
[Lesson 4] Understand And Fix WordPress File Permissions In 5 Minutes

WordPress file permissions: Various components and files and their appropriate permissions



Correct file permissions for wp-content

wp-content stores all the themes, plugins and uploads to your WordPress account. Allowing random modifications to these files may cause errors on your site. Hence, set proper permissions to restrict editing by users in this folder. The correct WordPress file permission for this folder is 755, and all the files within the folder must have 644. This will ensure your website's safety, as no one except the owner can write anything within the folder.

Correct file permissions for wp-includes

wp-includes is where all the core files reside. In addition to core files, it also includes all the other important files that are necessary for the proper functioning of WordPress admin and API. Protect this folder by allowing editing permission to the owner only, i.e., a permission of 755.

Correct file permissions for wp-content/uploads

The wp-content/uploads folder contains all your uploads to the website. Generally, only the owner should have editing access to files. However, wp-content is an exception: it needs to be writable by www-data too. That is, we need to allow the server write access. Set 755 permission and add the user to the www-data group. Or, use 'su' temporarily to change the user to www-data. The appropriate permission for this folder can be 755.

Correct file permissions for all the files

The appropriate permission for all files in WordPress should be 644. This means that the user has read and write permissions, and the group and others can only read the files. This will ensure that no one accessing the files can alter them, apart from the owner.

Correct file permissions for all folders

The safe permission for all the folders is 755. This means permission to read, write and execute for the user; only read & execute access to the group and none at all to others.

Correct file permissions for wp-config

The wp-config is the configuration file of your WordPress site and is one of the most sensitive files in the entire directory. Protect it with a permission of 400. This means even the user and the server have no right to edit it, whereas others cannot even read it.

Correct file permissions for the PHP file in the wp-root

The PHP file in the wp-root is a blank file that hides the entire directory. Without it, the entire file directory will be bare for all to see. The suggested file permission for this PHP file is 444. It is a read-only permission for all, including the user and the group.

All .php files: 644
All folders: 755
wp-config.php (public_html folder): 400
index.php (public_html folder): 444

This is precisely how file & folder permissions should be set in your WordPress.
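
A read-only check of a site tree against the modes in the table above, as an added example that is not part of the original lesson. It assumes a `stat` that supports `-c` (GNU or BusyBox); `expected_mode`, `wp_perm_audit` and `make_sample_tree` are hypothetical helper names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree against this page's modes.
# Assumes GNU/BusyBox `stat -c`; file names containing newlines are not handled.

# expected_mode ROOT PATH -> octal mode the page lists for PATH
expected_mode() {
    if [ -d "$2" ]; then echo 755                       # all folders
    elif [ "$2" = "$1/wp-config.php" ]; then echo 400   # config in site root
    elif [ "$2" = "$1/index.php" ]; then echo 444       # index.php in site root
    else echo 644                                       # every other file
    fi
}

# wp_perm_audit ROOT -> prints "actual expected path" per deviation;
# returns 0 when the tree matches, 1 otherwise. Nothing is modified.
wp_perm_audit() {
    root=${1%/}
    report=$(find "$root" \( -type d -o -type f \) | while IFS= read -r path; do
        want=$(expected_mode "$root" "$path")
        have=$(stat -c '%a' "$path")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$have" "$want" "$path"
    done)
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# make_sample_tree -> builds a constructed demo tree with two deliberate
# deviations and prints its path (sample data, not a real site).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"; : > "$t/index.php"
    : > "$t/wp-includes/version.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
    chmod 644 "$t/wp-includes/version.php" "$t/wp-content/uploads/a.jpg"
    chmod 444 "$t/index.php"
    chmod 777 "$t/wp-content/uploads"   # deviation: page says 755
    chmod 644 "$t/wp-config.php"        # deviation: page says 400
    echo "$t"
}

# Usage: sh audit.sh /path/to/site   (does nothing when no path is given)
if [ $# -gt 0 ]; then wp_perm_audit "$1"; fi
```

Each output line gives the current mode, the mode from the table, and the path, so the matching `chmod` can be applied after review.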
