wp-content/uploads: 755

How to Change File Permissions on WordPress

Changing your file permissions is relatively simple. But before you proceed, we strongly recommend taking a backup of your WordPress site. Any modifications to the backend of WordPress is risky and can lead to a broken site. You can use backup plugins like BlogVault to take a backup of your site. In case anything goes wrong, you can restore your site back to normal.

To set permissions, you need to access your WordPress folders and files. You can do this in two ways:

1. Change WordPress file permissions using cPanel

Step 1: Log in to your web hosting account and navigate to ‘manage your hosting’ and select cPanel. (This may vary between hosts. Please check with your hosting provider.)


Step 2: Inside cPanel, select File Manager.


Step 3: Open the root folder called public_html and you’ll find your WordPress website’s files and folders inside.

Step 4: Right-click on the folder or file you want to set permissions for and select change permissions.


Note: You can modify permissions on individual files. You can also select multiple folders and files, and change permissions for all of them together.

Step 5: Select the permissions you want and choose ‘Change permissions’ to save your changes.

Your file permissions will be changed now. In case you don’t have access to cPanel, you can still change your file permissions using FTP (File Transfer Protocol).

2. Change WordPress file permissions using FTP

FTP is a software you can use to connect to your WordPress website’s server in order to access its folders and files. To use FTP, you need to download an FTP client like Filezilla. Once you have this installed, we can begin.

Step 1: Enter your FTP credentials and establish a connection by selecting ‘Quickconnect’.


Step 2: Files and folders will populate in the panel on the right. Open the public_html folder. Here, you will find your website’s files and folders.

Step 3: Right-click on the file or folder you wish to set permissions for and choose ‘File permissions’.


Step 4: Here, you can change the permissions and select ‘OK’ to save your changes.


That’s it! Your file permissions are changed and have been set correctly.

Final Thoughts

Correcting permissions for your files is a step in the right direction in securing your WordPress website. Now, hackers won’t be able to exploit your WordPress files.

That said, hackers have a million tricks up their sleeves to break into your site. To name just a few, they use brute force attacks, SQL injections, and XSS hacks to exploit your WordPress site.

To get proper protection against hackers, you need a reliable WordPress security plugin. Once activated on your site, it will scan and monitor your website’s activity regularly. It will also proactively detect suspicious behavior and block hackers before they can access your site.

Protect your WordPress Website With MalCare!


Melinda is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Melinda distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap