An Introduction
This comprehensive guide on “WordPress File Permissions” provides an in-depth understanding of the importance of proper file permission settings in WordPress. It explains that file permissions determine who can access, modify or execute certain files and folders on a WordPress website. The article highlights that incorrect file permissions can lead to security vulnerabilities and negatively impact the functionality of a website. It covers the various types of file permissions, including 755 for folders and 644 for files, which are the permissions recommended by most hosting providers, but cautions that in certain cases more restrictive permissions may be required.
This article also explains how to change file permissions using various methods such as cPanel, FTP clients, and the command line. Additionally, we have covered the use of plugins for managing file permissions, including their pros and cons, and provided recommendations on the best practices for file permission management.
Let's get started and learn how WordPress users can secure their website and prevent potential security issues. We have emphasized the importance of understanding and properly setting file permissions to ensure the smooth operation of a WordPress website.
TL;DR – In most cases, a good web host or developer will set the WordPress file permissions once, and you rarely have to worry about them again. WordPress file permissions keep your site’s files and directories secure from unauthorized access by hackers. You should always take a backup of your site before altering permissions, and be careful when altering permissions.
One of the practical ways of securing your website is to set correct file and folder permissions in WordPress. However, changing WordPress file permissions can throw up errors. In this article you will learn more about WordPress file permissions, how they function, and how to fix file and folder permission errors in WordPress via cPanel, FTP and .htaccess.
File and folder permissions error in WordPress is one of the most common errors seen while running a WordPress website. It can be very frustrating when you receive this error. Incorrect WordPress File Permissions can prevent users from interacting with the managed website, as it affects creating files and updating files’ settings.
If you run across this error, you’ll know what the problem is right away. WordPress will return a warning message when you try to access your website (something similar to Unable to create directory).
Making sure your permission settings are correct is critical to keeping your WordPress site safe. After all, you don’t want regular users to have access to your WordPress core files.
Set them incorrectly and you end up leaving easy access to the important data/files of your website and the security can be easily jeopardized. In the worst-case scenario, a hacker may also add spam or infect your website with a WordPress malware redirect hack.
To apply any kind of change, WordPress must have the proper privileges.
Make sure to set correct file permissions for WordPress; if the permissions are set wrong, you can’t do anything on your website. File and folder permission errors in WordPress can appear as different messages, depending on the action you want to take, such as “403 forbidden error” or “not eligible to do this task.” The error message directly signifies the wrong permission settings. Due to wrong file and folder permissions, you can also get the WordPress “Upload Failed To Write File To Disk” error or an HTTP error while uploading new images.
Some of the other common errors include:
But, you don’t need to be worried sick.
When you set file permissions, you are deciding who can access that file. Usually, they look like a three-digit number, or, if you are using FTP (File Transfer Protocol) or SSH (Secure Shell Access) to make changes to WordPress file authorizations, a combination of letters and hyphens.
It begins with defining who has the right to access a file, and there are three options for this –
Besides, there are other three varied types of actions that the user, group, and world can make –
Finally, the file permissions are put together as three numbers organized in a particular order –
Now, here is the turn for the numbers.
Each number corresponds to a set level of authorization or an amalgamation of authorization.
For all possible levels of authorization, a specific number is denoted as follows –
You may find it hard to remember what the numbers actually mean as far as WordPress file permissions are concerned. So, this is a helpful method through which you can remember.
All you need to remember is that –
When you have finalized the permissions you want to give, your next move should be to add them, and the final outcome will be the number for the file authorization you want to set.
For instance, if you are looking for both read and write access, you are going to add four and two to get six.
If you want read, write, and execute authorizations, then you will be adding four, two, and one together to get seven.
The moment you have the number of the level of access you want to allow, you will have to organize them as per the authorization order as mentioned below –
This comes in handy when you access the files with the help of a hosting provider. However, the file permissions may look different when you use Secure Shell Access or File Transfer Protocol. They will generally consist of hyphens and letters.
This is what you will see –
-rwxrw-r--
Pretty much like the numbered file permissions mentioned above, the same three permission options will apply in an identical order – user, group, and world.
One of the major differences is that the structure is set into four groupings –
There are some options for these groupings and they are discussed as below –
A hyphen (-) – Lack of access, or as far as the first grouping is concerned, it mainly denotes a regular file.
r – Read
w – Write
x – Execute
d – This stands for Directory, which is just an option for the first grouping, and moreover it is not used frequently for WordPress file authorizations.
In the context of the above-mentioned example, let us have a look at the breakdown of the file permissions that will be set.
Example | - | rwx | rw- | r-- |
---|---|---|---|---|
What grouping actually means | File type | Read, write, and execute an authorization for the user. | Read, write, and execute an authorization for the group. | Read, write, and execute an authorization for the world. |
Description of the example | Stands for a regular file | Read, write, and execute an authorization for the user. | Group is provided the access to read and write. | The World only has the authorization to read. |
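The two notations above describe the same bits, so one can be computed from the other. The following is an added example, not part of the original article, and the function names `sym_to_octal` and `octal_to_sym` are made up for illustration:

```shell
#!/bin/sh
# Added example: convert between the letter form shown by FTP/SSH clients
# and the three-digit form (read = 4, write = 2, execute = 1).

# "-rwxrw-r--" -> "764". Expects 10 characters: type, then user/group/world.
sym_to_octal() {
    sm_mode=$1
    case $sm_mode in
        [-d][-r][-w][-x][-r][-w][-x][-r][-w][-x]) ;;
        *) echo "invalid mode string: $sm_mode" >&2; return 1 ;;
    esac
    sm_rest=${sm_mode#?}          # drop the file-type character
    sm_octal=
    for sm_who in user group world; do
        sm_trip=$(printf '%.3s' "$sm_rest")
        sm_rest=${sm_rest#???}
        sm_digit=0
        case $sm_trip in r??) sm_digit=$((sm_digit + 4)) ;; esac
        case $sm_trip in ?w?) sm_digit=$((sm_digit + 2)) ;; esac
        case $sm_trip in ??x) sm_digit=$((sm_digit + 1)) ;; esac
        sm_octal=$sm_octal$sm_digit
    done
    printf '%s\n' "$sm_octal"
}

# "644" -> "rw-r--r--" (the nine permission characters, without the type).
octal_to_sym() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "invalid octal mode: $1" >&2; return 1 ;;
    esac
    os_digits=$1
    os_sym=
    while [ -n "$os_digits" ]; do
        os_d=$(printf '%.1s' "$os_digits")
        os_digits=${os_digits#?}
        [ $((os_d & 4)) -ne 0 ] && os_sym=${os_sym}r || os_sym=${os_sym}-
        [ $((os_d & 2)) -ne 0 ] && os_sym=${os_sym}w || os_sym=${os_sym}-
        [ $((os_d & 1)) -ne 0 ] && os_sym=${os_sym}x || os_sym=${os_sym}-
    done
    printf '%s\n' "$os_sym"
}
```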
All Folders – As per this, a user is allowed to read, write, and execute. Read and execute access is provided to the group and others are not provided any provision.
All .php files – As per this, a user is allowed to read and write. Groups and others only enjoy the provision of reading the files. This way whosoever is accessing the files will not be able to make changes to the files, this right will only be enjoyed by the owner.
Wp-config.php (public_html folder) – wp-config.php is the configuration file of your WordPress site. Since it is considered one of the important files, make sure you have protected it with 400/440 permission. Here, both the user and the server do not enjoy any permission to edit. And others are not authorized to even read.
Index.php (public_html folder) – 644/444 is the permission for index.php. Setting 444 permission will end up adding extra security where the admin enjoys the right to write or execute any action.
If you overlook the aspect of setting permissions for file and folders, you may end up jeopardizing the loop. This way, the hacker will get easy access to your account.
Moreover, the hacker will gain access to read, write, and execute your website’s important files. This will allow the hacker to misuse your website and change its settings, and eventually the hacker will plant a backdoor in the WordPress site.
Besides, not having effective file authorizations allows the hacker to inject malicious code that may get your WordPress site hacked and infected with malware, which could cause further complications for your SEO too.
This particular folder holds all the plugins and themes and it also uploads them to your WP account. Generally, if you make changes to the files, you may come across some error and may damage your website as well.
If you have opted for apt protection, you will ensure that the hackers don’t access the content provided by the users. The correct WP file authorization for this particular folder will be 755 and it is mandatory that the files within the folder have 644. This way, you will ensure that only you, as an owner, have the authority to write anything within the folder.
This folder comprises all the key files required for the smooth functioning of both WP and API. The required authorization for this folder is 755.
The writing privileges to files should only be enjoyed by the user. However, it is important that wp-content is writable by www-data as well. This is easily done; you need to give write access to wp-content for a group. You also need to mention 755 and the user should be added to www-data.
Whatever you have uploaded to your website, wp-content will contain all these uploads and most importantly it requires apt protection. Apt authorization for this file is 755.
In WordPress, suitable authorization for all files should be 644. This means that the user will have the authorization to read and write, as far as groups and others are concerned, they can only read the files. This will ensure that only the owner can make changes.
Recommended authorization for all the folders is 755. This empowers the user to read, write, and execute, and gives groups and others read and execute authorization.
The wp-config file has all the information about the database connection and base configuration, which is the reason it is considered one of the important files in the whole directory. The apt authorization for this file is 600. This means that the user and the groups enjoy the authorization to read and others will not enjoy the privilege of accessing it.
Wp-root has the blank file, this is where the whole directory is hidden. Without this file, the whole file directory will not have any cover. The advised file authorization will be 444. As per this authorization, everybody gets the authorization to read, including the user and group.
Relative Path | Suggested Permissions |
---|---|
/ | 755 |
wp-includes | 755 |
wp-admin | 755 |
wp-admin/js | 755 |
wp-content | 755 |
wp-content/themes | 755 |
wp-content/plugins | 755 |
wp-content/uploads | 755 |
wp-config.php | 600 |
.htaccess | 644, or 600. |
Fixing file and folder permissions for WordPress requires you to set proper permissions. Here we will talk about how to set or change file or folder permissions on your WordPress site for maximum security. This will also help you fix any error that occurred due to incorrect file or folder permissions.
For example, I copied the whole ‘themes’ folder from local to server, replaced the old one on server. Then I have to carefully manipulate the chown and chmod:
# dive into 'wp-content' folder,
# where contains 'themes' folder.
cd /A/CERTAIN/PATH/wp-content
# change privilege of 'themes'
sudo chmod 775 themes
# ATTENTION! For I am currently using
# 'Bitnami WordPress Production-Ready
# Stack Deployment On AWS' solution,
# I confirmed before replacing 'themes',
# the original group is 'root' and
# owner is 'daemon'. So please confirm
# yours before do this step.
#
# This step is to change 'themes' OWNERGROUP
# to 'root' and OWNER to 'daemon'.
sudo chown -R root:daemon themes
# dive into 'themes'
cd themes
# change all files to 664
sudo find . -type f -exec chmod 664 {} +
# change all folders to 775
sudo find . -type d -exec chmod 775 {} +
With the help of programs or FTP clients, the permission settings for a file or a folder can be changed easily. This is done using a function present in the menu of the program, called chmod or set permissions. When the files and folders are viewed in an FTP client, the column beneath the Authorization label is the one that matters.
For every single file, a combination of hyphens and letters is shown as the corresponding permission.
For instance, -rwxrw-r--. You can easily decode the authorization. The first hyphen indicates that the entry is a regular file. The letters r, w, and x that follow mean that you, as the user, have the right to read, write, and execute the file.
The following three characters show that the group can only read and write; the hyphen denotes a permission that is not granted. As for the last three characters, they show that others can only read the file; they cannot write or execute it.
Making changes to these permissions is quite simple; you need to right-click on the files. Once you have done this, go to the menu and select the “Set Permissions” option.
With cPanel File Manager, it is easy to see the authorization for different files.
Remember, every hosting provider is unique. If you are looking to fix WordPress file and folder permissions through Plesk, cPanel, or any other control panel used by your host, go through the documentation of your host on how you can carry out changes.
You also have the option of fixing WordPress permissions with an SSH client of your choice.
You need to enter the below-mentioned command to fix WordPress permissions for folders –
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
This is where you need to be cautious that you have successfully updated “/path/to/your/wordpress/install/” with the actual path of the folder on your server.
Fixing WordPress file permissions for all files can be easily done using the following command –
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
Again, you need to ensure that you have updated “/path/to/your/wordpress/install/” with the actual path of the file. If you want, you also have the provision of changing 644.
If you are looking to change the permission for the wp-config.php file, you can use the following command for the suggested change as cited earlier –
chmod 600 wp-config.php
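Before running the chmod commands above, a read-only pass can list what deviates from the permissions suggested in this article. This is an added example, not part of the original article; the function names `wp_perm_scan` and `wp_perm_audit` and the finding labels are made up for illustration:

```shell
#!/bin/sh
# Added example: read-only audit against the modes suggested in this article.
# Function names and finding labels are illustrative, not from any tool.

# Print one "<LABEL> <path>" line per deviation. Changes nothing on disk.
wp_perm_scan() {
    # Writable by "world": any account on the server can alter the entry.
    find "$1" \( -type f -o -type d \) -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # Folders should be exactly 755.
    find "$1" -type d ! -perm 755 | sed 's/^/DIR-NOT-755 /'
    # Regular files should be 644; the two special files are checked below.
    find "$1" -type f ! -name wp-config.php ! -name .htaccess ! -perm 644 |
        sed 's/^/FILE-NOT-644 /'
    # wp-config.php holds the database connection details: 600.
    find "$1" -type f -name wp-config.php ! -perm 600 | sed 's/^/CONFIG-NOT-600 /'
    # .htaccess may be 644 or 600.
    find "$1" -type f -name .htaccess ! -perm 644 ! -perm 600 |
        sed 's/^/HTACCESS-NOT-644-OR-600 /'
}

# Return 0 when clean, 1 when there are findings, 2 on a bad argument.
wp_perm_audit() {
    if [ ! -d "$1" ]; then
        echo "usage: wp_perm_audit /path/to/your/wordpress/install" >&2
        return 2
    fi
    wp_findings=$(wp_perm_scan "$1")
    [ -z "$wp_findings" ] && return 0
    printf '%s\n' "$wp_findings"
    return 1
}
```

An entry can appear under more than one label, for example a 777 folder is both WORLD-WRITABLE and DIR-NOT-755.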
If you have set up your account all by yourself, chances are you may have overlooked this step. Since this is one of the important steps for the aforesaid reasons, overlooking it can pose a threat to your account.