Wordpress Security

WordPress File Permissions – How To Fix [GUIDE]

WordPress File Permissions

Key Takeaways

  • Understanding WordPress Permissions: WordPress file permissions play a crucial role in the security and functionality of your website. They dictate who can read, write, and execute files on your server.
  • Three WordPress Permission Types: There are three main types of permissions:
    • Read (r): Allows the file to be read.
    • Write (w): Allows the file to be modified.
    • Execute (x): Allows the file to be executed as a program.
  • Numeric Values: Permissions are often represented by numeric values, such as 755 or 644. Understanding these values is essential for setting correct file permissions in WordPress.
  • Recommended WordPress Permissions:
    • Directories: 755
    • Files: 644
  • Security Implications: Incorrect WordPress file permissions can lead to vulnerabilities, making your site susceptible to hacks. Always ensure you set permissions as recommended.
  • Changing WordPress Permissions: Tools like FTP clients or cPanel’s File Manager can be used to modify file permissions. Plugins like “WordPress File Permissions Plugin” can also assist in this process.
  • WordPress Automatic Updates: Ensure that your WordPress file permissions allow for automatic updates, enhancing security and functionality.
  • Server Environment: The server environment, whether Linux or another OS, can influence the default file and folder permissions. Always check and adjust based on your hosting environment.
  • Troubleshooting: If you encounter issues like “WordPress inconsistent file permissions” or problems with theme updates, rechecking and resetting file permissions should be your first step.
  • Backup: Before making any changes to your file permissions, always take a backup of your WordPress site to prevent any potential data loss.

An Introduction

This comprehensive guide on “WordPress File Permissions” provides in depth understanding and importance of proper file permission settings in WordPress. It explains that file permissions determine who can access, modify or execute certain files and folders on a WordPress website. This article highlights that incorrect file permissions can lead to security vulnerabilities and negatively impact the functionality of a website. Various types of file permissions – 755 for folders and 644 for files, which are the recommended permissions by most hosting providers, but cautions that in certain cases, more restrictive permissions may be required.

This article also explains how to change file permissions using various methods such as cPanel, FTP clients, and the command line. Additionally,we have covered the use of plugins for managing file permissions, including their pros and cons, and provided recommendations on the best practices for file permission management.

Overall, Lets get started and learn, how WordPress users can secure their website and prevent potential security issues. We have emphasized the importance of understanding and properly setting file permissions to ensure the smooth operation of a WordPress website.

TL;DR – In most cases, a good web host or developer will set the WordPress file permissions once, and you rarely have to worry about them again. WordPress file permissions keep your site’s files and directories secure from unauthorized access by hackers. You should always take a backup of your site before altering permissions, and be careful when altering permissions.

WordPress File Permissions And Site Security

One of the practical ways of securing your website is to Set Correct File or folder Permissions in WordPress. However, changing wordpress file permissions can throw up error. In this article you will learn more about WordPress file permissions, their functioning, and How to Fix File and Folder Permissions Error in WordPress via Cpanel, FTP & .htaccess.

File and folder permissions error in WordPress is one of the most common errors seen while running a WordPress website. It can be very frustrating when you receive this error. Incorrect WordPress File Permissions can prevent users from interacting with the managed website, as it affects creating files and updating files’ settings.

If you run across this error, you’ll know what the problem is right away. WordPress will return a warning message when you try to access your website (something similar to Unable to create directory).

Making sure your permission settings are critical to keep your WordPress site safe. After all, you don’t want regular users to have access to your WordPress core files.

Set them incorrectly and you end up leaving easy access to the important data/files of your website and the security can be easily jeopardized. In the worst-case scenario, a hacker may also add spam or  infect your website with a WordPress malware redirect hack.

Is Your Site Safe & Secure? Check It Now

To apply any kind of changes it’s important that WordPress should have the proper privileges.

Make sure to Set Correct File Permissions For WordPress, if the permissions are set wrong, you can’t do anything on your website. File and Folder Permissions error in WordPress can appear in different messages, depending on the action you want to take, such as “403 forbidden error” or “not eligible to do this task.” The error message directly signifies the wrong permission settings. Due to the wrong file and folder permissions, you can also get WordPress Upload Failed To Write File To Disk Error or HTTP Error while uploading new images.

Some of the other common errors include:

But, you don’t need to be worried sick.

WordPress File Permissions – How do they Work?

When you have file permissions, you are setting who all can access that file. Usually, they look like a three-digit number or in case you are using FTP (File Transfer Protocol) or SSH (Secure Shell Access) they have an amalgamation of letters or hyphens to make changes to WordPress file authorizations.

It begins with defining who has the right to access a file, and there are three options for this –

  •   User – Someone who is the administrator of your website.
  •   Group – Various other users of your website including – Subscribers, Editors, Contributors, and various other user roles.
  •   World – Anyone on the internet.

Besides, there are other three varied types of actions that the user, group, and world can make –

  •   Read – The provision of only viewing the contents of the file.
  •   Write – File can be changed.
  • Execute – Contents of the file like a program, a script can be run.

Finally, the file permissions are put together as three numbers organized in a particular order –

  •   First Number – Permissions that are offered to the user.
  •   Second Number – Access is provided to the group.
  •   Third Number – Authorizations that are offered to the world.

Now, here is the turn for the numbers.

Each number corresponds to a set level of authorization or an amalgamation of authorization.

For all possible levels of authorization, a specific number is denoted as follows –

  • 0 is for no access at all.
  • 1 is for executing.
  • 2 is for writing.
  • 3 is for writing and executing.
  • 4 is for reading.
  • 5  is for reading and executing.
  • 6 is for reading and writing.
  • 7 is for reading, writing, and executing.

You may find it hard to remember what the numbers actually mean as far as WordPress file permissions are concerned. So, this is a helpful method through which you can remember.

All you need to remember is that –

  • 0 will mean there is no excess.
  • 1 is for the execution.
  • 2 means write.
  • 4 is for reading.

When you have finalized the permissions you want to give, your next move should be to add them, and the final outcome will be the number of correct file authorization you want to set.

For instance – If you are looking for both read and write access, you are going to add four and two to get six.

If you are eyeing to read, write, and carry out authorizations, then you will be adding four, two, and one together to get seven.

The moment you have the number of the level of access you want to allow, you will have to organize them as per the authorization order as mentioned below –

  •   The user enjoys the authorization to read and write.
  •   The group enjoys authorization to read.
  •   The world also has the access to read.

This comes handy when you access the files with the help of a hosting provider. However, the file permissions may be different when you use Secure Shell Access or File Transfer Protocol. They, generally, will comprise of hyphens and letters.

This is what you will see –

-rwxrw-r–

Pretty much like the numbered file permissions mentioned above, the same three permission options will apply in an identical order – user, group, and world.

One of the major differences is that the structure is set into four groupings –

  •   First Group – The type of file
  •   Second Group – User authorization
  •   Third Group – Group authorization
  •   Fourth Group – Authorization for the world

There are some options for these groupings and they are discussed as below –

A hyphen (–) – Lack of access, or as far as the first grouping is concerned, it mainly denotes a regular file.

r – Read

w – Write

x – Execute

d – This stands for Directory, which is just an option for the first grouping, and moreover it is not used frequently for WordPress file authorizations.

In the context of the above-mentioned example, let us have a look at the breakdown of the file permissions that will be set.

Example       –     rwx     rw-       r-
What grouping actually means File type Read, write, and execute an authorization for the user. Read, write, and execute an authorization for the group. Read, write, and execute an authorization for the world.
Description of the example Stands for a regular file Read, write, and execute an authorization for the user. Group is provided the access to read and write. The World only has the authorization to read.

WordPress File Permissions

  • 755

All Folders – As per this, a user is allowed to read, write, and execute. Read and execute access is provided to the group and others are not provided any provision.

  • 644

All .php files – As per this, a user is allowed to read and write. Groups and others only enjoy the provision of reading the files. This way whosoever is accessing the files will not be able to make changes to the files, this right will only be enjoyed by the owner.

  • 440

Wp-config.php (public_html folder) – The wp_config is actually the configuration file of your WordPress. Since it is considered one of the important files, make sure you have protected it with 400/440 permission. Here, both the user and the server does not enjoy any permission to edit. And others are not authorized to even read.

  • 644

Idex.php ((public_html folder) ­– 644/444 is the permission for index.php. Setting 444 permission will end up adding extra security where the admin enjoys the right to write or execute any action.

If you overlook the aspect of setting permissions for file and folders, you may end up jeopardizing the loop. This way, the hacker will get easy access to your account.

Moreover, the hacker will gain access to read, write, and execute your website’s important files. This will allow the hacker to use your website wrongly and your website settings will also be changed and eventually, the hacker will plant backdoor in wordpress site.

Besides, not having effective file authorizations allow the hacker to inject malicious codes that may get your wordpress hacked and infected with malware, which could arise further complications for your SEO too. [Also Read – “This Site May Be Hacked” message in Google].

Let STOP here for a while before proceeding further. Have you checked your website already? Is it malware infected due to incorrect file permissions? Then, you should read our post on How to remove malware from wordpress

Recommended WordPress File Permissions

For wp-content

This particular folder holds all the plugins and themes and it also uploads them to your WP account. Generally, if you make changes to the files, you may come across some error and may damage your website as well.

If you have opted for apt protection, you will ensure that the hackers don’t access the content provided by the users. The correct WP file authorization for this particular folder will be 755 and it is mandatory that the files within the folder has 644. This way, you will ensure that only you, as an owner, have the authority to write anything within the folder.

For wp-concludes

This folder comprises of all the key files required for the smooth functioning of both WP and API. The required authorization for this folder is 755.

For wp-content/uploads:

The writing privileges to files should only be enjoyed by the user. However, it is important that wp-content is writable by www-data as well. This is easily done; you need to give write access to wp-content for a group. You also need to mention 755 and the user should be added to www-data.

Whatever you have uploaded to your website, wp-content will contain all these uploads and most importantly it requires apt protection. Apt authorization for this file is 755.

For all the files

In WordPress, suitable authorization for all files should be 644. This means that the user will have the authorization to read and write, as far as groups and others are concerned, they can only read the files. This will ensure that only the owner can make changes.

For All Folders

Recommended authorization for all the folders is 755. This empowers the user to read, write, and implement authorization and implement authorization for groups and others.

For wp-config.php

The wp-config has all the information about database connection and base configuration, this is the reason it is considered as one of the important files in the whole directory. The apt authorization for this file is 600.. This means that the user and the groups enjoy the authorization to read and others will not enjoy the privilege of accessing it.

Correct file Permission for the PHP file in the wp-root

Wp-root has the blank file, this is where the whole directory is hidden. Without this file, the whole file directory will not have any cover. The advised file authorization will be 444. As per this authorization, everybody gets the authorization to read, including the user and group.

Relative Path Suggested Permissions
/ 755
wp-includes 755
wp-admin 755
wp-admin/js 755
wp-content 755
wp-content/themes 755
wp-content/plugins 755
wp-content/uploads 755
wp-config.php 600
.htaccess 644, or 600.

How to Fix WordPress File & Folder Permissions Error?

Fixing files and folder permissions for wordpress requires you to set proper permissions . Here we will talk about how to set or change file or folder permissions on your wordpress for maximum security. This will also help you fix any error occurred due to incorrect file or folder permissions..

A quick way to change wordpress file permissions:

For example, I copied the whole ‘themes’ folder from local to server, replaced the old one on server. Then I have to carefully manipulate the chown and chmod:

# dive into 'wp-content' folder, 
# where contains 'themes' folder.
cd /A/CERTAIN/PATH/wp-content

# change privilege of 'themes'
sudo chmod 775 themes 

# ATTENTION! For I am currently using 
# 'Bitnami WordPress Production-Ready 
# Stack Deployment On AWS' solution, 
# I confirmed before replacing 'themes', 
# the original group is 'root' and 
# owner is 'daemon'. So please confirm 
# yours before do this step.
#
# This step is to change 'themes' OWNERGROUP 
# to 'root' and OWNER to 'daemon'.
sudo chown -R root:daemon themes 

# dive into 'themes'
cd themes

# change all files to 664
sudo find . -type f -exec chmod 664 {} + 

# change all folders to 775
sudo find . -type d -exec chmod 775 {} + 

Changing File Permissions Using FTP?

With the help of programs or FTP clients, the permission settings for a file or a folder can be changed easily. This is done using a function present in the menu of the program, called chmod or set permissions. When the files and folders are viewed and opened in an FTP client, there is a column beneath the Authorization label, that is what will matter.

For every single file, an amalgamation of hyphens and letters are used in the corresponding permission.

For instance –rwxrw-r–. You can easily decode the authorization. The first hyphen represents the permission used for a particular file. The letters – r, w, and x represent that you, as a user, have the right to read, write, and execute the authorization for the file.

The following three characters symbolize that the group of users can only read and write permission. Here, the hyphen denotes that there is no permission for a particular user or a group. As for the last three characters, they represent that others only can read the files, they cannot write or execute it.

Making changes to these permissions is quite simple; you need to right-click on the files. Once you have done this, you need to go to the menu and make a selection for the option of “Set Permissions”.

Changing File Permissions Using cPanel

With cPanel File Manager, it is easy to see the authorization for different files.

  •   To change the authorization of the files, you need to right-click on the files, followed by selecting “Change Permission”.
  •   You will see a checkbox where you can easily make a selection for the boxes and adjust for the authorization.
  •   When you are done, you just need to confirm the changes you have made.

Remember, every hosting provider is unique. If you are looking to fix WordPress file and folder permissions through Plesk, cPanel, or any other control panel used by your host, go through the documentation of your host on how you can carry out changes.

Changing File Permissions Using SSH

You also have the option of fixing WordPress permissions with an SSH client of your choice.

You need to enter the below-mentioned command to fix WordPress permissions for folders –

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

This is where you need to be cautious that you have successfully updated “/path/to/your/wordpress/install/“ with the actual path of the folder on your server.

Fixing WordPress file permissions for all files can be easily done using the following command –

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Again, you need to ensure that you have updated “/path/to/your/wordpress/install/“ with the actual path of the file. If you want, you also have the provision of changing 644.

If you are looking to change the permission for the wp-config.php file, you can use the following command for the suggested change as cited earlier –

chmod 600 wp-config.php

Fix WordPress File permissions With Plugin

  • Install and enable the All In One WP Security & Firewall plugin.
  • In the left menu, hover over “WP Security”.
  • Select the “Filesystem Security” menu item.
  • You’ll get a list of critical files and folders that it checks the permissions for.
  • You can use the “Set Recommend Permissions” button to change it to the plugin’s recommendations.

Check for incorrect WordPress File Permissions

Our Security scanner is designed to harden and lock down your WordPress site. We help you scan and Find the incorrect file and directory permissions of key areas of the site and take required measures to secure your website from future attacks.

Wrap Up

In case, you have set up your account all by yourself, chances are you may have overlooked this step. Since this is one of the important steps for the aforesaid reasons, overlooking this step can pose a threat to your account.

If you are still not able to fix WordPress file permissions or you are facing any other WordPress-related issue, you can get in touch with our expert support team to help you out. Get premium 24×7 support.

 

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)

Tags: change file permissions in WordPress Changing File Permissions Correct file permissions for WordPress Folder Permissions Error in WordPress Set Correct File Permissions WordPress WordPress File Permissions WordPress Permissions