Setting proper WordPress file permissions is essential to ensure the security of you website. But, the default settings aren’t enough.
File permissions set who can read, write, and execute the files that make up your website. If you set them incorrectly, you could be leaving access open to your files and hackers could edit them and add spam, or malware.
Not to worry!
Below are details on WordPress file permissions, their inner workings, and how to fix WordPress permissions including the .htaccess permissions WordPress recommends you use for the security of your site.
How WordPress File Permissions Work
File permissions set who has access to a file and the type of access they have with a set of rules. They look like a three digit number, or a combination of letters and hyphens if you’re using File Transfer Protocol (FTP), or Secure Shell access (SSH) to edit WordPress file permissions.
It all starts with defining who can access a file, and there are three options:
- User – The administrator of your site
- Group – Other users of your site such as editors, contributors, subscribers, and other user roles
- World – Anyone on the internet
There are also three different kinds of actions that the user, group, and world can make:
- Read – The ability to only view the file’s contents
- Write – File can be altered
- Execute – File’s contents such as a program, or script can be run
Then, the file permissions are organized as three numbers in this specific order:
- First number – Permissions that are given to the user
- Second number – Access is granted to the group
- Third number – Permissions that are given to the world
Now for the numbers.
Each number corresponds to a level of permission or a combination of permissions.
There’s a number for all possible levels of file permissions, as follows:
- 0 – No access at all
- 1 – Execute
- 2 – Write
- 3 – Write, and execute
- 4 – Read
- 5 – Read, and execute
- 6 – Read, and write
- 7 – Read, write, and execute
It may be tricky to memorize what all those numbers mean when it comes to WordPress file permissions. So, here’s a little trick to help you remember.
All you need to keep in mind is that:
- 0 means no access
- 1 is for execute
- 2 means write, and
- 4 is for read
When you choose which permissions you want to grant, add them up, and the result will be the number of the correct file permission you want to set.
For example, if you want to read and write access, you would add four and two together to get six.
If you wanted to read, write, and execute permissions, then you would add four, two, and one to get seven.
Once you know the number of the level of access you want to grant, you would need to organize them according to the permissions order as mentioned above.
For example, a file permission of 644 would mean:
- The user has read, and write permissions.
- Read access is given to the group.
- The world also has read access.
This is useful when you’re accessing your files through your hosting provider, but you may notice file permissions look different when you use FTP, or SSH. They look like a set of letters and hyphens.
Here’s an example of what you’ll see:
Similar to the numbered file permissions as explored above, the same three permission options apply in the same order: User, group, and world.
One of the differences is that the structure is set up into four groupings:
- First grouping – The file type
- Second grouping – Permissions for the user
- Third grouping – Group Permissions
- Fourth grouping – Permissions for the world
The first grouping is just one character in length. Each of the other three groupings are three characters in length.
The options for all these groupings are outlined below:
- – (a hyphen) – No access, or in the case of the first grouping, it means a regular file
- r – Read
- w – Write
- x – Execute
- d – Directory, which is only an option for the first grouping, and isn’t typically used for WordPress file permissions
So, for the example above, below is a breakdown of the file permissions that would be set.
|Meaning of the Grouping||The type of file||Read, write, and execute permissions for the user||Read, write, and execute permissions for the group||Read, write, and execute permissions for the world|
|Explanation of the Example||Denotes a regular file||User has read, write, and execute permissions||Group has read, and write access||World has only read permissions|
The Recommended WordPress File Permissions
If you don’t set your WordPress file permissions properly, you could inadvertently grant more access to people that aren’t supposed to have the permissions that are set for them. This could authorize them to make changes you don’t want.
That being said, none of your WordPress file permissions should be set to 777, or “-rwxrwxrwx” if you’re using FTP, or SSH. This would give everyone full access to the file which is incredibly unsafe.
This would be devastating .htaccess permissions WordPress wouldn’t care for because anyone could potentially edit the file to redirect your site to one with a phishing attack, malware, or spam, for example.
On the flip side, you also don’t want any of your WordPress file permissions set to 444, or “-r–r–r–“ in FTP, or SSH clients. That would mean everyone can only view the files, including WordPress. This would break your site because WordPress often needs permission to safely modify, or execute certain files.
For example, when it comes to .htaccess permissions, WordPress wouldn’t be able to do things you had previously set up such as load your site with SSL encryption, let the security plugin you use actually keep your site safe, or countless other scenarios.
But, if you can’t use these file permissions for your WordPress site, then what level of access should you grant for your files, exactly? What are the .htaccess permissions WordPress recommends? What about other files?
The WordPress Codex recommends the following:
- Folders – 755
- Files – 644
- wp-config.php – 600
- .htaccess – 644, or 600
Now that you know what WordPress file permissions you should use, how do you fix WordPress permissions for your site?
How to Fix WordPress Permissions
As long as your server is Linux, or Unix-based, you can fix WordPress file permissions through your hosting provider, FTP, or SSH.
Fix WordPress Permissions with Your Host
Every hosting provider is a bit different so if you want to fix WordPress file permissions through cPanel, Plesk, or whatever control panel you host uses, consult your hosting provider’s documentation for the details on how to make the changes.
Fix WordPress Permissions with FTP
To fix WordPress permissions using FTP and the popular FileZilla client, start by successfully establishing a connection with your server.
Then, find the file where you want to fix WordPress permissions and right-click on it, and select the File permissions option.
A window should appear where you can either check the boxes for the corresponding permissions you want to set, or you can enter the numeric value into the applicable field.
When you’re happy with your changes, click the OK button to save your file permission.
So, if you wanted to set the .htaccess permissions WordPress recommends, you would check the following boxes:
- Owner permissions – Read, and write boxes checked
- Group permissions – Read box checked, and
- Public permissions – Read box checked
Alternatively, you could set the .htaccess permissions WordPress would consider the most secure with these boxes checked:
- Owner permissions – Read, and write boxes checked
- Group permissions – No boxes checked, and
- Public Permissions – No boxes checked
It may also be helpful to note that if you want to set the same permissions for several files or folders at one time, you can highlight the ones you want, then right-click once, and select the File permissions option on the list.
For further details, check out FileZilla Client Tutorial.
Fix WordPress Permissions with SSH
You can also fix WordPress permissions with your preferred SSH client.
To fix WordPress permissions for folders, enter the command below:
Just be sure to update “/path/to/your/wordpress/install/“ with the actual folder path on your server. You can also change the “755” permission to what you prefer.
You can also fix WordPress permissions for all files with this command:
Again, be sure to update “/path/to/your/wordpress/install/“ with your real file’s path. You can also update “644” if you want.
To change the permissions for the wp-config.php file, use this command for the recommended change as previously mentioned:
You can also use the .htaccess permissions WordPress recommends with this line:
If you want, you can change “600” to “644” if you prefer.
By now you know how WordPress file permissions work, how to fix WordPress permissions for folders, and files. You also know what levels of access to set including specifics like the .htaccess permissions WordPress recommends.
While setting proper file permissions isn’t the only update you should make to ensure the security of your site, it’s certainly a crucial first step that should definitely be taken.
How do you prefer to fix WordPress permissions? Do you prefer to use the “644,” or “600” .htaccess permissions WordPress recommends? Share your thoughts in the comments below.