According to W3Tech, WordPress is used by more than 60% of website owners. Likewise, people are also more aware than ever of website security threats and how important it is to take proper website security measures. For instance, an SSL/TLS certificate for a secure HTTPS connection and installing security plugins for increased website security are no longer new tactics but rather common best practices.
No doubt, secure hosting providers like WordPress Hosting and good website security measures make a difference. Still, it’s equally important to have appropriate WordPress file and folder permissions (something that gets overlooked).
Files and folders that are easily accessible are vulnerable to hackers, and attackers can exploit them. W. Having proper WordPress Files and Folder permissions is surely something you need to know about.
Here’s How to Set Proper WordPress File Permissions
There are three different ways to change file permissions:
- Change WordPress File Permissions Using cPanel
- Change WordPress File Permissions Using SFTP
- Change WordPress File Permissions Using Server’s Terminal
Change WordPress File Permissions Using cPanel
- First, login into your cPanel hosting account.
- Select and open File Manager
- Once you open File Manager, select and open the root folder named public_html.
- Once the public_html folder opens, scroll down and find the critical folders and files of which you want to set permissions, and simply right-click on it and select Change Permissions:
- Lastly, set the file permissions accordingly:
Change WordPress File Permissions Using SFTP
SFTPs (Secure File Transfer Protocol) like FileZilla is another option you can use to change your WordPress file permissions. STFP is a software that connects your WordPress site server to your local computer for accessing its folders and files. Start with downloading and installing an FTP client like Filezilla onto your computer. And, once you do, you can start working on WordPress file permissions by going through the below mentioned steps:
Enter SFTP login details and establish a secure connection by clicking the Quickconnect button.
- Once the login is successful, all the files and folders will get loaded on the right panel. From that, select and open the public_html folder. It’ll show all files and folders of the website.
- Select and right-click on the folder or file you want to set file permissions for and select the option ‘File permissions…’
- Change file attributes window will open and in that change the permissions accordingly and click ‘OK’ button to save changes.
Change WordPress File Permissions Using Server’s Terminal
Changing file permissions through an FTP client and cPanel has the benefit of an interface that makes it convenient. However, if you’re an experienced developer, have access to your server’s terminal, and want to use the command for changing file permissions, you can use the chmod command to change the WordPress file or folder permission mode.
sudo chmod 644 <file>
Here, chmod is a UNIX command that means “change mode” on a file. Henceforth, it’s used for changing the permission modes of files and folders. For example, you can make use of the below command for changing file permission to 644:
sudo find . -type f -exec chmod 644 {} +
Or to change all your folders to 755:
sudo find . -type d -exec chmod 755 {} +
Note:
You’ll be accessing the website’s backend and making a change in vital WordPress files and folders. Henceforth, it’s recommended that you take a complete backup of your website using a good backup tool such as CodeGuard backup. So, even if your site breaks down due to a mistake, you’ve got a backup that can help you fix your WordPress site quickly.
Here’s What WordPress File Permission Means
Put simply, file permission is instructions that tell who will have rights to access and modify files and folders of your WordPress site. Furthermore, you’re allowed to alter permissions or restrict users from accessing such files and folders.
- There are three types of users: User, Group, and World.
- And there are three types of permissions: Read, Write and Execute.
In other words, File permissions are the combination of three numbers.
Three different numbers are entered for the User, Group, and World in the Permission section in the above image. And, every number represent a certain level of permission that’s granted for the corresponding user:
- 0 – No Access
- 1 – Execute
- 2 – Write
- 4 – Read
And, these are entered in combination based on the role… For example:
- 3 – (2 + 1) Is for Write & Execute
- 5 – (4 + 1) Is for Read & Execute
- 6 – (4 + 2) Is for Read & Write
- 7 – (4 + 3) Is for Write & Execute
You won’t need to set file permissions to 777 and give the world full permission to read, write and execute your files because it can lead to hackers editing your files. Furthermore, a hacker can redirect your site visitors to other malicious websites, launch attacks on other websites (DDoS) or dupe your customers.
At the same time, you won’t even need to set permissions to 000 or 444 because WordPress requires permission to execute or modify files. For instance, it’ll need access to specific files and folders whenever you install any plugin or theme.
And, if you only set read-only access for everyone, WordPress theme and installed plugins will stop functioning, which means it’ll break your WordPress site.
Here’s What These Users & Permissions Mean
- User – Administrator of your WordPress website.
- Group – People with different roles such as contributors, subscribers, editors, and more.
- World – Anyone on the Internet. For example, your site visitor.
In other words, the WordPress administrator (User) can decide which rights should be given to World and Group. For example, what they can access and what they can modify. Also, when it comes to permissions, there are three different types of permissions for all kinds of users, and they are:
- Read (R) – Allows only viewing of the file’s content.
- Write (W) – Allows modification of the file’s content.
- Execute (X) – Allows running codes within the file.
Let’s understand this further with an example – you want to grant your site editors access to the file wp-config.php to view the file occasionally, but you don’t want them to do any editing to it. (wp-config.php is a necessary WordPress file that can break your whole website if anything goes wrong.)
Henceforth, you can offer your site editors (also called a Group) permission to Read the file and nothing more than that.
WordPress Files & Folders We Recommend Changing the Permissions For
Below are some of the essential WordPress files and folders that we recommend changing its permission.
Folder: wp-admin
Given Permissions for:
- Group & World – Read, Execute
- User – Read, Write & Execute
Folder: wp-includes
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Folder: wp-content
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Folder: wp-content/plugins
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Folder: wp-content/themes
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Folder: wp-config.php
Given Permissions for:
- Group & World – Read
- User – Read & Write
Folder: wp-content/uploads
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Folder: .htaccess
Given Permissions for:
- Group & World – Read
- User – Read & Write
Be Careful While Changing WordPress Files & Folders Permissions
Before changing WordPress files and folders permissions, you should be aware of which files and folders require protection and why.
WordPress includes different files and folders and among them some important ones that need protection are:
- wp-admin
- wp-includes
- wp-content
- wp-content/themes
- wp-content/plugins
- wp-content/uploads
- wp-config
- .htaccess
These files and folders are essential for the website because it includes data that allows your site to work correctly.
For example, the wp-config file includes all the information about your site database, such as the name, password, visitor’s critical information, etc. Hence, whoever has access to read the wp-config file can use that file to break into the site database.
Due to this, it’s recommended to allow only the most trusted person for reading or modifying the wp-config file and others that are similar to it.
Common Examples of WordPress File Permissions Mode
| Mode | Str Perms | Description |
|---|---|---|
| 0400 | -r——– | The owner is set to read-only, and the other doesn’t have any permission, which is 0. |
| 0407 | -r—–rwx | The owner is set to read-only and, the other has read, write & execute. And, Group is not granted any permission. |
| 0444 | -r–r–r– | All are set to read-only, which is 4. |
| 0470 | -r–rwx— | The owner is set to read-only, Group is set to read, write and execute. And others aren’t granted any permission. |
| 0477 | -r–rwxrwx | Owner has been set to permission with 4 (read-only), and Other & Group is set to read, write and execute (7) |
| 0600 | -rw——- | The owner has been set to read-only. And, Group & Others don’t have any permission. |
| 0607 | -rw—-rwx | The owner has been set to read-only. Group hasn’t been given any permission, and Others is set to read, write and execute. |
| 0666 | -rw-rw-rw- | All are set to read and write only. |
| 0670 | -rw-rwx— | The owner is set to read and write only. And others have no permission. |
| 0677 | -rw-rwxrwx | The owner is set to read and write only. And, other & Group is set to read, write and execute. |
Issues Commonly Faced Due to Incorrect or Bad WordPress File Permissions
It often happens that inexperienced people try to change WordPress file permissions and unsurprisingly this leads to errors. If any professional developer builds your site, they already change permissions accordingly, so it doesn’t require any change. However, if you make a change and create an issue, we recommend retrieving the site backup you created before making the change.
Three commonly faced errors at the time of changing WordPress file permissions are mentioned below. If you’re facing a similar issue, we recommend making changes accordingly through cPanel or SFTP to fix permissions for WordPress files.
Not Able to Install a Theme or Plugin
Themes and plugins are stored in wp-content/theme and wp-content/plugin folders, respectively. And, if you made any mistake while changing permissions or permissions aren’t correct, then it’s likely you won’t be able to install any plugin or theme, and you’ll come across an error message like below:
‘The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions.’ or ‘Missing temporary folder.’
To install any plugin or theme, both the folders must have Write permission. And, to resolve, you’ve to go to the backend of the website. Lastly, change the permission of both the folders as shown below:
Folder: wp-content/plugins
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Folder: wp-content/themes
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Not Able to Upload Any Media File
Sometimes it happens that at the time of uploading a video or an image file, you encounter the error message “Unable to create directory wp-content/uploads.” It means your WordPress site folder wp-content/uploads isn’t writable. It’s the folder where all your site’s videos and images are stored, so to resolve this error message, you’ll need to change permissions of the wp-content/uploads folder to:
Folder: wp-content/uploads
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
Cache Plugin Shows an Error
When you’re trying to clear your website cache, you may encounter an error:
Your cache directory () did not exist and couldn’t be created by the web server. Check permissions.
Whenever someone installs a cache plugin on the website, it creates files that are stored within the wp-content/cache folder. And, due to incorrect permissions, the plugin will show an above error message.
To resolve, you need to set the below-mentioned permission:
Folder: wp-content/cache
Given Permissions for:
- Group & World – Read & Execute
- User – Read, Write & Execute
What’s the Correct Permission for the wp-config.php File?
Below is the right permission for the wp-config.php file:
- Group & World – Read
- User – Read & Write
Furthermore, wp-config.php is among the essential WordPress files. Different from another folder like Uploads, you won’t need to change the permission of the wp-config.php file often. Also, an attacker can locate an openly readable wp-config.php file and trace database login credentials from which they can inject malware. Therefore, it’s recommended to have proper permission for the wp-config.php file.
Wrapping Up
Setting correct WordPress file permissions is essential, and it does help make your site secure, but if you don’t follow security measures that help protect your site from cyber threats, you can become a victim. So, it’s recommended that you set WordPress file permissions along with other security measures that can help you prevent other attacks such as malware or DDoS. For instance, brute force attacks can be prevented by limiting incorrect login attempts.
FAQ
What to Do if You Can’t Change WordPress File Permissions?
If you can’t change WordPress file permissions, you’ll need to contact your hosting provider because they may have kept restrictions. Though if you’re using shared or VPN hosting, it’s likely, you won’t face such issues.
Also, be careful as changing WordPress file permissions is like a double-edged sword that can make your site insecure if anything goes wrong.
What Are the Correct File Permissions for WordPress Files Like php.cgi and php.ini?
There’s no need to access or modify files such as php.cgi and php.ini. So, it’s recommended to make these files unreadable. Also, caching and firewall plugins require access to these files for operating without issues. So, you must ensure WordPress folder permissions are correctly set, or else plugins will not operate properly.
Why Shouldn’t We Change All WordPress Files & Folders Permission to Ready Only?
In theory, it makes sense to change WordPress file permissions to read-only, and yes, it’ll reduce the risk of getting hacked or making a mistake. It has a drawback though, such as you won’t be able to add or update themes, plugins, and the WordPress core. Nor you’ll be able to upload new media files like a video or an image. Furthermore, limiting access to files and folders can have unexpected consequences.
For example, caching and firewalls require access to some files, and without correct WordPress file permissions, these plugins will fail to work correctly.