WordPress file permissions: Various components and files and their appropriate permissions
Correct file permissions for wp-content
wp-content stores all the themes, plugins and uploads to your WordPress account. Allowing random modifications to these files may cause errors to your site. Hence, set proper permissions to restrict editing by users in this folder. The correct WordPress file permission for this folder would be 755, and all the files within the folder must have 644. This will ensure your website’s safety as no one can write anything within the folder except the owner.
Correct file permissions for wp-includes
wp-includes is where all the core files reside. In addition to core files, it also includes all the other important files that are necessary for the proper functioning of the WordPress admin and API. Protect this folder by allowing editing permission to the owner only, i.e, the permission of 755.
Correct file permission for wp-content/uploads:
The wp-content/uploads file contains all your uploads to the website. Generally, only the owner should have editing access to files. However, wp-content is an exception. It needs to be writable by www-data too. That is, we need to allow the server writing access. Set 755 permission and add the user to the www-data group. Or, use ‘su’ temporarily to change the user to www-data. The appropriate permission for this file can be 755.
Correct file permissions for all the files
The appropriate permission for all files in WordPress should be 644. This means that the users have read and write permissions and groups and others can only read the files. This will ensure that no one accessing the files can alter them, apart from the owner.
Correct file permissions for all folders
The safe permission of all the folders is 755. This means permission to read, write and execute for the user; only read & execute access to the group and none at all to others.
Correct file permissions for wp-config
The wp-config is the configuration file of your WordPress and is one of the most sensitive files in the entire directory. Protect this with permission of 400. This means even the user and the server has no right to edit, whereas others can not even read.
Correct file permission for the PHP file in the wp-root
PHP file in the wp-root is a blank file that hides the entire directory. Without this, the entire file directory will be bare for all to see. The suggested file permission for this PHP file is 444. It is permission to read-only for all, including the user and the group.
Files/Folders | Permissions |
wp-content | 755 |
wp-includes | 755 |
All .php files | 644 |
All folders | 755 |
wp-config.php (public_html folder) | 400 |
index.php (public_html folder) | 444 |
This is precisely how file & folder permissions should be set in your WordPress.