WordPress File Permissions: Complete Security Guide
Incorrect file permissions are a major security vulnerability. Learn the correct permission settings for WordPress files and directories to prevent unauthorized access.
Understanding File Permissions
File permissions control who can read, write, and execute files on your server. In WordPress, incorrect permissions can either lock you out of your own site or, more dangerously, allow attackers to modify critical files and inject malicious code.
Every file and directory has three permission levels: owner, group, and public. Each level can have read (r), write (w), and execute (x) permissions, represented numerically as 4, 2, and 1 respectively.
Permission Numbers Explained
Common Permission Values
- 755 - Owner can read/write/execute; others can read/execute
- 644 - Owner can read/write; others can only read
- 600 - Only owner can read/write
- 400 - Only owner can read (most restrictive)
Breaking Down the Numbers
Each digit represents: owner, group, public. The values are:
- 4 = Read
- 2 = Write
- 1 = Execute
Add them together: 7 (4+2+1) = full access, 5 (4+1) = read and execute, 4 = read only.
Recommended WordPress Permissions
Directories: 755
All WordPress directories should be set to 755:
find /path/to/wordpress -type d -exec chmod 755 {} \;
Files: 644
All WordPress files should be set to 644:
find /path/to/wordpress -type f -exec chmod 644 {} \;
wp-config.php: 400 or 440
This critical file should have the most restrictive permissions:
chmod 400 wp-config.php
Use 440 if your server setup requires group read access.
.htaccess: 644
The .htaccess file needs to be readable by the web server but not writable by others.
Checking Current Permissions
Via Command Line
ls -la /path/to/wordpress
This displays permissions in the format: drwxr-xr-x (directory with 755 permissions).
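Because ls -la only lists one directory, a recursive check is more useful for a whole site. The following is an added example, not part of the original guide: a shell function (the name audit_wp_perms and the finding labels are assumptions made for this sketch) that walks a WordPress tree and reports anything that deviates from the values recommended above.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against this guide's recommendations
# (directories 755, files 644, wp-config.php 400 or 440, nothing world-writable).
# Usage: audit_wp_perms /path/to/wordpress
# Prints one finding per line as "<ISSUE> <path>".
# Returns 0 if the tree is clean, 1 if findings exist, 2 on a bad argument.
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # World-writable files or directories (777, 666, ...). Symlinks are
        # skipped because their own mode bits are not meaningful.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;

        # Directories that are not exactly 755 (and not already reported).
        find "$root" -type d ! -perm 755 ! -perm -0002 \
            -exec printf 'DIR_NOT_755 %s\n' {} \;

        # Regular files that are not exactly 644; wp-config.php has its own rule.
        find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm -0002 \
            -exec printf 'FILE_NOT_644 %s\n' {} \;

        # wp-config.php must be 400, or 440 where group read is required.
        find "$root" -type f -name wp-config.php \
            ! -perm 400 ! -perm 440 ! -perm -0002 \
            -exec printf 'WPCONFIG_NOT_400_440 %s\n' {} \;
    )

    # A clean tree produces no output and a zero exit status.
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

The non-zero return value makes the function usable from cron or a deployment check, where any finding should fail the job.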
Via FTP Client
Most FTP clients like FileZilla show permissions in their file listings. Right-click files to modify permissions.
Via cPanel File Manager
Select a file, click "Permissions" or "Change Permissions" to view and modify.
Common Permission Mistakes
Setting 777 Permissions
Never use 777 (full access for everyone). This allows any user on the server to read, write, and execute files, making your site extremely vulnerable.
Overly Restrictive Permissions
Setting permissions that are too strict (like 000) can break your site. WordPress needs to read files to function.
Wrong Ownership
Files should be owned by your user account, not root. Wrong ownership can prevent WordPress from functioning properly.
Upload Directory Considerations
wp-content/uploads
The uploads directory needs write permissions for WordPress to save uploaded files. Use 755 for the directory. WordPress will create files with 644 permissions.
Protecting Uploads from Execution
Even with correct permissions, protect uploads from PHP execution using .htaccess:
# Apache 2.2 syntax; on Apache 2.4 the equivalent directive is "Require all denied"
<Files *.php>
deny from all
</Files>
Plugin and Theme Updates
Automatic Updates
WordPress needs write access to update plugins and themes. If updates fail with permission errors, verify the web server user owns the files or use FTP credentials in wp-config.php.
Manual Updates
When updating manually via FTP, ensure uploaded files have 644 permissions and directories have 755.
Shared Hosting Considerations
suEXEC and FastCGI
On shared hosting with suEXEC, PHP runs as your user account. Permissions can be more restrictive since you own the process.
Standard mod_php
With traditional mod_php, the web server user (www-data or apache) needs access. Files may need group read permissions.
Fixing Permission Problems
Reset All Permissions
# Directories
find /path/to/wordpress -type d -exec chmod 755 {} \;
# Files
find /path/to/wordpress -type f -exec chmod 644 {} \;
# wp-config.php
chmod 400 /path/to/wordpress/wp-config.php
Fix Ownership
chown -R youruser:yourgroup /path/to/wordpress
Conclusion
Correct file permissions are fundamental to WordPress security. Use 755 for directories, 644 for files, and 400 for wp-config.php. Regularly audit permissions and never use 777 for any files or directories.
Written by Sarah Chen
WP Folder Shield Team