
Are you trying to figure out the proper WordPress permissions for files and folders? Or are you confused about the whole idea of WordPress permissions in the first place?

WordPress file permissions are essential to your site’s security and functioning, so you must understand them. If you’re using WordPress hosting, your host has almost certainly configured things for you already, but it’s still helpful to understand these concepts if you run into any issues.

So whether you’ve never heard of file permissions or you’re just looking for the correct file permissions for WordPress, we’ve got you covered in this post. If you’re already familiar with file permissions, you can click the second link to jump straight to the optimal file permissions for WordPress.

This post is 100% focused on WordPress file permissions and how to use them to secure your site. If you’re more interested in controlling WordPress user permissions, please check out our WordPress user roles and capabilities article.

What Are File Permissions?

In a nutshell, file permissions control how different users can interact with the files on your WordPress site’s server. More specifically, file permissions control who can read, write, and execute files:

  • Read: The ability to read the contents of a file.
  • Write: The ability to alter a file.
  • Execute: The ability to “use” a file (e.g. execute a script).

What Are Users?

There are three different “types” of users:

  • Owner: The assigned owner of the file or directory.
  • Group: Members of the group that owns the file or directory.
  • Public: All users other than the file owner or members of the group.

Each file or folder is owned by a specific user or a particular group. Each user can be a member of multiple groups, but they can have only one primary group.

For example, when you connect to your site via SFTP, you are using a user account on your server, and that user account belongs to one or more groups, depending on how your server is configured.

Note: Most people don’t need to grasp the “users” concept because your host configures all of this for you. However, understanding it is essential to learning how file permissions work. If you feel a little lost in this section, know that in most cases, your host has appropriately set up users for your server environment.

With file permissions, you can control what each type of user (Owner, Group, Public) can do to the files and folders on your server (Read, Write, Execute).

In general, owners of the file should have the most permissions; users who belong to the same group would have the same or fewer permissions; public users would have the same or fewer permissions than the group:

Owner > Group > Public

The idea of file permissions is very similar to the WordPress roles and capabilities system. If you’re the Administrator of your site, you have more control than an Editor. Administrators can install new plugins, for example, but an Editor cannot.

Similarly, an Editor has a lot more control than an anonymous visitor to your site, even if the Editor doesn’t have as much power as a full Administrator. For instance, an Editor can edit other people’s blog posts and publish new blog posts, but an Editor can’t install new plugins.

What Do the Numbers in File Permissions Mean?

File permissions are represented by a three-digit number called a permission mode. For example, 777 or 440.

Each digit in the number corresponds to what a specific user can do:

  • First digit: Controls what an Owner can do.
  • Second digit: Controls what user accounts in the user’s Group can do.
  • Third digit: Controls what everyone else can do (Public).

Each digit in the permission mode is the sum of the numbers assigned to each action:

  • Read: 4
  • Write: 2
  • Execute: 1

If you want to grant no permissions, use the number 0.

Again, the number you see in the permissions mode is the sum of all the permissions that an entity has. For example, if the Owner can Read (4) and Write (2), the permission mode would be 6 (4+2).

Or, if an owner has all three permissions, it would be 7 (4+2+1).

Thus, 777 is the most permissive configuration. It means that:

  • First digit – 7 – Owner can Read (4), Write (2), and Execute (1)
  • Second digit – 7 – Group can Read (4), Write (2), and Execute (1)
  • Third digit – 7 – Public can Read (4), Write (2), and Execute (1)

For this reason, you’ll pretty much never want to set any permissions to 777 on your WordPress site. We’ll talk more about this below.

If you want to play around with this idea, you can use the chmod calculator tool to see how the numbers change as you assign different permissions to different users.

What Do the Letters in File Permissions Mean?

While you’ll probably encounter the number format most often, you’ll also sometimes see file permissions represented by letters and dashes.

For example:

rwxr--r--

Here’s how this format works:

  • r = Read permissions
  • w = Write permissions
  • x = Execute permissions
  • (hyphen) = No permissions

There are nine characters total—the first three apply to the Owner, the next three apply to the Group, and the last three apply to the Public.

In this format, the equivalent of 777 would be rwxrwxrwx.

Why Are WordPress File Permissions Important?

Because file permissions control what different users can do to the files on your server, they play a critical role in WordPress security.

Imagine if you set all of your site’s files and folders to 777. That would mean that anyone can create new files, modify existing files, delete existing files, execute scripts, and more. People could add malicious scripts to your site and execute them, which would quickly lead to all kinds of issues. That would be a nightmare!

However, file permissions are a balancing act, and if you’re too restrictive, your site would also stop working.

For example, if you set your permissions to 000, your WordPress site would stop functioning entirely because your site wouldn’t even be able to read any of the files on your server.

For that reason, the optimal file permissions for WordPress are always going to fall somewhere between 000 (no one has any permissions) and 777 (everyone has all the permissions).

File permissions can also be tricky, though, because even within more realistic scenarios, you still might encounter problems. For instance, 444 is a very secure setup for your site’s .htaccess file.

However, if you do set it up like this, you’re probably going to run into issues with some plugins that need to be able to write to your site’s .htaccess file (such as caching plugins like WP Rocket and W3 Total Cache).

So if you’re using one of those plugins that need write access, you might need to switch to a slightly more permissive 644 or even 666, depending on how your web server is configured.

Why Do You Need to Change WordPress File Permissions?

The short answer is that most people don’t need to change file permissions manually.

If you installed WordPress using your host’s auto-installer, any good host should automatically set up the optimal file permissions for you as part of that setup process. If you use the WordPress installer here at Kinsta, for instance, you can be confident that we’re setting up the correct file permissions—that’s part of what we do as a managed WordPress host to make your life easier.

So, if you use your host’s auto-installer and your WordPress site is working fine, you probably don’t need to tinker around with your site’s file permissions.

However, issues might come into play if you manually installed WordPress yourself. You may also experience trouble with file permissions during plugin installation and use, like our caching plugin example from the previous section.

The Correct File Permissions for WordPress

In this section, we’ll talk about the correct file permissions for WordPress. Then, if you need a helping hand, we’ll show you how to change them in the next section.

First, it’s important to note that the optimal file permissions depend in part on how your hosting environment is configured. What’s optimal and secure for one environment won’t necessarily be so for other environments; this is especially true for shared hosting using suEXEC.

In general, a good rule of thumb to account for this is to start with the least permissive configuration and only add permissions as needed to make things work. For example, when talking about the wp-config.php file, you’ll see values anywhere from 400 to 644. If you’re not sure where to start, you can begin with 400, as long as you recognize that this setup might cause problems with your server configuration, and you might need to make it more permissive if you run into problems.

And no matter what, you should never set the permissions for anything to 777 (unless you’re an expert and have an excellent reason for doing so).

Default File Permissions for Most WordPress Files/Folders

In general, the correct file permissions for WordPress should be as follows:

  • Files: 644
  • Folders: 755

However, there are a few specific exemptions that are important to note:

  • wp-config.php file
  • .htaccess file
  • nginx.conf file

wp-config.php Permissions

Your site’s wp-config.php file is a super-sensitive file containing your site’s database credentials and a bunch of other important information.

A good starting point for the wp-config.php file is 644, which is what we use at Kinsta. However, you’ll find a lot of other recommendations here, including 640 and 600. To lock it down more, some people even use 444.

However, if you use 444, you might cause problems, as many WordPress plugins rely on write access for the wp-config.php file.

.htaccess Permissions

Your site’s .htaccess file is another vital configuration file that deserves special attention.

A good starting point for .htaccess permissions is 644, which is what the WordPress Codex recommends. Some developers also recommend 444. However, if you use 444, it might restrict plugins that need to write to the .htaccess file (such as most caching plugins).

Note: If you’re hosting with Kinsta, you won’t have a .htaccess file as we use Nginx webserver for improved performance. .htaccess files are only a feature on Apache webservers.

You don’t have to worry about .htaccess permissions if you’re hosting at Kinsta because there’s no .htaccess file in the first place.

nginx.conf Permissions

The same .htaccess file permissions also apply to nginx.conf, which is the main configuration file if your host uses an Nginx webserver (as Kinsta does).

Here at Kinsta, we use 644 for this nginx.conf file. Some developers also recommend 444.

How to Quickly Check WordPress File Permissions

If you want a quick, non-technical way to check your site’s file permissions to see if you have any issues, you can use the free iThemes Security plugin at WordPress.org.

You can also use FTP or cPanel File Manager, which we’ll show you in the next section—we’re first just sharing this plugin as a quick way to detect potential issues.

Once you’ve activated the plugin, go to Security → Settings and click the Show Details button under File Permissions:

[Screenshot: location of the file permissions tool in WordPress]

Here, you’ll find your current WordPress file permissions and how they compare to iThemes Security’s recommended file permissions. You can see that iThemes recommends 444 for the wp-config.php file and the nginx.conf or .htaccess file (Kinsta uses Nginx, which is why you see nginx.conf, but you would see .htaccess if your host uses Apache).

Remember, though, that 444 will cause conflicts with some plugins, so you might want to avoid using it.

[Screenshot: the iThemes Security feature comparing existing file permissions with suggested permissions settings]

If you don’t want to continue using the plugin post-setup, we recommend deleting it after you’re finished.

How to Edit WordPress File Permissions

Now, let’s talk about how you can change your WordPress site’s file permissions if needed. There are several different methods that you can use—we’ll show you three ways to do it:

  • FTP
  • cPanel File Manager
  • SSH/Terminal

FTP

If you know how to use FTP/SFTP to connect to your server, any quality FTP client should let you quickly change file permissions. We’ll show you how it works using FileZilla, a popular free and open source client.

Once you’ve connected to your server using SFTP, right-click on the file/folder you want to edit and choose File permissions:

[Screenshot: changing file permissions over FTP in FileZilla]

Then, you can either use the checkboxes or enter the number directly:

[Screenshot: entering new file permissions in FileZilla]

cPanel File Manager

If your host provides cPanel, you can use cPanel’s File Manager tool to edit WordPress file permissions.

In cPanel File Manager, right-click on the file/folder you want to edit and choose Change Permissions:

[Screenshot: changing file permissions using cPanel File Manager]

Then, check the relevant boxes to assign permissions. As you do so, you’ll see the totals change at the bottom:

[Screenshot: entering new file permissions using cPanel File Manager]

Command Line

If you feel comfortable working from the command line, you can also change your site’s file permissions using chmod. We like using this chmod calculator to get the proper permissions quickly.
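As an added example that is not part of the original article, the POSIX shell functions below apply the article's recommended modes with chmod (folders 755, files 644, wp-config.php tighter), report anything still world-writable, and convert the nine-letter form described earlier into the three-digit number. Function names are this example's own; it assumes you run it as the user that owns the files and that your host's setup (for instance suEXEC) does not require different modes.

```shell
#!/bin/sh
# Added example, not code from the original article. Applies the article's
# recommended modes (folders 755, files 644, wp-config.php tighter) to a
# WordPress tree and reports anything left world-writable. Function names
# are this example's own. Run as the user that owns the files.

# wp_sym_to_num rwxr--r--  -> 744  (Read 4 + Write 2 + Execute 1 per triplet)
wp_sym_to_num() {
    sym=$1; out=""
    for off in 1 4 7; do            # owner, group, public triplets
        n=0
        case $(printf '%s' "$sym" | cut -c"$off") in r) n=$((n + 4)) ;; esac
        case $(printf '%s' "$sym" | cut -c"$((off + 1))") in w) n=$((n + 2)) ;; esac
        case $(printf '%s' "$sym" | cut -c"$((off + 2))") in x|s|t) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# wp_mode path  -> numeric mode, read from the letters ls prints
# (portable; no GNU stat needed)
wp_mode() {
    wp_sym_to_num "$(ls -ld "$1" | cut -c2-10)"
}

# wp_apply_perms wordpress_root [config_mode]
# Directories get 755, files 644; wp-config.php gets config_mode (default
# 644 as in the article; use 600 or 640 to lock it down further).
wp_apply_perms() {
    root=$1; config_mode=${2:-644}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod "$config_mode" "$root/wp-config.php"
    return 0
}

# wp_world_writable wordpress_root
# Lists every entry whose Public digit includes Write (2), which is what
# 777 or 666 leave behind. Returns 1 if any were found, 0 if clean.
wp_world_writable() {
    found=$(find "$1" -perm -002 -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Run `wp_world_writable /path/to/wordpress` first to see what would change, then `wp_apply_perms /path/to/wordpress 600` and re-run the check; if a plugin then fails to write a file it needs, loosen only that file as the article describes.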

Summary

Proper WordPress file permissions are an essential part of creating a secure, well-functioning site. But you don’t need to worry about file permissions much because most hosts will properly configure everything if you use the host’s auto-installer tool. That’s true at Kinsta as well.

However, if you’re manually installing WordPress, or if something has messed up your original file permissions, you might need to edit your site’s file permissions.

In general, the WordPress directory permissions should be 755, and WordPress file permissions should be 644. Some crucial exceptions include your site’s wp-config.php file and your server .htaccess or nginx.conf file, which some recommend making slightly less permissive.

And no matter what, make sure you’re never setting file permissions to 777 on a live site (even if you know what you’re doing). Doing so would open up your site and your server to colossal security vulnerabilities.

Do you still have any questions about WordPress file permissions? Ask us in the comments!
