WordPress file permissions

WordPress File or Folder Permissions - Something that is easily forgotten

When we talk about securing a WordPress site, the discussion usually turns to security plugins and extensions. Those are an important aspect, but ignoring file permissions can be more dangerous than it seems. WordPress file permissions govern who can do what to the files and folders of your installation. This matters because your site becomes vulnerable as soon as a file's permissions are looser than that file needs. Yet file permissions are among the least looked-after settings, and users often forget about them after the initial configuration.

If the permissions on your files are not appropriate, an attacker can exploit that loophole to access your account and possibly take control of your site. Wrongly allowing users to read, write and execute files on your site gives them the opportunity to alter your site settings or plant backdoors. They can also add code that runs malware or otherwise compromises the security of your account and your site. With suitable file permissions you add an additional layer of security and protect the site against attackers and unauthorized users.

Apart from security, wrong file permissions also cause errors when files are accessed or executed. Some services and server processes need a specific set of permissions; without them they will throw errors and may break your site. For all services to function properly, you therefore need to grant each of them the appropriate authorization.

How to set WordPress file permissions using FTP

FTP clients let you change the permissions of a file or folder easily. The function is called chmod or “Set permissions” in the program's menu.

  • When you open and view files and folders in an FTP client, the column labelled Permissions is the one we will work with.
  • For each file, a combination of letters and hyphens shows the corresponding permissions, for example -rwxrw-r--. It decodes as follows: the leading hyphen indicates a regular file; the next three letters r, w and x mean the owning user has read, write and execute permission; the following three characters, rw-, mean the group has read and write permission only, a hyphen in any position meaning that permission is absent; and the last three, r--, mean that others can only read the file, not write or execute it.
  • You change these permissions by right-clicking the file and selecting “Set permissions” from the menu.
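As an added example (not code from the original article), the two POSIX shell functions below convert between the symbolic notation an FTP client shows in its Permissions column and the three-digit octal number that chmod and cPanel use, so you can check that the string you see matches the number you intended to set. Function and variable names are my own, and the sample strings are constructed; setuid, setgid and sticky bits are not handled.

```shell
#!/bin/sh
# Added example: translate "-rwxrw-r--" style strings to octal and back.
# Function names are my own; nothing here comes from WordPress itself.

# symbolic_to_octal "-rwxrw-r--"  ->  764
# The first character is the file type ("-" file, "d" directory) and is dropped;
# the remaining nine are three rwx triplets for user, group and others.
symbolic_to_octal() {
  sym=$1
  body=$(printf '%s' "$sym" | cut -c2-10)
  [ "${#body}" -eq 9 ] || { echo "invalid permission string: $sym" >&2; return 1; }
  octal=""
  i=1
  while [ "$i" -le 7 ]; do
    r=$(printf '%s' "$body" | cut -c"$i")
    w=$(printf '%s' "$body" | cut -c"$((i + 1))")
    x=$(printf '%s' "$body" | cut -c"$((i + 2))")
    val=0
    [ "$r" = "r" ] && val=$((val + 4))   # read    = 4
    [ "$w" = "w" ] && val=$((val + 2))   # write   = 2
    [ "$x" = "x" ] && val=$((val + 1))   # execute = 1
    octal="$octal$val"
    i=$((i + 3))
  done
  printf '%s\n' "$octal"
}

# octal_to_symbolic 644  ->  rw-r--r--
# Each digit is expanded into its r/w/x letters; a hyphen marks an absent bit.
octal_to_symbolic() {
  oct=$1
  case $oct in
    [0-7][0-7][0-7]) ;;
    *) echo "expected three octal digits, got: $oct" >&2; return 1 ;;
  esac
  out=""
  i=1
  while [ "$i" -le 3 ]; do
    d=$(printf '%s' "$oct" | cut -c"$i")
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Constructed sample strings, as an FTP client might display them.
symbolic_to_octal '-rwxrw-r--'   # prints 764
symbolic_to_octal 'drwxr-xr-x'   # prints 755
octal_to_symbolic 644            # prints rw-r--r--
```

The example in the article, -rwxrw-r--, therefore corresponds to 764, which is why the group column can still modify the file; the 644 recommended later on the page decodes to rw-r--r--, where only the owner can write.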

Check our detailed blog on Commonly Hacked WordPress files and How it affects your WordPress Website.

How to set WordPress file permissions using cPanel

Through the cPanel File Manager, you can see the different files and their permissions.

  • Right-click the file whose permissions you wish to change and select “Change Permissions”.
  • A dialog with checkboxes pops up; tick or untick the boxes to adjust the permissions.
  • Once done, confirm the changes, and you are good to go.

WordPress file permissions: Various components and files and their appropriate permissions

[Screenshot: WordPress file permission list]
  • Correct file permissions for wp-content: This folder stores all the themes, plugins and uploads of your WordPress site. Editing the files in it can cause errors and damage to the site. Protecting this folder ensures that attackers cannot tamper with the content supplied by the user. The correct WordPress file permission for this folder is 755, and all the files within it must have 644. This ensures that no one but the owner can write anything within the folder.
  • Correct file permissions for wp-includes: This folder contains the core files necessary for the proper functioning of the WordPress admin and API. The suitable permission for this folder is 644.
  • Correct file permission for wp-content/uploads: Apart from the owner, no one should have write privileges on files. However, wp-content also has to be writable by www-data, the web server user. This can be done by giving the group write access to wp-content by specifying 755 and then adding your user to the www-data group, or by temporarily switching to the www-data user with su. The wp-content/uploads folder holds all your uploads to the website and thus needs to be protected; the appropriate permission for it is 755.
  • Correct file permissions for all files: The appropriate permission for all files in WordPress is 644. This means the owner has read and write permission while group and others can only read the files. No one accessing the files can alter them, apart from the owner.
  • Correct file permissions for all folders: The suggested permission for all folders is 755. This translates to read, write and execute permission for the user and only read and execute permission for group and others.
  • Correct file permissions for wp-config: wp-config.php is one of the most sensitive files in the entire directory, since it contains the base configuration and the database connection information. The appropriate permission for this file is 444. This means that the user and the group can only read it, and others cannot access the file.
  • Correct file permission for the PHP file in the wp-root: This blank index.php file in the wp-root hides the directory listing; without it, the entire file directory would be exposed. The suggested file permission is 444, which gives read permission to everyone, including the user and the group.
Files/Folders                          Permissions
wp-content                             755
wp-includes                            644
All .php files                         644
All folders                            755
wp-config.php (public_html folder)     444
index.php (public_html folder)         444
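The following POSIX shell script is an added example, not a script from the article or from WordPress. It applies the scheme in the table above to a WordPress root (every folder 755, every file 644, then wp-config.php and index.php in the root set to 444; wp-includes is handled by the "All folders" row) and audits a tree for anything that deviates, in particular files writable by group or others, which is the condition the article warns about. The function names and the root-directory argument are my own conventions.

```shell
#!/bin/sh
# Added example: apply and audit the permission scheme from the table above.
# Function names and the root-directory argument are my own conventions.

# Apply: folders 755, files 644, then the two sensitive root files 444.
apply_wp_permissions() {
  root=$1
  # Refuse to run unless the directory really looks like a WordPress root,
  # so a typo in the path cannot rewrite permissions elsewhere.
  [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 444 "$root/wp-config.php"
  [ -f "$root/index.php" ] && chmod 444 "$root/index.php"
  return 0
}

# Audit: print one line per path that deviates from the scheme.
# Empty output means the tree matches the table.
audit_wp_permissions() {
  root=$1
  # Group- or world-writable entries let a non-owner modify the site.
  find "$root" \( -perm -020 -o -perm -002 \) -print | sed 's/^/writable by group or others: /'
  # Every folder must be exactly 755.
  find "$root" -type d ! -perm 755 -print | sed 's/^/folder not 755: /'
  # Every ordinary file must be exactly 644, except the two read-only root files.
  find "$root" -type f ! -perm 644 \
    ! -path "$root/wp-config.php" ! -path "$root/index.php" -print | sed 's/^/file not 644: /'
  # wp-config.php and the root index.php must be read-only for everyone (444).
  for f in "$root/wp-config.php" "$root/index.php"; do
    [ -f "$f" ] && [ -z "$(find "$f" -perm 444)" ] && printf 'not 444: %s\n' "$f"
  done
  return 0
}
```

Run the audit first and read its output, apply only from the account that owns the files, and run the audit again afterwards: it should print nothing. The exact-match checks (`-perm 755`, `-perm 644`) catch both looser and stricter settings, so a folder accidentally set to 644 shows up too.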

WordPress file permissions are necessary for securing your account. If you set up your site yourself, it is quite possible that you skipped this step. It matters for the reasons given above, and ignoring it leaves your account exposed. Beyond these steps, you also need to protect your account from other kinds of attack, which is where online web security services come in. Security services such as Astra protect your account on all fronts, and with regular security reports and advanced features you can be sure of your security.

Also, check Top 10 Exploited WordPress plugins in 2018

About The Author

Sovandeb

Your usual nerd with an avid interest in everything tech. If not writing then following up on cyber security news and preparing for my next article. If there is something new out there you can bet I will write about it.

2 Comments

  1. In your post you have written that the wp-includes folder will have 644 permission, but it will not work to load the site. It gives a “not found” error in the browser. Please suggest if I am wrong…

    • Naman Rastogi

      Hi Jignesh,
      Thanks for reaching out.

      WordPress recommends stricter permissions
      https://codex.wordpress.org/Hardening_WordPress#File_Permissions

      Code for wp-includes folder:

      ```apache
      # Block the include-only files.

      RewriteEngine On
      RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]

      # BEGIN WordPress
      ```

      Please do let me know if you have any questions.
