Understanding WordPress File Permissions: A Security Guide

When it comes to WordPress security, file permissions are often overlooked by beginners. However, configuring them correctly is one of the most fundamental steps in protecting your website from hackers and malware.

If your permissions are too loose, anyone can modify or delete your critical site files. If they are too strict, your site might break, and you won’t be able to upload images or install plugins.

This guide will help you understand how WordPress file permissions work and the exact settings you need to keep your site both secure and functional.

What Are File Permissions?

Every file and folder on your web server has a set of permissions that dictates who can read, write, or execute them.

These permissions are written as a three-digit number (e.g., 644 or 755). Each digit is the sum of read (4), write (2), and execute (1) for one class of user:

  • First digit: The Owner (usually your WordPress site/server user).
  • Second digit: The Group (other users on your server who share the owner's group).
  • Third digit: The Public, also called "other": every account on the server that is neither the owner nor in the group. This usually includes the web server process that serves your visitors.

A higher digit means more access. For example, 777 gives every account on the server, including the web server process that handles requests from the internet, the ability to read, modify, and execute a file, so anything running on that server can rewrite your code. You should never use 777 on a WordPress site.
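As an added example (not part of the original guide), the following POSIX shell script decodes a numeric mode into the owner/group/other flags just described and flags the dangerous case the guide warns about, where someone other than the owner holds the write bit. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: decode a three-digit numeric
# mode such as 644 into rwx flags for owner, group and other, and report
# whether anyone besides the owner can write (the 666/777 problem).

# One octal digit (0-7) -> "rwx"-style string, e.g. 6 -> "rw-", 5 -> "r-x".
# Read is bit 4, write is bit 2, execute is bit 1.
digit_to_rwx() {
  d=$1
  out=''
  if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
  if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
  if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
  printf '%s' "$out"
}

# Strip a leading zero from a four-digit form such as 0644 (the setuid/setgid/
# sticky digit is outside the scope of this example).
normalize_mode() {
  m=$1
  case $m in 0???) m=${m#0} ;; esac
  printf '%s' "$m"
}

# Whole mode -> "owner=rw- group=r-- other=r--".
describe_mode() {
  m=$(normalize_mode "$1")
  o=${m%??}        # first digit: owner
  rest=${m#?}
  g=${rest%?}      # second digit: group
  p=${m#??}        # third digit: other ("the public")
  printf 'owner=%s group=%s other=%s' \
    "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$p")"
}

# Returns 0 (true) when the group or "other" class holds the write bit,
# i.e. when an account other than the owner could modify the file.
writable_beyond_owner() {
  m=$(normalize_mode "$1")
  rest=${m#?}; g=${rest%?}; p=${m#??}
  if [ $((g & 2)) -ne 0 ] || [ $((p & 2)) -ne 0 ]; then
    return 0
  fi
  return 1
}

# Usage: sh modes.sh 644   -> prints the decoded flags and a verdict
if [ -n "${1:-}" ]; then
  describe_mode "$1"; printf '\n'
  if writable_beyond_owner "$1"; then
    echo "WARNING: accounts other than the owner can write"
  else
    echo "OK: only the owner can write"
  fi
fi
```

Running `sh modes.sh 777` shows `owner=rwx group=rwx other=rwx` with the warning; `644` and `755` decode as the article describes and only the owner can write.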

The Recommended WordPress File Permissions

To balance security and functionality, the WordPress project publishes recommended file permission settings.

Folders and Directories: 755 or 750

All directories (folders) should be set to 755 (or sometimes 750, depending on your hosting environment).

  • This allows the owner to read, write, and execute.
  • The group and public can only read and execute. On a directory the execute bit means "enter", so the web server can still reach and serve your files, but nobody except the owner can create, rename, or delete anything inside the folder.
  • Key directories include: /wp-admin/, /wp-includes/, and /wp-content/.

Standard Files: 644 or 640

All standard WordPress files should be set to 644 (or 640).

  • This allows the owner to read and write (modify) the files.
  • The group and public can only read them.
  • Examples include: .htaccess, index.php, and theme/plugin files.

The wp-config.php File: 440 or 400

Your wp-config.php file is the most sensitive file on your entire website because it contains your database credentials.

  • It should be set to stricter permissions, such as 440 or 400. Use 400 when PHP runs as the file owner (common with suPHP or per-user PHP-FPM pools); use 440 when the web server runs as a different user that belongs to the owner's group and therefore needs group read.
  • Either way, nobody can write to the file, and no account outside the owner (and, with 440, the owner's group) can read it. Keep in mind that permissions only restrict other accounts: if PHP runs as the owner, a compromised plugin can still read and modify whatever the owner can, which is why keeping plugins updated matters as much as the modes themselves.

How to Change File Permissions

If you need to fix your file permissions, there are two common ways to do it.

Method 1: Using cPanel File Manager

If your web host provides cPanel, this is often the easiest method.

  1. Log in to your hosting cPanel and open the File Manager.
  2. Navigate to your WordPress root directory (usually public_html).
  3. Right-click on the file or folder you want to change and select Change Permissions.
  4. Check the appropriate boxes to reach the desired number (e.g., 644) and click Save.

Method 2: Using an FTP Client (FileZilla)

You can also use an FTP client to change permissions in bulk.

  1. Connect to your server using FileZilla.
  2. Select all the folders (or files) in your WordPress directory.
  3. Right-click and choose File permissions.
  4. Enter the numeric value (e.g., 755 for directories).
  5. To do this in bulk, check the box that says “Recurse into subdirectories” and select “Apply to directories only” (or files only). Click OK.
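The recommended values from the previous section and the bulk change performed in both methods above can also be checked and applied from a shell on the server with find and chmod. The script below is an added example, not part of the original guide or of WordPress itself: the function names, the constructed sample tree, and the assumption that PHP runs as the file owner (so wp-config.php gets 400 by default, or 440 in "strict" mode for group-shared hosts) are mine. It assumes a POSIX shell and find, and that you run it as the user who owns the files.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress tree against
# the modes the article recommends (directories 755/750, files 644/640,
# wp-config.php 400/440) and apply them with find + chmod, the command-line
# equivalent of the cPanel and FileZilla steps.

# List every path under $1 whose mode is not a recommended value, one per line,
# prefixed DIR/FILE/CONF. Returns 0 when the tree is clean, 1 otherwise.
wp_audit_perms() {
  root=$1
  bad=$(
    # Directories: anything other than 755 or 750 (exact-mode matches).
    find "$root" -type d ! -perm 755 ! -perm 750 -print | sed 's/^/DIR  /'
    # Regular files other than wp-config.php: anything other than 644 or 640.
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 -print \
      | sed 's/^/FILE /'
    # wp-config.php itself: anything other than 400 or 440.
    if [ -f "$root/wp-config.php" ]; then
      find "$root/wp-config.php" ! -perm 400 ! -perm 440 -print | sed 's/^/CONF /'
    fi
  )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Apply the recommended modes. Default: 755 directories, 644 files and 400 for
# wp-config.php (assumes PHP runs as the file owner). With "strict" as $2 use
# 750/640/440, the variant for hosts where the web server runs as a different
# user that shares the owner's group and so needs group read.
wp_fix_perms() {
  root=$1
  if [ "${2:-}" = strict ]; then
    dmode=750; fmode=640; cmode=440
  else
    dmode=755; fmode=644; cmode=400
  fi
  find "$root" -type d -exec chmod "$dmode" {} +
  find "$root" -type f ! -name wp-config.php -exec chmod "$fmode" {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod "$cmode" "$root/wp-config.php"
  fi
}

# Build a small constructed WordPress-like tree under $1 with deliberately
# wrong modes so the audit has something to find (fixture only, no real data).
make_sample_site() {
  root=$1
  mkdir -p "$root/wp-admin" "$root/wp-content/uploads"
  printf '<?php // constructed placeholder\n' > "$root/index.php"
  printf '<?php // constructed placeholder, no real credentials\n' > "$root/wp-config.php"
  printf 'Options -Indexes\n' > "$root/.htaccess"
  chmod 755 "$root" "$root/wp-admin" "$root/wp-content"
  chmod 644 "$root/.htaccess"
  chmod 777 "$root/wp-content/uploads"   # world-writable directory: wrong
  chmod 666 "$root/index.php"            # world-writable file: wrong
  chmod 644 "$root/wp-config.php"        # credentials readable by everyone: wrong
}

# Usage: sh wp-perms.sh audit /path/to/wordpress
#        sh wp-perms.sh fix   /path/to/wordpress [strict]
case "${1:-}" in
  audit) wp_audit_perms "$2" ;;
  fix)   wp_fix_perms "$2" "${3:-}" ;;
esac
```

Run the audit first and read its output before fixing anything: a directory that legitimately needs to be writable by a different web server user (for example an uploads folder on a host that does not run PHP as the owner) will show up as a deviation, and on such a host the "strict" group-based variant is the one to apply rather than making the folder world-writable.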

What Happens If Permissions Are Wrong?

Incorrect file permissions usually result in one of two scenarios:

  • Permissions are too strict: You might see errors like “403 Forbidden,” fail to upload images to your media library, or be unable to update plugins and themes.
  • Permissions are too loose: Hackers can easily inject malicious code into your theme files, hijack your site, or steal your database credentials.

Conclusion

Understanding and applying the correct WordPress file permissions is a crucial part of your website’s security posture. Take a few minutes to connect to your server and verify that your folders are set to 755, your files to 644, and your wp-config.php to 400 or 440. This simple check can save you from a devastating security breach.