WordPress File Permissions How Do They Work?

Setting proper WordPress file permissions is essential to ensure the security of your website. But, the default settings aren’t enough.

File permissions set who can read, write, and execute the files that make up your website. If you set them incorrectly, you could leave your files open to access, and hackers could edit them to add spam or malware.

Not to worry!

Below are details on WordPress file permissions, their inner workings, and how to fix WordPress permissions including the .htaccess permissions WordPress recommends you use for the security of your site.

How WordPress File Permissions Work

File permissions are a set of rules that define who has access to a file and the type of access they have. They look like a three-digit number, or a combination of letters and hyphens if you’re using File Transfer Protocol (FTP) or Secure Shell access (SSH) to edit WordPress file permissions.

It all starts with defining who can access a file, and there are three options:

There are also three different kinds of actions that the user, group, and world can make:

Then, the file permissions are organized as three numbers in this specific order:

Now for the numbers.

Each number corresponds to a level of permission or a combination of permissions.

There’s a number for all possible levels of file permissions, as follows:

It may be tricky to memorize what all those numbers mean when it comes to WordPress file permissions. So, here’s a little trick to help you remember.

All you need to keep in mind is that:

When you choose which permissions you want to grant, add them up, and the result will be the number of the correct file permission you want to set.

For example, if you want read and write access, you would add four and two together to get six.

If you wanted read, write, and execute permissions, then you would add four, two, and one to get seven.

Once you know the number of the level of access you want to grant, you would need to organize them according to the permissions order as mentioned above.

For example, a file permission of 644 would mean:

This is useful when you’re accessing your files through your hosting provider, but you may notice file permissions look different when you use FTP, or SSH. They look like a set of letters and hyphens.

Here’s an example of what you’ll see:

Similar to the numbered file permissions as explored above, the same three permission options apply in the same order: User, group, and world.

One of the differences is that the structure is set up into four groupings:

The first grouping is just one character in length. Each of the other three groupings is three characters in length.

The options for all these groupings are outlined below:

So, for the example above, below is a breakdown of the file permissions that would be set.

| Example | Meaning of the Grouping | Explanation of the Example |
|---|---|---|
| - | The type of file | Denotes a regular file |
| rwx | Read, write, and execute permissions for the user | User has read, write, and execute permissions |
| rw- | Read, write, and execute permissions for the group | Group has read, and write access |
| r-- | Read, write, and execute permissions for the world | World has only read permissions |
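The two notations described above can be converted into each other mechanically. The functions below are an added example, not code from the original article; the names octal_to_symbolic and symbolic_to_octal are made up for illustration. They apply the "add four, two, and one" rule in both directions and reject malformed input.

```shell
#!/bin/sh
# Added example: convert between numeric and letter-and-hyphen permissions.
# Function names are hypothetical; they are not part of WordPress or any tool.

# octal_to_symbolic MODE [TYPE_CHAR]   e.g. 644 -> -rw-r--r--
octal_to_symbolic() {
    mode=$1 out=${2:--}              # TYPE_CHAR defaults to "-" (regular file)
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three digits 0-7, got: $mode" >&2; return 1 ;;
    esac
    # One digit each for user, group, world, in that order.
    for digit in $(printf '%s' "$mode" | sed 's/./& /g'); do
        r=-; w=-; x=-
        [ $((digit & 4)) -ne 0 ] && r=r   # 4 = read
        [ $((digit & 2)) -ne 0 ] && w=w   # 2 = write
        [ $((digit & 1)) -ne 0 ] && x=x   # 1 = execute
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# symbolic_to_octal STRING   e.g. -rwxrw-r-- -> 764
symbolic_to_octal() {
    perms=${1#?}                     # drop the one-character file type
    [ ${#perms} -eq 9 ] || { echo "expected 10 characters: $1" >&2; return 1; }
    out=
    while [ -n "$perms" ]; do
        rest=${perms#???}; triplet=${perms%"$rest"}; perms=$rest
        case $triplet in
            [r-][w-][x-]) ;;
            *) echo "bad grouping: $triplet" >&2; return 1 ;;
        esac
        n=0                          # add up the granted permissions
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}
```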

The Recommended WordPress File Permissions

If you don’t set your WordPress file permissions properly, you could inadvertently grant access to people who aren’t supposed to have it. This could authorize them to make changes you don’t want.

That being said, none of your WordPress file permissions should be set to 777, or “-rwxrwxrwx” if you’re using FTP, or SSH. This would give everyone full access to the file which is incredibly unsafe.

These would be devastating permissions for the .htaccess file in particular, because anyone could potentially edit the file to redirect your site to one with a phishing attack, malware, or spam, for example.

On the flip side, you also don’t want any of your WordPress file permissions set to 444, or “-r--r--r--” in FTP, or SSH clients. That would mean everyone can only view the files, including WordPress. This would break your site because WordPress often needs permission to safely modify, or execute certain files.

For example, when it comes to .htaccess permissions, WordPress wouldn’t be able to do things you had previously set up such as load your site with SSL encryption, let the security plugin you use actually keep your site safe, or countless other scenarios.

But, if you can’t use these file permissions for your WordPress site, then what level of access should you grant for your files, exactly? What are the .htaccess permissions WordPress recommends? What about other files?

The WordPress Codex recommends the following:

Now that you know what WordPress file permissions you should use, how do you fix WordPress permissions for your site?

How to Fix WordPress Permissions

As long as your server is Linux, or Unix-based, you can fix WordPress file permissions through your hosting provider, FTP, or SSH.

Fix WordPress Permissions with Your Host

Every hosting provider is a bit different, so if you want to fix WordPress file permissions through cPanel, Plesk, or whatever control panel your host uses, consult your hosting provider’s documentation for the details on how to make the changes.

Fix WordPress Permissions with FTP

To fix WordPress permissions using FTP and the popular FileZilla client, start by successfully establishing a connection with your server.

Then, find the file where you want to fix WordPress permissions and right-click on it, and select the File permissions option.

You can change file permissions using FTP, and FileZilla.

A window should appear where you can either check the boxes for the corresponding permissions you want to set, or you can enter the numeric value into the applicable field.

When you’re happy with your changes, click the OK button to save your file permission.

You can set WordPress file permissions with checkboxes, or by entering the numeric value.

So, if you wanted to set the .htaccess permissions WordPress recommends, you would check the following boxes:

Alternatively, you could set the .htaccess permissions WordPress would consider the most secure with these boxes checked:

It may also be helpful to note that if you want to set the same permissions for several files or folders at one time, you can highlight the ones you want, then right-click once, and select the File permissions option on the list.

For further details, check out the FileZilla Client Tutorial.

Fix WordPress Permissions with SSH

You can also fix WordPress permissions with your preferred SSH client.

To fix WordPress permissions for folders, enter the command below:

Just be sure to update “/path/to/your/wordpress/install/” with the actual folder path on your server. You can also change the “755” permission to what you prefer.

You can also fix WordPress permissions for all files with this command:

Again, be sure to update “/path/to/your/wordpress/install/” with your real file’s path. You can also update “644” if you want.

To change the permissions for the wp-config.php file, use this command for the recommended change as previously mentioned:

You can also use the .htaccess permissions WordPress recommends with this line:

If you want, you can change “600” to “644” if you prefer.
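The SSH steps above can be combined into one script that applies the modes and then checks the result. This is an added example, not the article's own commands: the function names are made up, the 755, 644 and 600 defaults are the values quoted on this page, and using 600 for wp-config.php as well as .htaccess is an assumption you can override with the fourth argument.

```shell
#!/bin/sh
# Added example: apply the modes discussed above to a WordPress tree, then
# audit it. Function names are hypothetical, not part of WordPress.
# Usage: fix_wp_perms /path/to/your/wordpress/install/

# fix_wp_perms ROOT [DIR_MODE] [FILE_MODE] [SENSITIVE_MODE]
fix_wp_perms() {
    root=$1 dir_mode=${2:-755} file_mode=${3:-644} sensitive_mode=${4:-600}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Folders need the execute bit so they can be entered; files do not.
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
    # Tighten the two files the article singles out, if they exist.
    # Assumption: the same mode is used for wp-config.php and .htaccess.
    for f in "$root/wp-config.php" "$root/.htaccess"; do
        if [ -f "$f" ]; then
            chmod "$sensitive_mode" "$f"
        fi
    done
}

# audit_world_writable ROOT
# Prints every file or folder that the "world" grouping can write to,
# which covers 777 and any other mode with the world write bit set.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}
```

Run audit_world_writable before and after the fix; an empty result afterwards means nothing under the install is writable by everyone.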

In Conclusion

By now you know how WordPress file permissions work, how to fix WordPress permissions for folders, and files. You also know what levels of access to set including specifics like the .htaccess permissions WordPress recommends.

While setting proper file permissions isn’t the only update you should make to ensure the security of your site, it’s certainly a crucial first step that should definitely be taken.

How do you prefer to fix WordPress permissions? Do you prefer to use the “644,” or “600” .htaccess permissions WordPress recommends? Share your thoughts in the comments below.

A copywriter, copy editor, web developer, consultant, course instructor and founder of WP Pros(e), Jenni McKinnon has spent the past 15 years developing websites and almost as long for WordPress. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.
