Drupal File Permissions: A Complete Guide With Video Tutorial

Drupal is an open source PHP written content management system. In other words, the source codes in Drupal are rewritable by everyone. If the Drupal file permissions aren’t set properly, it becomes really convenient for hackers to gain access to these files and then manipulate them. Setting your file permissions right does not guarantee to shield you from all the attacks on your website, but it will definitely secure your website from some common attacks. Also, it is a great addition to the security measures already active on your website. Hence, we welcome you to this super helpful article on how to set secure File Permissions on your website.

What is Drupal File Permissions?

Contrary to popular belief, Drupal File permission is not a module, in fact, it is a set of drush commands on Drupal. These set of commands are bundled together for easy downloading with the help of drush DI command. The installation of these commands could be done by :

  • Downloading module to your ~/.drush folder, for example:
    drush @none dl file_permissions-8.x. You can also do the downloading any other way and then copy it to the folder ~/.drush .
  • Running drush cc drush to clear Drush cache.

To run the module, use command drush fp.

drupal file permission

How to Set Secure File Permissions in Drupal?

We already discussed that to keep your files secure, you need to have the best achievable Drupal file permissions handy.

But first, let us get this clear as to what permissions are to be given and to whom. Well, You need to give permissions to read(r), write(w) and execute(x) files and directories. This permission is more frequently converted to a code in which r=4, w=2, x=1. Technically there are three permissions need to be granted each for the owner, the group and the users. Generally, the creator of the file is the owner, the web server is the group and everyone else is the user. The complete power of setting the Drupal file permissions is reserved with the owner. Further, Drupal file permissions are set in each file and directory. (To know more about the process of these permissions visit Drupal.)

Coming to the issue of getting your security permissions in place, we need to set these permissions in a way so that only the owner (i.e. you) have the permissions to r, w & x while the group(web server) have the permissions to r,w & x and everyone else has no power at all.

Setting Drupal File Permissions by FTP program

For Directories

These are the File Permissions that we are going to set for your Drupal store.

For all directories, we’re going to set it to 770

Related Guide – Drupal Security Guide (Give Your Drupal website rock-solid security, Reduce chances of getting hacked by almost 90% )

Here’s how you can do it by an FTP program in these few Simple Steps:

  1. Log into your account Via FTP.
  2. Navigate to the folder where Drupal is installed. Ex: (/path/to/your/drupal/install/)
  3. Right click on the folder where your Drupal is installed, click the File Permissions option in the menu.
  4. Once you click on the option, a new window will open. In the Numeric value field, input the value “770”.
  5. Then enable the Recurse into sub-directories option. In the list seen below, select the checkbox titled “Apply to directories only”.
  6. Once ready, click the OK button.
  7. The process may take several minutes for a large number of files.

For Files

For All Files, we’re going to set it to 640

Here’s how you can do it

  1. Right click on the folder where your Drupal is installed, click the File Permissions option in the menu.
  2. Once you click on the option, a new window will open. In the Numeric value field, input the value “640”.
  3. Then enable the Recurse into subdirectories option. In the list seen below, select the checkbox titled “Apply to files only”.
  4. Once ready, click the OK button.
  5. The process may take several minutes for a large number of files.

Setting permissions by command

We can also change the settings for our Drupal website using commands. Here is how-

For directories

Use command-

ls -al


This set up will allow you (the owner) to read-write-execute, the server to read-execute and others to read-execute.

For files

Use command –

ls -al


This set up will allow you (the owner) to read-write, the server to just read and others to just read as well.

Fixing Drupal 8 permissions

Moving on to the permissions in the latest version of Drupal i.e. Drupal 8. The Taxonomy access control module is updated to a more nuanced version named Permissions by term module in Drupal 8. It offers extended powers to the admin to control the access of nodes on the basis of user & user’s role.

Features of Permission by term as listed on Drupal

To install the Permissions by term (pbt) module you can do either of the following:

  • The module can be installed via Drush or Drupal Console. E.g. with command Drush: drush en permissions_by_term -y
  • To do this manually, one can follow the process as: Download module from project page > Copy on your project’s “module” folder > Go to module management page (/admin/modules) and enable it.

Now, set the permissions for each user and each role in your website as required.

NOTE: The administrator with Id-(1) has access to all the nodes by default.

Drupal Settings PHP permissions

The settings.php file is where the database configuration is defined in Drupal. It resides inside the sites/default/files directory. For your Drupal site to run efficiently, you need to give Drupal the permissions to r,w & x in the directory and in settings.php.

The directory sites/default and the file setting.php should have permissions such that it is writable by the server. To achieve this run the following command-

For directory

ls -l sites/

Permission on sites/default should be 755 [drwxr-xr-x]:

ls -l sites/default/settings.php

For file

Permission on settings.php should be 644 [-rw-r–r–]:

chmod 644 sites/default/settings.php

Note: If you are in the same group as the web user, then changing the permissions to 664 will be sufficient.

Do the above mentioned set up for your Drupal file permissions and you are good to go. Hope this article was helpful for you.

Astra Security Suite for Drupal

Astra offers rock solid Web Application Firewall & Immediate Malware Cleanup for your Drupal website. Astra firewall is tailored for Drupal & stops attacks like SQL Injection, XSS, SEO Spam, Redirection Malware, SEO Spam, Bad Bots & 100+ attacks in real time.

Take an Astra Demo Now

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Free Website Security Scanner