Are you trying to figure out the proper WordPress permissions for files and folders? Or are you confused about the whole idea of WordPress permissions in the first place?
WordPress file permissions are essential to your site’s security and functioning, so you must understand them. If you’re using WordPress hosting, your host has almost certainly configured things for you already, but it’s still helpful to understand these concepts if you run into any issues.
So whether you’ve never heard of file permissions or you’re just looking for the correct file permissions for WordPress, we’ve got you covered in this post. If you’re already familiar with file permissions, you can click the second link to jump straight to the optimal file permissions for WordPress.
What Are File Permissions?
In a nutshell, file permissions control how different users can interact with the files on your WordPress site’s server. More specifically, file permissions control who can read, write, and execute files:
- Read: The ability to read the contents of a file.
- Write: The ability to alter a file.
- Execute: The ability to “use” a file (e.g. execute a script).
What Are Users?
There are three different “types” of users:
- Owner: The assigned owner of the file or directory.
- Group: Members of the group that owns the file or directory.
- Public: All users other than the file owner or members of the group.
Each file or folder is owned by a specific user or a particular group. Each user can be a member of multiple groups, but they can have only one primary group.
For example, when you connect to your site via SFTP, you are using a user account on your server, and that user account belongs to one or more groups, depending on how your server is configured.
Note: Most people don’t need to grasp the “users” concept because your host configures all of this for you. However, understanding it is essential to learning how file permissions work. If you feel a little lost in this section, know that in most cases, your host has appropriately set up users for your server environment.
With file permissions, you can control what each type of user (Owner, Group, Public) can do to the files and folders on your server (Read, Write, Execute).
In general, owners of the file should have the most permissions; users who belong to the same group would have the same or fewer permissions; public users would have the same or fewer permissions than the group:
Owner > Group > Public
The idea of file permissions is very similar to the WordPress roles and capabilities system. If you’re the Administrator of your site, you have more control than an Editor. Administrators can install new plugins, for example, but an Editor cannot.
Similarly, an Editor has a lot more control than an anonymous visitor to your site, even if the Editor doesn’t have as much power as a full Administrator. For instance, an Editor can edit other people’s blog posts and publish new blog posts, but an Editor can’t install new plugins.
What Do the Numbers in File Permissions Mean?
File permissions are represented by a three-digit number called a permission mode (e.g. 777, 440).
Each digit in the number corresponds to what a specific user can do:
- First digit: Controls what an Owner can do.
- Second digit: Controls what user accounts in the user’s Group can do.
- Third digit: Controls what everyone else can do (Public).
Each digit in the permission mode is the sum of the numbers assigned to each action:
- Read: 4
- Write: 2
- Execute: 1
If you want to grant no permissions, use the number 0.
Again, the number you see in the permissions mode is the sum of all the permissions that an entity has. For example, if the Owner can Read (4) and Write (2), the permission mode would be 6 (4+2).
Or, if an owner has all three permissions, it would be 7 (4+2+1).
Thus, 777 is the most permissive configuration. It means that:
- First digit – 7 – Owner can Read (4), Write (2), and Execute (1)
- Second digit – 7 – Group can Read (4), Write (2), and Execute (1)
- Third digit – 7 – Public can Read (4), Write (2), and Execute (1)
For this reason, you’ll pretty much never want to set any permissions to 777 on your WordPress site. We’ll talk more about this below.
If you want to play around with this idea, you can use the chmod calculator tool to see how the numbers change as you assign different permissions to different users.
What Do the Letters in File Permissions Mean?
While you’ll probably encounter the number format most often, you’ll also sometimes see file permissions represented by letters and dashes.
For example:
rwxr--r--
Here’s how this format works:
- r = Read permissions
- w = Write permissions
- x = Execute permissions
- – (hyphen) = No permissions
There are nine characters total—the first three apply to the Owner, the next three apply to the Group, and the last three apply to the Public.
In this format, the equivalent of 777 would be rwxrwxrwx.
Why Are WordPress File Permissions Important?
Because file permissions control what different users can do to the files on your server, they play a critical role in WordPress security.
Imagine if you set all of your site’s files and folders to 777. That would mean that anyone can create new files, modify existing files, delete existing files, execute scripts, and more. People could add malicious scripts to your site and execute them, which would quickly lead to all kinds of issues. That would be a nightmare!
However, file permissions are a balancing act, and if you’re too restrictive, your site would also stop working.
For example, if you set your permissions to 000, your WordPress site would stop functioning entirely because your site wouldn’t even be able to read any of the files on your server.
For that reason, the optimal file permissions for WordPress are always going to fall somewhere between 000 (no one has any permissions) and 777 (everyone has all the permissions).
File permissions can also be tricky, though, because even within more realistic scenarios, you still might encounter problems. For instance, 444 is a very secure setup for your site’s .htaccess file.
However, if you do set it up like this, you’re probably going to run into issues with some plugins that need to be able to write to your site’s .htaccess file (such as caching plugins like WP Rocket and W3 Total Cache).
So if you’re using one of those plugins that need write access, you might need to switch to a slightly more permissive 644 or even 666, depending on how your web server is configured.
Why Do You Need to Change WordPress File Permissions?
The short answer is that most people don’t need to change file permissions manually.
If you installed WordPress using your host’s auto-installer, any good host should automatically set up the optimal file permissions for you as part of that setup process. If you use the WordPress installer here at Kinsta, for instance, you can be confident that we’re setting up the correct file permissions—that’s part of what we do as a managed WordPress host to make your life easier.
So, if you use your host’s auto-installer and your WordPress site is working fine, you probably don’t need to tinker around with your site’s file permissions.
However, issues might come into play if you manually installed WordPress yourself. You may also experience trouble with file permissions during plugin installation and use, like our caching plugin example from the previous section.
The Correct File Permissions for WordPress
In this section, we’ll talk about the correct file permissions for WordPress. Then, if you need a helping hand, we’ll show you how to change them in the next section.
First, it’s important to note that the optimal file permissions depend in part on how your hosting environment is configured. What’s optimal and secure for one environment won’t necessarily be so for other environments; this is especially true for shared hosting using suEXEC.
In general, a good rule of thumb to account for this is to start with the least permissive configuration and only add permissions as needed to make things work. For example, when talking about the wp-config.php file, you’ll see values anywhere from 400 to 644. If you’re not sure where to start, you can begin with 400, as long as you recognize that this setup might cause problems with your server configuration, and you might need to make it more permissive if you run into problems.
And no matter what, you should never set the permissions for anything to 777 (unless you’re an expert and have an excellent reason for doing so).
Default File Permissions for Most WordPress Files/Folders
In general, the correct file permissions for WordPress should be as follows:
- Files: 644
- Folders: 755
However, there are a few specific exemptions that are important to note:
- wp-config.php file
- .htaccess file
- nginx.conf file
wp-config.php Permissions
Your site’s wp-config.php file is a super-sensitive file containing your site’s database credentials and a bunch of other important information.
A good starting point for the wp-config.php file is 644, which is what we use at Kinsta. However, you’ll find a lot of other recommendations here, including 640 and 600. To lock it down more, some people even use 444.
However, if you use 444, you might cause problems, as many WordPress plugins rely on write access for the wp-config.php file.
.htaccess Permissions
Your site’s .htaccess file is another vital configuration file that deserves special attention.
A good starting point for .htaccess permissions is 644, which is what the WordPress Codex recommends. Some developers also recommend 444. However, if you use 444, it might restrict plugins that need to write to the .htaccess file (such as most caching plugins).
Note: If you’re hosting with Kinsta, you won’t have a .htaccess file because we use the Nginx web server for improved performance. .htaccess files are only a feature of Apache web servers.
You don’t have to worry about .htaccess permissions if you’re hosting at Kinsta because there’s no .htaccess file in the first place.
nginx.conf Permissions
The same .htaccess file permissions also apply to nginx.conf, which is the main configuration file if your host uses an Nginx web server (as Kinsta does).
Here at Kinsta, we use 644 for this nginx.conf file. Some developers also recommend 444.
How to Quickly Check WordPress File Permissions
If you want a quick, non-technical way to check your site’s file permissions to see if you have any issues, you can use the free iThemes Security plugin at WordPress.org.
You can also use FTP or cPanel File Manager, which we’ll show you in the next section—we’re first just sharing this plugin as a quick way to detect potential issues.
Once you’ve activated the plugin, go to Security → Settings and click the Show Details button under File Permissions:
Here, you’ll find your current WordPress file permissions and how they compare to iThemes Security’s recommended file permissions. You can see that iThemes recommends 444 for the wp-config.php file and the nginx.conf or .htaccess file (Kinsta uses Nginx, which is why you see nginx.conf, but you would see .htaccess if your host uses Apache).
Remember, though, that 444 will cause conflicts with some plugins, so you might want to avoid using it.
If you don’t want to continue using the plugin after the setup, we recommend deleting it.
How to Edit WordPress File Permissions
Now, let’s talk about how you can change your WordPress site’s file permissions if needed. There are several different methods that you can use—we’ll show you three ways to do it:
- FTP
- cPanel File Manager
- SSH/Terminal
FTP/SFTP
If you know how to use FTP/SFTP to connect to your server, any quality FTP client should let you quickly change file permissions.
We’ll show you how it works using FileZilla, a popular free and open source client.
Once you’ve connected to your server using SFTP, right-click on the file/folder you want to edit and choose File permissions:
Then, you can either use the checkboxes or enter the number directly:
cPanel File Manager
If your host provides cPanel, you can use the cPanel’s File Manager tool to edit WordPress file permissions.
In the cPanel File Manager, right-click on the file or folder you want to edit and choose Change Permissions:
Then, check the relevant boxes to assign permissions. As you do so, you’ll see the totals change at the bottom:
Set the correct permissions, and you’re good to go!
Command Line
If you feel comfortable working from the command line, you can also change your site’s file permissions using chmod. We like using this chmod calculator to get the proper permissions quickly.
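The following script is an added example (not Kinsta’s code and not part of the original post) that ties together the numeric and letter formats explained above with the command-line approach: it converts a mode such as 644 into rw-r--r-- using the 4+2+1 rule, and audits a WordPress directory against the baseline on this page (files 644, folders 755), flagging anything world-writable or set to 777 and marking wp-config.php, .htaccess and nginx.conf as sensitive. It assumes Linux with GNU coreutils (`stat -c '%a'`); the function names are our own.

```shell
#!/bin/sh
# Added example (not Kinsta's code): audit a WordPress tree against the
# baseline on this page (files 644, folders 755) and flag anything that is
# world-writable or 777. Assumes Linux with GNU coreutils (stat -c '%a').

# Render one permission digit as rwx using the 4+2+1 rule.
digit_to_rwx() {
    r='-'; w='-'; x='-'
    [ $(($1 & 4)) -ne 0 ] && r='r'
    [ $(($1 & 2)) -ne 0 ] && w='w'
    [ $(($1 & 1)) -ne 0 ] && x='x'
    printf '%s%s%s' "$r" "$w" "$x"
}

# Normalise a mode to its last three digits: 644 -> 644, 40 -> 040, 1777 -> 777.
norm_mode() { m="000$1"; p=${m%???}; printf '%s' "${m#$p}"; }

# 644 -> rw-r--r--  (owner, group, public)
octal_to_symbolic() {
    m=$(norm_mode "$1"); g=${m#?}
    digit_to_rwx "${m%??}"; digit_to_rwx "${g%?}"; digit_to_rwx "${m#??}"
}

# Classify a mode against the expected one: OK, INFO (tighter than baseline),
# WARN (looser than baseline), HIGH (world-writable) or CRITICAL (777).
classify_mode() {
    m=$(norm_mode "$1"); e=$(norm_mode "$2"); g=${m#?}; eg=${e#?}
    mb=$(( ${m%??} * 64 + ${g%?} * 8 + ${m#??} ))   # mode as a 9-bit value
    eb=$(( ${e%??} * 64 + ${eg%?} * 8 + ${e#??} ))
    if [ "$m" = 777 ]; then echo CRITICAL
    elif [ $(( ${m#??} & 2 )) -ne 0 ]; then echo HIGH   # public write bit set
    elif [ "$mb" -eq "$eb" ]; then echo OK
    elif [ $(( mb & eb )) -eq "$mb" ]; then echo INFO  # subset of baseline bits
    else echo WARN; fi
}

# Walk a WordPress root; one line per deviation: "<level> <octal> <rwx> <path>".
audit_wp_perms() {
    find "$1" \( -type f -o -type d \) | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")
        if [ -d "$path" ]; then expected=755; else expected=644; fi
        level=$(classify_mode "$mode" "$expected")
        [ "$level" = OK ] && continue
        case ${path##*/} in
            wp-config.php|.htaccess|nginx.conf) note=' (sensitive file)' ;;
            *) note='' ;;
        esac
        printf '%s %s %s %s%s\n' "$level" "$(norm_mode "$mode")" \
            "$(octal_to_symbolic "$mode")" "$path" "$note"
    done
}
```

Run it as `audit_wp_perms /path/to/wordpress`; an INFO line on wp-config.php with 600 or 400 is expected (tighter than 644 is fine per this page), whereas any HIGH or CRITICAL line deserves a `chmod` back to 644/755.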
Summary
Proper WordPress file permissions are an essential part of creating a secure, well-functioning site. But you don’t need to worry about file permissions much because most hosts will properly configure everything if you use the host’s auto-installer tool. That’s true at Kinsta as well.
However, if you’re manually installing WordPress, or if something has messed up your site’s original file permissions, you might need to edit your site’s file permissions.
In general, the WordPress directory permissions should be 755, and WordPress file permissions should be 644. Some crucial exceptions include your site’s wp-config.php file and your server’s .htaccess or nginx.conf file, which you can make slightly less permissive.
And no matter what, make sure you’re never setting file permissions to 777 on a live site (even if you know what you’re doing). Doing so would open up your site and your server to colossal security vulnerabilities.
Do you still have any questions about WordPress file permissions? Ask us in the comments!
Pardon my ignorance, but it looks like at Kinsta, the ssh user is the same as the PHP user. So basically, PHP, hence WordPress, can modify all the files because it owns all the files.
Apache runs under a different user, www-data, which can be useful to prevent some files from being accessed, but still the major threat is PHP, not Apache. Or did I miss something?