WordPress Security

How to Fix WordPress File or Folder Permissions – Step by Step Procedure

Updated on: August 8, 2021

How to Fix WordPress File or Folder Permissions – Step by Step Procedure

When we talk about securing our WordPress account, we tend to discuss the security of plugins and extensions mostly. Securing plugins and extensions is no doubt an important aspect of it. But, ignoring WordPress file permissions altogether can be immensely dangerous for your WordPress website.

To begin with, let us know what WordPress file permissions are. WordPress file permissions are basically permissions to manage who can do what to your website’s files & folders. Not to mention, securing the right permissions adds to your site’s security and makes you less vulnerable.

Still, more often than not users ignore them after setting up the initial configuration.

How will you check if your website has correct files & folder permissions? The manual process would mean hours of slogging in front of your PC. Who has time for that? No one.

So, there must be a better process; and there is. Just run a scan with the WP Hardening plugin. It will flag all the files & folders in your website that have vulnerable permissions.

Wordpress File/Folder Permissions
The WP-Hardening plugin flags vulnerable file permissions in a website

Recommended WordPress File Permissions

Wordpress File/Folder Permissions

Not setting files and folder permissions could allow an attacker to easily exploit the loop, this, in return could give them unauthorized access to your account.

It could also wrongly allow users to read, write and execute sensitive files on your site. Using which they can alter your site settings and even plant backdoors.

In addition to this, poor permissions let hackers inject malicious codes that could run certain malware on your WP site.

Thus, with suitable file permissions, you can not only add an additional level of security to your account but also protect it against possible attacks by unauthorized people.

Related Guide – Complete Step by Step Guide to WordPress Security (Reduce the risk of getting hacked by 90%)

Apart from security reasons, wrong file permissions can also cause errors in accessing and executing these files. There are services and servers that need certain sets of permissions to work efficiently on/with your website.

Without them, they will throw error messages on your screen and can even harm your site. Thus, for the proper functioning of different services, you need to give them the appropriate authorization.

You can set file permissions either by FTP or chmod. I have mentioned both these methods below:

How to Set WordPress File Permissions Using FTP

Watch this video for a quick fix!

Fix WP file & folder permissions

By using FTP clients or programs, you can easily change the permission settings for a file or folder. The function to do it is called chmod or set permissions which can be found in the program menu.

  • When you open and view the files and folders in an FTP client, the column under the Permissions label is the one we would work upon.
  • For each file, a combination of letters and hyphens is used in the corresponding permission. One example of this is –rwxrw-r–. Users can easily decode the permission as such; the first hyphen stands for the permission being used for a file, and the letters r, w, and x represent that the user respectively has read, write and execute permissions for the file. The next three characters mean that the group of users has only read and write permissions. The hyphen means that the particular user or group has no permissions to execute the file. The last three characters represent that others can only read the files, but not write or execute it.
  • You can simply change these permissions by right-clicking on the files and selecting the option “Set permissions” from the menu.

Check our detailed blog on Commonly Hacked WordPress files and how it affects your WordPress Website.

How to Set WordPress File Permissions Using cPanel

Through the cPanel File Manager, you can see the different files and their permissions.

  • Right-click on the files you wish to change the permissions of and then select “Change Permission“.
  • A checkbox will pop up where you can select the boxes and adjust the permissions.
  • Once done, confirm the changes, and you are good to go.

WordPress file permissions: Various components and files and their appropriate permissions

list of wordpress file permissions
WordPress file permission list screenshot

Recommended File Permissions for wp-contents

This folder stores all the themes, plugins, and uploads to your WordPress account. Generally editing the files may cause errors and damage to the site. Protecting this folder will ensure that attackers cannot access the content supplied by the user. The correct WordPress file permission for this folder would be 755, and all the files within the folder must have 644. Thus, this will ensure that no one can write anything within the folder except the owner.

Recommended File Permissions for wp-includes

This folder includes all the core files and all the files that are necessary for the proper functioning of WordPress admin and API. The suitable permission for this folder is 755.

Recommended File Permissions for wp-content/uploads

Apart from the user, no one should have writing privileges to files. However, wp-content has to be writable by www-data too. This can be done by giving wp-content write access for a group by specifying 755 and then adding the user to the www-data group. Or, using ‘su’ temporarily change to the user to www-data. the wp-content/uploads file contains all your uploads to the website and thus needs to be protected. The appropriate permission for this file can be 755.

Recommended File Permissions for all the files

The appropriate permission for all files in WordPress should be 644. This means that the users have read and write permissions and groups and others can only read the files. This will ensure that no one accessing the files can alter them, apart from the owner.

Recommended WordPress folder permissions

The suggested permissions for all the folders are 755. This translates to read, write, and execute permissions for the user and only read and execute permissions for groups and others.

Related Guide – WordPress Hack Removal

Recommended file permissions for wp-config

The wp-config is one of the most sensitive files in the entire directory since it contains all the information about base configuration and also the database connection information. The appropriate permission for this file will be 400/440. This means that the user and groups have permission to only read and others will not be able to access the file.

Correct file permission for the PHP file in the wp-root

This blank file present in the wp-root hides the entire directory, and without this file, the entire file directory will be naked. The suggested file permission will be 444. This permission gives reading authority to all, including the user and the group.

All .php files644
All folders755
wp-config.php (public_html folder)400/440
index.php (public_html folder)444/644

Here’s a video that you need to follow step-by-step to secure your WordPress site completely.


WordPress file permissions are necessary for securing your account. If you have set up your account on your own, then it’s possible that you might have ignored this step. As already discussed, this is one crucial step for the aforementioned reasons. Ignoring this step could pose a potential threat to your account.

Besides file permissions, there are other security to-dos that you should definitely follow. To make the process simpler, you can use the WP Hardening plugin by Astra. WP Hardening is a one-click security fixer tool for your WordPress website. You can fix 12+ security areas (admin & API security, information disclosure, server hardening, etc.) with this plugin with just a toggle of a button.

To ensure even advanced security, deploy Astra on your website. At Astra, we strive to make the web a more secure place with our ‘Suite’ of security tools, which includes — WAF (Web Application Firewall), Malware Scanner, VAPT (Vulnerability Assessment and Penetration Testing), IP/Country blocking and of course malware cleanups among various other features.

How does Astra Firewall work?
How Astra Web Application Firewall protects your WordPress website

Tags: , , , , ,

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
5 years ago

In your post you have written the wp-includes folder will have 644 permission, but it will not work to load the site. it gives not found an error in the browser. Please suggest If am wrong…

Naman Rastogi
5 years ago
Reply to  Jignesh

Hi Jignesh,
Thanks for reaching out.

WordPress recommends stricter permissions

Code for wp-includes folder:
“`# Block the include-only files.

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

# BEGIN WordPress“`

Please do let me know if you have any questions.

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany