WordPress File Permissions: Complete Beginner’s Guide
WordPress file permissions are a hotly debated topic, and you will find tons of advice (quite a bit of it incorrect) online. WordPress also has an article about file permissions and how to set them to secure your site, but those instructions are hard to follow.
In this article, we have put together a complete guide to understanding WordPress permissions. Here you will find help on:
- Recommended WordPress file permissions to secure or harden your site
- Ways to change the WordPress file and directory permissions on your site safely
- Troubleshooting tips on how to resolve errors that commonly arise from incorrectly set WordPress file and folder permissions
TL;DR: WordPress file permissions protect your site’s files and directories from unauthorized access. We recommend that you back up your site before setting the recommended permissions. To prevent all unauthorized access, install MalCare. MalCare’s advanced firewall will protect your site from hackers.
What are WordPress file permissions
File permissions are access controls on WordPress files and directories, which specify who can read, write, and execute the files that make up your WordPress site.
If all users can modify files and directories, or even read them, it becomes a security hazard. WordPress permissions are security measures for systems that have multiple users, like servers.
How WordPress file permissions work
If you have seen a list of your WordPress files and directories in an FTP client or on cPanel, you would have seen 3 numbers or a string of 9 rwx letters alongside each. These are file permissions and are individually applied to each file and directory.
There are 2 interleaved aspects to file permissions: 1) types of permissions; and 2) roles. Both of these aspects work together to indicate how permissions are applied to files and directories.
Types of permissions
There are 3 types of file permissions in WordPress: read, write, and execute. Each is denoted in 2 ways, numerically and symbolically:
Permission | What it means | Numerical | Symbolic |
Read | User can view the contents of a file or directory, but not change anything | 4 | r |
Write | User allowed to modify the contents of a file or directory, but not execute it | 2 | w |
Execute | User allowed to run script files, or run scripts inside a directory | 1 | x |
No permission | User has no access to the file or directory | 0 | - |
Roles
There are 3 categories of roles: user owner, group owner, and world.
- User: A user is an individual or single account on the system, who owns the file or directory.
When you use an FTP client to log into your site server; you would need a login username and password. The username denotes the FTP user account. Similarly, web servers also use accounts to access files and directories, so although there is no ‘person’ as such behind the account, it is still considered a user.
- Group: A group is a set of users, and can also be designated as an owner. It is an expedient way to grant owner permissions to a collection of users.
- World: Every other user that doesn’t own the file or directory in question, nor is part of a user group.
These are the same roles across various systems, although they may use different nomenclature. For instance, in some systems, world could be public. The owner user is often referred to as user, which can be confusing. Rest assured, every time you see a set of WordPress file permissions, these are the roles they refer to.
Decoding permission numbers and symbols
Now that we have a basic idea about what each WordPress permission allows and the roles they apply to, the string of symbols and numbers may make a little more sense.
The user, the group, and the world roles each have to be assigned permissions for each file or directory. Thus, you may have noticed that there are 3 sets of symbols or that the 3 numbers sometimes go beyond 0, 1, 2, and 4.
In the symbolic schema, the first set of 3 symbols denotes file permissions for the user, the next 3 for the group, and the last 3 for the world.
In the numeric schema, the first number denotes file permissions for a user, the second for the group, and the third for the world. However, in the numeric schema, the permission number is a sum of all available permissions for each role.
So while 0, 1, 2, and 4 are no access, execute, write, and read respectively, the rest mean the following:
- 3 = (2 + 1) = Write + Execute
- 5 = (4 + 1) = Read + Execute
- 6 = (4 + 2) = Read + Write
- 7 = (4 + 2 + 1) = Read + Write + Execute
Examples of WordPress permissions for a file or a directory:
Numeric | Symbolic | User | Group | World |
777 | rwxrwxrwx | Read, Write, Execute | Read, Write, Execute | Read, Write, Execute |
644 | rw-r--r-- | Read, Write | Read | Read |
755 | rwxr-xr-x | Read, Write, Execute | Read, Execute | Read, Execute |
440 | r--r----- | Read | Read | No permission |
Recommended file permissions in WordPress
The way WordPress works—or indeed any system—is that files access each other to perform various tasks. Therefore, while 000 or 440 may be the safest file permissions, they are impractical.
Conversely, 777 is very dangerous as it leaves the file or directory open to modification by any user. Thus you will never find advice to set any core files to 777, and apart from a very few cases, no directories either.
Here are the recommended file permissions that you can set for your WordPress site:
- Root directory (usually public_html): 755
- wp-admin: 755
- wp-includes: 755
- wp-content: 755
- wp-content/themes: 755
- wp-content/plugins: 755
- wp-content/uploads: 755
- .htaccess: 644
- index.php: 644
- wp-config.php: 640
Generally, WordPress directory permissions should be set to 755, and most file permissions need to be set to 644. These are the file permissions that WordPress recommends you set for your site, and they are also the permissions needed for WordPress auto update to function correctly. Stricter permissions will cause auto updates to fail.
It is important to note that file permissions are heavily dependent on the hosting setup for servers. One reason is that it matters which user account the web server process uses to interact with your site files.
For example, we recommend file permissions 640 for the wp-config.php file, but this will not work on all hosts, in which case you would need to revert to 644.
How to change WordPress file permissions
WordPress file permissions are conceptually simple but can be tricky to execute. We always recommend taking a backup before making any changes to your site backend. If even the smallest thing goes sideways, the backup will save your site.
You can change or fix file permissions in WordPress at a file level and at a directory level, which will recursively affect file permissions for the contents of the directory as well. In all cases, you need to access your site files.
There are a few ways to access your site files and change or fix the WordPress permissions. You can choose whichever suits you.
Change file permissions Using cPanel
cPanel is the most widely used hosting control panel software, so we’ve used it for this tutorial. Your web host may use another software, such as Plesk or Webmin. The steps will largely correlate, even if the dashboards look different.
1. Log into your cPanel account. Either you will find a link on your web host dashboard, or you can type in /cpanel after your site URL.
2. Click on File Manager in the Files section.
3. Find the root directory of your site, and expand the directory to view its contents. Generally, the root directory is public_html.
4. All your site files and directories should now be visible in the explorer pane. One of the columns should be Permissions.
5. Right-click on a file or directory, and select Change Permissions from the dropdown menu.
6. This will open the permissions dialogue box, where you can set permissions as necessary.
7. Click on Change Permissions to save and exit.
Note: You can select multiple files and directories and change their file permissions at once.
Change WP file permissions using FTP
FTP is another means to connect with your site server to access files. You will need an FTP client to do this, if your web host doesn’t have an interface you can use. We have used Cyberduck for this tutorial, although FileZilla is another very popular FTP client.
1. Log into the site server with FTP credentials. You will need the server name or IP address, a username, and a password. In some cases, you may also need a port number.
2. Find the root directory, and open it. Most commonly, the root directory is public_html.
3. If your FTP client doesn’t automatically show the file permissions, you may need to enable that setting. Select the file or directory and right click to change the permissions. On Cyberduck, the permissions are under the Info menu.
4. Change the permissions using the checkboxes, or by entering the 3-digit numeric code.
Change WordPress permission Using SSH (chmod)
SSH uses the command-line interface to interact with files on the server. Therefore, things like permissions, which we can see easily through cPanel’s File Manager or using an FTP client, are not immediately visible on the command-line. So, there are a few more steps to change WordPress file permissions using SSH.
1. Log into your server from the command-line. We used macOS Terminal to log into our server.
2. Navigate to your site’s root directory. In our case, this was public_html.
3. Next, check the existing permissions of the files and directories. You can do this with the ls -l command.
Note: The leading character in front of the file permissions indicates the type of file; files are denoted with a hyphen (-) and directories with a lowercase d. These are independent of the permissions.
4. Use the chmod command to change the permissions of a file or directory.
We created a temporary directory called temp, and created 2 sub directories in it, temp1 and temp2. Here you can see the permissions for both are 775, which are the default permissions for directories on this site.
Then, we changed the permissions of temp1 from 775 to 755. The syntax of the command is: chmod <permission> <file or directory name>.
As you can see by using the ls -l command again, the permissions of temp1 have changed for the group owner.
Setting permissions for an entire directory at once
Using the chmod command, you can also change permissions for a directory and all its contents in one shot. The syntax for this operation is: chmod -R <permission> <directory name>. The -R is used to indicate that the command needs to be executed recursively.
In this way, we can set the permissions of the temp directory and all its contents. We changed the permissions to 750.
However, we advise caution when using the recursive command. It can sometimes lead to undesirable results, so unless you are absolutely sure, stick to setting permissions individually.
Setting permissions for all the files and directories on your site
In keeping with our recommendations above, you might want a one-step process to set all the permissions for your site files and directories. You can use the following commands to set file permissions to 644 and directory permissions to 755.
- find . -type f -exec chmod 644 {} +
- find . -type d -exec chmod 755 {} +
Once these commands are executed, you will see a list of files and directories where the permissions were changed.
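To check a tree against the recommended permissions before and after running the chmod and find commands above, the following added example (not part of the original article) audits a WordPress root with find -perm. The function names and the sandbox layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the article's recommended
# permissions (directories 755, files 644, wp-config.php 640 or 644).
# Function names and the sandbox are constructed for illustration.

# Print every path under $1 that deviates from the recommendations.
# Symbolic links are skipped: -type f and -type d do not match them.
wp_perm_audit() {
    root=$1
    # World-writable entries (e.g. 777, 666) are the most serious finding.
    find "$root" \( -type f -o -type d \) -perm -002 \
        -exec printf 'WORLD-WRITABLE %s\n' {} \;
    # Directories that are not exactly 755.
    find "$root" -type d ! -perm 755 -exec printf 'DIR-NOT-755 %s\n' {} \;
    # Files that are not exactly 644; wp-config.php may also be 640.
    find "$root" -type f ! -perm 644 \
        ! \( -name wp-config.php -perm 640 \) \
        -exec printf 'FILE-NOT-644 %s\n' {} \;
}

# Apply the article's two find commands, then tighten wp-config.php to 640.
wp_perm_fix() {
    root=$1
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type d -exec chmod 755 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Build a constructed sandbox with deliberately bad permissions and print
# its path. Nothing outside the temporary directory is touched.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/wp-content/uploads" "$sb/wp-admin"
    : > "$sb/index.php"
    : > "$sb/wp-config.php"
    : > "$sb/wp-content/uploads/a.jpg"
    chmod 755 "$sb" "$sb/wp-content"
    chmod 644 "$sb/index.php" "$sb/wp-content/uploads/a.jpg"
    chmod 777 "$sb/wp-content/uploads"   # world-writable directory
    chmod 666 "$sb/wp-config.php"        # world-writable credentials file
    chmod 775 "$sb/wp-admin"             # group-writable directory
    echo "$sb"
}

# Demo: audit, fix, audit again.
demo=$(make_sandbox)
echo "Findings before the fix:"
wp_perm_audit "$demo"
wp_perm_fix "$demo"
echo "Findings after the fix: $(wp_perm_audit "$demo" | wc -l)"
rm -rf "$demo"
```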
Understanding the umask value
In some articles, you may come across the command umask in the context of file permissions. The umask command, when executed, returns a value that is the offset for file permissions for a particular user account. The value is then offset from the default file permission 0666 and the default directory permission 0777 for all new files and directories created.
For example, when we executed the umask command, it returned a value of 0002. That means every new file created will be assigned the permission number 666 offset by 002, which is 664. Similarly, every new directory created will be assigned the permission number 777 offset by 002, which is 775. This is not subtraction: the umask lists the permission bits to withhold, and 002 withholds only write for the world role.
There are ways to change the umask options both temporarily and permanently.
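The offset described above can be computed as a bitwise operation: the default mode with the umask bits cleared. This added example (not from the original article; the function names are constructed) computes the result and then confirms it by creating a real file and directory under that umask in a temporary directory.

```shell
#!/bin/sh
# Added example: umask works as a bit mask, not as a subtraction.
# Function names are constructed for illustration.

# Print the mode a new file or directory receives.
# $1 = default mode (666 for files, 777 for directories), $2 = umask
apply_umask() {
    # Clear every bit of the default mode that is set in the umask.
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a real file and directory under umask $1 and confirm that they
# get the modes apply_umask predicts. Returns 0 when both match.
verify_umask() {
    tmp=$(mktemp -d) || return 1
    # Subshell so the caller's own umask is left unchanged.
    ( umask "$1"; : > "$tmp/file"; mkdir "$tmp/dir" )
    f=$(find "$tmp/file" -perm "$(apply_umask 666 "$1")")
    d=$(find "$tmp/dir" -perm "$(apply_umask 777 "$1")")
    rm -rf "$tmp"
    [ -n "$f" ] && [ -n "$d" ]
}

apply_umask 666 0002   # the article's case for files: 664
apply_umask 777 0002   # the article's case for directories: 775
apply_umask 666 0033   # 644, whereas subtracting would give 633
verify_umask 0002 && echo "umask 0002 confirmed on disk"
```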
Change WP permissions Using a plugin
If you aren’t comfortable with cPanel, FTP, or SSH, you can also use a plugin like All in One WP Security to change certain WordPress file permissions.
1. Install and activate All in One WP Security from wp-admin.
2. Navigate to Filesystem Security under WP Security from the left menu bar.
3. The first tab File Permissions has a list of some WordPress core files and directories. The list shows the current file permission settings and the recommended ones. You can choose to set the permissions to the recommended ones by clicking the accompanying buttons.
The plugin shows a few directories and files only, and will only let you set the permissions to the recommended ones. Therefore, the scope of setting WordPress file permissions with this plugin is necessarily limited.
When to change WordPress file and directory permissions
Changing file permissions can be a daunting task, so it is best to know when you really need to change them at all. In our experience, if an experienced developer or a web host installed WordPress for your site, you should largely leave the permissions alone.
Conversely, if you installed WordPress manually, it would be sensible to set the permissions to the ones we have recommended above. You may also need to change permissions if a plugin or theme throws an error. We’ll cover more specific cases in the next section.
Our advice is to always take a backup before making any changes to your site files. BlogVault provides the best WordPress backups. Additionally, when restoring a BlogVault backup, you can opt to keep the new file permissions, so you don’t have to set them up again.
Troubleshooting file and folder permission errors
WordPress file permissions can cause errors on occasion. Each hosting setup varies, so there is unfortunately no one-size-fits-all setting for permissions. Even in this article, we have tried to take the most common path to simplify file permissions for you. However, there is the distinct possibility that you will run into errors.
Here are some common issues that WordPress sites can encounter because of file permissions:
Incorrect file permissions can crash a website
When setting file permissions for hardening your site for security reasons, it is natural to err on the side of caution. However, if you become overzealous when restricting access to say, the group owner, your site can crash.
This situation often occurs because the web server process needs a user account to execute code on your site. Generally, the user account isn’t the owner account, so it often is a part of the group owner. If the group owner doesn’t have sufficient permissions, then the web server process is stymied and will fail. Thus, your site crashes.
The solution is to set file permissions to the recommended ones mentioned above.
Incorrect file permissions can leave a site open to hacks
On the other side of the caution spectrum, we have the overly lax file permissions. We cannot sufficiently stress that file permissions 777 is a terrible idea. Just don’t do it.
Auto updates can fail if the permissions are too restrictive
WordPress requires access to wp-admin, wp-includes, and a host of other core files and directories for auto updates to work. We’ve mentioned this a few times in the article already. However, a lot of admins choose to maintain strict permissions most of the time, and temporarily ease them up when WordPress needs to update automatically.
Some plugins require laxer permissions
The correct WordPress file permissions are fairly permissive, and shouldn’t throw up plugin or theme errors. If your file permissions are set to the recommended ones, and you still encounter errors that specify that the file permissions are too restrictive, we advise getting in touch with the plugin or theme developer to solve the issue. They may be able to explain why the laxer permissions are necessary, and you can then take a call on whether relaxing site security for the plugin or theme is advisable.
‘Required File Permissions to import the templates are missing.’
This is usually due to inconsistent file permissions, and is an error message often seen with Astra themes. Astra has provided a solution for the error in their documentation.
‘Missing a temporary folder’ error when trying to upload files to the site
WordPress requires a temporary folder in the wp-content directory to be able to upload files or even run updates to the core, plugins, or themes. If the temporary folder doesn’t exist, none of these operations work, and this error appears on the dashboard.
You can add a line of code to the wp-config.php file, and make sure it has the right permissions to be able to execute correctly. Read a full tutorial on resolving this issue.
‘You need to make this file writable before you can save your changes. See Changing File Permissions for more information.’
You may encounter this error when trying to edit theme files via WordPress Theme Editor. The error message appears when the process that is responsible for making changes doesn’t have sufficient write permissions. To figure out which account is being used by the relevant process, you would need to contact a developer or your web host for assistance.
403 forbidden error
The 403 forbidden error means that you do not have permission to access whatever it is you are trying to access. For instance, if we were to try and access the wp-includes directory from our browser, rather than an FTP account, we would see the 403 forbidden error. This is because, while accessing the directory through our browser, the permissions used are those of world, not of user or group.
Special users on WordPress
In some tutorials, you may come across users mentioned in the context of WordPress file permissions. This is by no means an exhaustive list, but we’ve covered a few of the most common ones:
Nobody
This is a special user that has no file access. We run our program with nobody to make sure that even if there is a hack, the hacker cannot access critical files and directories. For more information, check out this thread on StackExchange.
www-data
www-data is a special user account that is also a group. It is used to run the web server process, which shouldn’t have the same permissions as the owner.
How WordPress file and folder permissions affect security
Web servers (especially those that run on Linux) are designed to have multiple users. This is necessary to perform many operations, but is also a security risk. Therefore, to protect files and directories from being accessed, changed, or run by just anybody, permissions are created.
There are two interleaved concepts with respect to file permissions: roles and permissions. Security concerns mostly arise with respect to group owner and world permissions.
We are most concerned about making sure that the world or public doesn’t have write permissions for files and directories. This is because we don’t want anyone to modify files and directories on our site. Similarly, we don’t want certain files to be executable or even readable by the wider public, like wp-config.php. It contains the database credentials for our site, so having it open for everyone to read is catastrophic for your site, and a gilt-edged invitation for malware.
Common misconceptions about file permissions
It is not always better to have very restrictive settings for security because that will render your site unusable. Hitting a balance between being sensible and paranoid is key.
WordPress roles of user, group, and world are often confused with user account roles, like administrator and contributors. User account roles deal with privileges on wp-admin, and indicate control over things like plugins, posts, or themes. Whereas when we speak of file permissions, we are talking about the files and directories on the server. If you think about it, the credentials used to log into wp-admin and those used for FTP are completely different. That is because the two things are vastly different.
If you log in to the admin account of your site, you still cannot access your wp-config.php file from a browser. From the server perspective, you are a public or world account. If you logged into your server using FTP, however, you are easily able to see the wp-config.php file. In fact, you can not only read it, but modify its contents as well. This is because your FTP account is a user that either owns the wp-config.php file, or has the permissions to read and modify it.
Conclusion
We hope that this primer on WordPress file permissions was helpful. WP file permissions are an important cog in WordPress security, and are often discussed in the context of WordPress hardening.
The best security you can give your WordPress site, though, is to install a top-notch security plugin like MalCare. With the combined power of a malware scanner, cleaner, and advanced firewall, MalCare is a complete security solution for your WordPress site.
FAQs
How do I change permissions on a WordPress site?
You can change WordPress file and directory permissions through cPanel, FTP, or SSH. Using either cPanel or FTP, navigate to the file in question, right-click, and set the permissions desired. If you are using SSH, you can use the chmod command to set the permissions.
How do I fix WordPress file and folder permissions?
To fix file and folder permissions in WordPress, you need to access the files on your site server. There are 3 ways to do this: using cPanel, FTP, or SSH. Once you have accessed the files, you can navigate to the correct directory, and set the WordPress permissions correctly.
What are 755 permissions?
755 permissions mean that the owner user has full permissions of read, write, and execute. The group owner and all other users have only read and execute permissions.
What permissions should WordPress files have?
WordPress files should have a maximum of 644 as their permission number. Anything laxer than this constitutes a security hazard.