WordPress file permissions are a hotly debated topic, and you will find tons of advice (quite a bit of it incorrect) online. WordPress file permissions protect your site’s files and directories from unauthorized access by hackers. In most cases, a good web host or a developer will set the WordPress file permissions once, and you rarely have to consider them again. Web Expert Rajesh Goutam advise caution when altering permissions though, and recommend that you always take a backup of your site beforehand.
Basically, WordPress file permissions are authority roles assigned to users to manage website’s files & folders. So, it is important to set correct permissions to the files and folders. WordPress permissions play an integral role in the overall security of your WordPress website.
One of the practical ways of securing your website is to Set Correct File or folder Permissions in WordPress. However, changing wordpress file permissions can throw up error. In this article you will learn more about WordPress file permissions, their functioning, and How to Fix File and Folder Permissions Error in WordPress via Cpanel, FTP & .htaccess.
File and folder permissions error in WordPress is one of the most common errors seen while running a WordPress website. It can be very frustrating when you receive this error. Incorrect WordPress File Permissions can prevent users from interacting with the managed website, as it affects creating files and updating files’ settings.
According to web Expert Rajesh Goutam If you run across this error, you will know what the problem is right away. WordPress will return a warning message when you try to access your website (something similar to Unable to create directory).
Making sure your permission settings are critical to keep your WordPress site safe. After all, you don’t want regular users to have access to your WordPress core files.
File permissions set who has the authority to read, write, and execute the files that make up your website. Set them incorrectly and you end up leaving easy access to the important data/files of your website and the security can be easily jeopardized. In the worst-case scenario, a hacker may also add spam or infect your website with a WordPress malware redirect hack we will discuss that later.
To apply any kind of changes it’s important that WordPress should have the proper privileges.
Make sure to Set Correct File Permissions For WordPress, if the permissions are set wrong, you can’t do anything on your website. File and Folder Permissions error in WordPress can appear in different messages, depending on the action you want to take, such as “403 forbidden error” or “not eligible to do this task.” The error message directly signifies the wrong permission settings. Due to the wrong file and folder permissions, you can also get WordPress Upload Failed To Write File To Disk Error or HTTP Error while uploading new images.
Some of the other common errors include:
- Pluggable.php File Errors in WordPress
- 503 Service Unavailable Error in WordPress
- WordPress Stuck in Maintenance Mode
- Parse Error: Syntax Error Unexpected in WordPress
- WordPress Not Sending Email
- Error Establishing a Database Connection in WordPress
But, you don’t need to be worried sick.
What are WordPress file permissions – How do they Work?
According to web Expert Rajesh Goutam When you have file permissions, you are setting who all can access that file. Usually, they look like a three-digit number or in case you are using FTP (File Transfer Protocol) or SSH (Secure Shell Access) they have an amalgamation of letters or hyphens to make changes to WordPress file authorizations.
It begins with defining who has the right to access a file, and there are three options for this –
- User – Someone who is the administrator of your website.
- Group – Various other users of your website including – Subscribers, Editors, Contributors, and various other user roles.
- World – Anyone on the internet.
Besides, there are other three varied types of actions that the user, group, and world can make –
- Read – The provision of only viewing the contents of the file.
- Write – File can be changed.
- Execute – Contents of the file like a program, a script can be run.
Finally, the file permissions are put together as three numbers organized in a particular order –
- First Number – Permissions that are offered to the user.
- Second Number – Access is provided to the group.
- Third Number – Authorizations that are offered to the world.
Now, here is the turn for the numbers.
Each number corresponds to a set level of authorization or an amalgamation of authorization.
For all possible levels of authorization, a specific number is denoted as follows –
- 0 is for no access at all.
- 1 is for executing.
- 2 is for writing.
- 3 is for writing and executing.
- 4 is for reading.
- 5 is for reading and executing.
- 6 is for reading and writing.
- 7 is for reading, writing, and executing.
You may find it hard to remember what the numbers actually mean as far as WordPress file permissions are concerned. So, this is a helpful method through which you can remember.
All you need to remember is that –
- 0 will mean there is no excess.
- 1 is for the execution.
- 2 means write.
- 4 is for reading.
When you have finalized the permissions you want to give, your next move should be to add them, and the final outcome will be the number of correct file authorization you want to set.
For instance – If you are looking for both read and write access, you are going to add four and two to get six.
If you are eyeing to read, write, and carry out authorizations, then you will be adding four, two, and one together to get seven.
The moment you have the number of the level of access you want to allow, you will have to organize them as per the authorization order as mentioned below –
- The user enjoys the authorization to read and write.
- The group enjoys authorization to read.
- The world also has the access to read.
This comes handy when you access the files with the help of a hosting provider. However, the file permissions may be different when you use Secure Shell Access or File Transfer Protocol. They, generally, will comprise of hyphens and letters.
Pretty much like the numbered file permissions mentioned above, the same three permission options will apply in an identical order – user, group, and world.
One of the major differences is that the structure is set into four groupings –
- First Group – The type of file
- Second Group – User authorization
- Third Group – Group authorization
- Fourth Group – Authorization for the world
There are some options for these groupings and they are discussed as below –
A hyphen (–) – Lack of access, or as far as the first grouping is concerned, it mainly denotes a regular file.
r – Read
w – Write
x – Execute
d – This stands for Directory, which is just an option for the first grouping, and moreover it is not used frequently for WordPress file authorizations.
In the context of the above-mentioned example, let us have a look at the breakdown of the file permissions that will be set.
In the context of the above-mentioned example, let us have a look at the breakdown of the file permissions that will be set.
Example | – | rwx | rw- | r- |
What grouping actually means | File type | Read, write, and execute an authorization for the user. | Read, write, and execute an authorization for the group. | Read, write, and execute an authorization for the world. |
Description of the example | Stands for a regular file | Read, write, and execute an authorization for the user. | Group is provided the access to read and write. | The World only has the authorization to read. |
755
All Folders – As per this, a user is allowed to read, write, and execute. Read and execute access is provided to the group and others are not provided any provision.
644
All .php files – As per this, a user is allowed to read and write. Groups and others only enjoy the provision of reading the files. This way whosoever is accessing the files will not be able to make changes to the files, this right will only be enjoyed by the owner.
440
Wp-config.php (public_html folder) – The wp_config is actually the configuration file of your WordPress. Since it is considered one of the important files, make sure you have protected it with 400/440 permission. Here, both the user and the server does not enjoy any permission to edit. And others are not authorized to even read.
644
Idex.php ((public_html folder) – 644/444 is the permission for index.php. Setting 444 permission will end up adding extra security where the admin enjoys the right to write or execute any action.
If you overlook the aspect of setting permissions for file and folders, you may end up jeopardizing the loop. This way, the hacker will get easy access to your account.
Moreover, the hacker will gain access to read, write, and execute your website’s important files. This will allow the hacker to use your website wrongly and your website settings will also be changed and eventually, the hacker will plant backdoor in wordpress site.
Besides, not having effective file authorizations allow the hacker to inject malicious codes that may get your wordpress hacked and infected with malware, which could arise further complications for your SEO too.
Recommended WordPress File Permissions
For wp-content
This particular folder holds all the plugins and themes and it also uploads them to your WP account. Generally, if you make changes to the files, you may come across some error and may damage your website as well.
If you have opted for apt protection, you will ensure that the hackers don’t access the content provided by the users. The correct WP file authorization for this particular folder will be 755 and it is mandatory that the files within the folder has 644. This way, you will ensure that only you, as an owner, have the authority to write anything within the folder.
For wp-concludes
This folder comprises of all the key files required for the smooth functioning of both WP and API. The required authorization for this folder is 755.
For wp-content/uploads:
The writing privileges to files should only be enjoyed by the user. However, it is important that wp-content is writable by www-data as well. This is easily done; you need to give write access to wp-content for a group. You also need to mention 755 and the user should be added to www-data.
Whatever you have uploaded to your website, wp-content will contain all these uploads and most importantly it requires apt protection. Apt authorization for this file is 755.
For all the files
In WordPress, suitable authorization for all files should be 644. This means that the user will have the authorization to read and write, as far as groups and others are concerned, they can only read the files. This will ensure that only the owner can make changes.
For All Folders
Recommended authorization for all the folders is 755. This empowers the user to read, write, and implement authorization and implement authorization for groups and others.
For wp-config.php
The wp-config has all the information about database connection and base configuration, this is the reason it is considered as one of the important files in the whole directory. The apt authorization for this file is 600.. This means that the user and the groups enjoy the authorization to read and others will not enjoy the privilege of accessing it.
Correct file Permission for the PHP file in the wp-root
Wp-root has the blank file, this is where the whole directory is hidden. Without this file, the whole file directory will not have any cover. The advised file authorization will be 444. As per this authorization, everybody gets the authorization to read, including the user and group.
Relative Path | Suggested Permissions |
/ | 755 |
wp-includes | 755 |
wp-admin | 755 |
wp-admin/js | 755 |
wp-content | 755 |
wp-content/themes | 755 |
wp-content/plugins | 755 |
wp-content/uploads | 755 |
wp-config.php | 600 |
.htaccess | 644, or 600. |
Changing File Permissions Using FTP?
With the help of programs or FTP clients, the permission settings for a file or a folder can be changed easily. This is done using a function present in the menu of the program, called chmod or set permissions. When the files and folders are viewed and opened in an FTP client, there is a column beneath the Authorization label, that is what will matter.
For every single file, an amalgamation of hyphens and letters are used in the corresponding permission.
For instance –rwxrw-r–. You can easily decode the authorization. The first hyphen represents the permission used for a particular file. The letters – r, w, and x represent that you, as a user, have the right to read, write, and execute the authorization for the file.
The following three characters symbolize that the group of users can only read and write permission. Here, the hyphen denotes that there is no permission for a particular user or a group. As for the last three characters, they represent that others only can read the files, they cannot write or execute it.
Making changes to these permissions is quite simple; you need to right-click on the files. Once you have done this, you need to go to the menu and make a selection for the option of “Set Permissions”.
Changing File Permissions Using cPanel
With cPanel File Manager, it is easy to see the authorization for different files.
- To change the authorization of the files, you need to right-click on the files, followed by selecting “Change Permission”.
- You will see a checkbox where you can easily make a selection for the boxes and adjust for the authorization.
- When you are done, you just need to confirm the changes you have made.
Remember, every hosting provider is unique. If you are looking to fix WordPress file and folder permissions through Plesk, cPanel, or any other control panel used by your host, go through the documentation of your host on how you can carry out changes.
Fix WordPress File permissions With Plugin
- Install and enable the All In One WP Security & Firewall plugin.
- In the left menu, hover over “WP Security”.
- Select the “Filesystem Security” menu item.
- You’ll get a list of critical files and folders that it checks the permissions for.
- You can use the “Set Recommend Permissions” button to change it to the plugin’s recommendations.
How WordPress file and folder permissions affect security
By design, web servers (especially those that run on Linux) are designed to have multiple users. This is necessary to perform many operations, but is also a security risk. Therefore, to protect files and directories from being accessed, changed, or run by just anybody, permissions are created.
There are two interleaved concepts with respect to file permissions: roles and permissions. Security concerns mostly arise with respect to group owner and world permissions.
We are most concerned about making sure that the world or public doesn’t have write permissions for files and directories. This is because we don’t want anyone to modify files and directories on our site. Similarly, we don’t want certain files to be executable or even readable by the wider public, like wp-config.php. It contains the database credentials for our site, so having it open for everyone to read is catastrophic for your site, and a gilt-edged invitation for malware.
Common misconceptions about file permissions
It is not always better to have very restrictive settings for security because that will render your site unusable. Hitting a balance between being sensible and paranoid is key.
WordPress roles of user, group, and world are often confused with user account roles, like administrator and contributors. User account roles deal with privileges on wp-admin, and indicate control over things like plugins, posts, or themes. Whereas when we speak of file permissions, we are talking about the files and directories on the server. If you think about it, the credentials used to log into wp-admin and those used for FTP are completely different. That is because the two things are vastly different.
If you login to the admin account of your site, you still cannot access your wp-config.php file from a browser. From the server perspective, you are a public or world account. If you logged into your server using FTP however, you are easily able to see the wp-config.php file. In fact you can not only read it, but modify its contents as well. This is because your FTP account is a user that either owns the wp-config.php file, or has the permissions to read and modify it.
Conclusion
We hope that this primer on WordPress file permissions was helpful. WP file permissions are an important cog in WordPress security, and are often discussed in the context of WordPress hardening.
FAQs
How do I change permissions on a WordPress site?
You can change WordPress file and directory permission either through cPanel, FTP, or SSH. Using either cPanel or FTP, navigate to the file in question, right-click, and set the permissions desired. If you are using SSH, you can use the chmod command to set the permissions.
How do I fix WordPress file and folder permissions?
To fix file and folder permissions in WordPress, you need to access the files on your site server. There are 3 ways to do this: using cPanel, FTP, or SSH. Once you have accessed the files, you can navigate to the correct directory, and set the WordPress permissions correctly.
What are 755 permissions?
755 permissions mean that the owner user has full permissions of read, write, and execute. The group owner and all other users have only read and execute permissions.
What permissions should WordPress files have?
WordPress files should have a maximum of 644 as their permission number. Anything laxer than this constitutes a security hazard.