When thinking about WordPress security, people rarely think about file permissions. Most of the time, you think about installing a security plugin and calling it a day. And that's a great mindset to have, but there are other considerations to be mindful of.
Easily accessible files and folders are vulnerabilities that hackers can exploit, although in our experience this is rarely the case. Hackers tend to use other methods to gain control of your website. Nevertheless, it is good practice to have WordPress permissions for files and folders locked down.
Or perhaps security is far from your mind, and you are here because you see an error, "wordpress you do not have sufficient permissions to access this page", while uploading a file. That too is caused by incorrect file permissions.
Either way, by the end of this article, you'll learn not just how to set proper file permissions but also which files are important enough to require restricted access.
Before you make any changes though, create a backup of your website. File permissions can be tricky things to tinker with.
What are WordPress file permissions?
File permissions are a set of instructions that dictate who can access and modify WordPress files and folders. You can change permissions to give or restrict users from accessing files and folders.
For the purposes of this article, we will be using the term "user" to denote a person or collection of people who interact with files and folders. This is different from the WordPress users where we talk about the account and access privileges, and also distinct from the generic synonym for website visitors.
There are 3 types of users: User, Group and World; and 3 types of permissions: Read, Write, and Execute.
Who are these users, and what permissions are we talking about exactly?
- World: Anyone on the internet
- Group: A set of people with user roles like editors, contributors, subscribers, etc.
- User: WordPress administrator
WordPress administrators (i.e. Users) can dictate what the World and Group can access and modify.
Now coming to permissions, each type of user can be granted any combination of three permissions:
- Read: They can only view the file's contents
- Write: They can modify the contents of the file
- Execute: They can run the code in the file
Let's say you want to grant your editors access to the wp-config.php file. They need to view the file occasionally, but you don't want them to modify it. It's a crucial WordPress file and the smallest mistake can break your website.
So, you'd offer your editors (i.e. Group) access to Read the file. Nothing else.
How to set proper WordPress permissions?
Important: You are going to access the backend of your site and modify crucial WordPress files. Therefore, you absolutely need to take a complete backup of your website. If you do end up making a mistake, you can quickly restore your website to normal.
There are two ways in which you can change file permissions.
- Change WordPress file & folder permissions using cPanel
- Change WordPress file & folder permissions using FTP
Both methods work the same way, regardless of which web host you use. However, some web hosts do not allow cPanel access, in which case you will need to use FTP.
1. Change WordPress permissions using cPanel
Step 1: Log in to your web hosting account and navigate to the cPanel > File Manager.
Step 2: Next, find the public_html folder. This is where your WordPress website is stored.
Step 3: Find the folders (also called directories) we have listed below, right-click, and choose Change Permissions.
Step 4: Next, fix the WordPress permissions by following the instructions below:
- Folder: wp-admin
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-includes
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/themes
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/plugins
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/uploads
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- File: wp-config.php
  - Group and World: Read
  - User: Read, Write
- File: .htaccess
  - Group and World: Read
  - User: Read, Write
2. Change WordPress permissions using FTP
Step 1: Download and install FileZilla on your local computer.
Step 2: Enter your FTP credentials and select Quickconnect.
If you don't know what your FTP credentials are, ask your web host provider or find them yourself with the help of this article and these videos.
Step 3: When the connection is made, files and folders will start populating in the right panel on Filezilla. Select the public_html folder.
The public_html folder contains your WordPress website, and so all your WordPress files and folders will start appearing in the panel below.
Step 4: Find the folders we have listed below, right-click, and choose Change Permissions. Next, set the permissions for WordPress we have recommended below.
- Folder: wp-admin
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-includes
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/themes
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/plugins
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/uploads
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- File: wp-config.php
  - Group and World: Read
  - User: Read, Write
- File: .htaccess
  - Group and World: Read
  - User: Read, Write
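The same recommendations as an added check, not part of this article: a Python script that audits a WordPress directory against the table above (directories 755, files 644 in the numeric notation explained in the FAQ below) and can apply the fix. It assumes a POSIX filesystem and shell access to the server, which the cPanel and FTP methods above do not require; the miniature tree it builds is constructed sample input.

```python
import os
import stat
import tempfile

# The article's recommended modes in octal (see FAQ 5 below).
DIR_MODE = 0o755   # User: Read, Write, Execute; Group and World: Read, Execute
FILE_MODE = 0o644  # User: Read, Write; Group and World: Read

def audit(root):
    """Return (relative path, actual mode, expected mode) for every entry whose bits differ."""
    # Symlinks are skipped: their own bits are not what the web server uses.
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                findings.append((os.path.relpath(path, root), actual, expected))
    return findings

def fix(root, findings):
    """Apply the recommended mode to each entry reported by audit()."""
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), expected)

def format_finding(rel, actual, expected):
    """One report line in numeric form; World write access is never in the table, so flag it."""
    flag = "  <-- world-writable" if actual & stat.S_IWOTH else ""
    return f"{rel}: is {actual:03o}, recommended {expected:03o}{flag}"

def make_sample_tree():
    """Constructed sample: a tiny WordPress tree with a world-writable wp-config.php and a read-only uploads folder."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.chmod(root, DIR_MODE)
    for d in ("wp-admin", "wp-includes", "wp-content", "wp-content/plugins",
              "wp-content/uploads"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), DIR_MODE)
    for name, mode in (("wp-config.php", 0o666), (".htaccess", FILE_MODE)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(os.path.join(root, name), mode)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o555)
    return root
```

Run `audit` on the real public_html folder first and read the report; call `fix` only once you are happy with what it would change.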
The reasoning behind our recommended WordPress file permissions
Before you start modifying the file permissions, it's important to understand which files and folders need protection and why.
WordPress websites are made of many files and folders. The most important ones are:
- wp-admin
- wp-includes
- wp-content
- wp-content/themes
- wp-content/plugins
- wp-content/uploads
- wp-config
- .htaccess
These files and folders are crucial for your website because they contain the data and code that enable your website to function properly.
For instance, the wp-config file contains information about your database like the database name, password, etc. Anyone who has access to read wp-config can use it to break into your database. Therefore, only trusted users should be allowed to read and modify the wp-config file, and others like it.
Website security should never be taken lightly, and the best way to protect your website is by installing a security plugin. Check out MalCare, the best-in-class security plugin with a firewall, scanner and many more features to ensure your website remains safe.
Common issues caused by incorrect or bad file permissions
Unsurprisingly, incorrect or bad WP folder permissions can lead to errors. In fact, if an experienced WordPress developer set up your website for you, you probably do not need to alter the file permissions. However, if you are experiencing issues, then perhaps this section can help you resolve them.
Ideally, if you had a website backup, you wouldn't need to troubleshoot errors like these. You could roll back to the last working version and restore your website's functionality in an instant.
We've described the three most common errors caused by incorrect WordPress folder permissions below. To resolve them, you will need to use either cPanel or FTP to access the backend of your website. There are tutorials above to set permissions for all files; you can use the same methodology to apply these fixes as well.
1. Unable to install a plugin or theme
If your file permissions are incorrect, you'll find it challenging to install plugins and themes. You are likely to come across an error message like
"The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions." or "Missing temporary folder."
Plugins and themes are stored in the wp-content/plugins and wp-content/themes folders, respectively.
To be able to install plugins and themes, both folders have to be writable. Go to the backend and set the following folder permissions for WordPress:
- Folder: wp-content/themes
  - Group and World: Read, Execute
  - User: Read, Write, Execute
- Folder: wp-content/plugins
  - Group and World: Read, Execute
  - User: Read, Write, Execute
2. Unable to upload a media file
When trying to upload an image or a video, you encounter this error: "Unable to create directory wp-content/uploads."
This means that your wp-content/uploads folder is not writable. It is where all your images and videos are stored. You need to set the following permissions:
- Folder: wp-content/uploads
  - Group and World: Read, Execute
  - User: Read, Write, Execute
3. Your cache plugin is throwing an error
When trying to clear the cache, you may encounter this message: "Error: Your cache directory () did not exist and couldn't be created by the web server. Check permissions."
When you install a cache plugin on your site, it creates files which are then stored in the wp-content/cache folder. With incorrect permissions, the plugin will run into the above error. Go ahead and set the following permissions.
- Folder: wp-content/cache
  - Group and World: Read, Execute
  - User: Read, Write, Execute
4. What is the proper permission for the wp-config.php file?
The proper permission for the wp-config.php file is:
- Group and World: Read
- User: Read, Write
wp-config.php is one of the most important WordPress files. Unlike the uploads folder, for example, you don't need to change wp-config.php often. Plus, an attacker who locates an openly readable wp-config.php file could extract the database login credentials from it and use them to inject malware. Hence it makes sense to remove write permissions for Group, and read and write permissions for World.
Was your wp-config file open to read? Then your website was vulnerable to attack. Scan your website now to check if malware has crept in without your knowledge.
What next?
While setting proper file permissions for WordPress is helpful, it won't secure your website in any major way. As we said earlier, the majority of hack attacks don't need access to your files and folders.
The surest way to ensure that your website is secure is to install a security plugin like MalCare. Hackers can't even reach your website without first encountering MalCare's firewall. Moreover, it protects your website on different fronts. For instance, your login page is a favorite target among hackers. The plugin will protect this page from brute force attacks.
Like to give MalCare a spin? Sign up now.
FAQs
1. What if you can't change the permissions?
If you can't change your WordPress file permissions, then you need to talk to your web host. Earlier, we mentioned that managed web host services like WP Engine and Pantheon restrict access to important WordPress files and folders.
You won't face any such problems in shared hosting or VPS hosting. That said, having such control over your server is a double-edged sword. Incorrect permissions can make your website insecure.
2. In a shared hosting environment, won't restricting permissions prevent other users from accessing your files?
In a shared hosting environment, other users can't view your files and folders. But this is not because of WordPress permissions. In shared hosting, while there are multiple websites on the same server, each website operates in an extremely restricted environment. One website won't even know if there is another website on the same server. Hence, one user cannot peek into the files and folders of another website.
3. What are the proper permissions for files like php.ini and php.cgi?
The proper permission for files like php.ini and php.cgi is to make them unreadable. You don't really need to access or make modifications to these files. That being said, there are certain caching or firewall plugins that need access to these files to be able to operate properly. Without correct WordPress directory permissions, those plugins will malfunction.
4. What are the proper permissions for the uploads folder?
The proper permission for the uploads folder is:
- Group and World: Read, Execute
- User: Read, Write, Execute
All media files go into this folder. You need to ensure that itβs writable.
5. What are these numbers 644, 755, etc?
These numbers represent different file permissions on WordPress.
Here's what they mean:
- 0: no access
- 1: execute
- 2: write
- 4: read
You can combine these numbers like this:
- 2+1 = 3, meaning write and execute
- 4+1 = 5, meaning read and execute
- 4+2 = 6, meaning read and write
- 4+2+1 = 7, meaning read, write and execute
Let's look at an example. Say you want to set permissions for the wp-content/uploads folder. You'd want the Group and World to read and execute, and the User to read, write, and execute. This is how the permissions would look in the number format:
- Group: Read, Execute = 4+1 = 5
- World: Read, Execute = 4+1 = 5
- User: Read, Write, Execute = 4+2+1 = 7
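The same arithmetic in code, as an added example that is not from the article: it composes the three-digit number from the permission names used above (the digits are written User, Group, World, so the uploads example becomes 755) and decodes a number such as 644 back into names and into the rwxr-xr-x form that ls -l and FTP clients display.

```python
# Added example (not from the article): FAQ 5's number system in code.
# Each of User, Group and World gets one digit, the sum of the values of the
# permissions granted, and the digits are written in that order (User first).
VALUES = {"Read": 4, "Write": 2, "Execute": 1}
WHO = ("User", "Group", "World")

def digit(permissions):
    """Sum the values of the named permissions: ("Read", "Execute") -> 5."""
    return sum(VALUES[p] for p in set(permissions))

def mode(user, group, world):
    """Compose the three-digit form from the permission names of each party."""
    return "".join(str(digit(p)) for p in (user, group, world))

def explain(mode_str):
    """Decode a number such as "644" into the names for User, Group and World."""
    if len(mode_str) != 3 or not all(c in "01234567" for c in mode_str):
        raise ValueError(f"not a three-digit permission number: {mode_str!r}")
    names = {}
    for who, ch in zip(WHO, mode_str):
        d = int(ch)
        # 4, 2 and 1 are distinct powers of two, so each digit 0..7 is exactly
        # one combination of the three permissions; test each bit separately.
        names[who] = [p for p, v in VALUES.items() if d & v] or ["No access"]
    return names

def symbolic(mode_str):
    """The rwxr-xr-x form shown by ls -l and FTP clients, e.g. 755 -> rwxr-xr-x."""
    out = ""
    for granted in explain(mode_str).values():
        out += "".join(letter if p in granted else "-"
                       for p, letter in (("Read", "r"), ("Write", "w"), ("Execute", "x")))
    return out
```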
When speaking of file permissions, the number system is a commonly used shorthand across all development environments.
6. Why not make all files and folders read-only?
In theory, making all your files and folders read-only will reduce the risk of making mistakes or getting hacked. Right? And to a certain extent, yes, that approach works.
There are certain types of hacks like Remote Code Execution which can be prevented by taking the read-only approach.
In fact, web host services like WP Engine and Pantheon restrict access to important WordPress files and folders to protect websites from hack attacks. Pantheon only keeps the wp-content/uploads folder writable.
That said, changing file permissions will do little to protect your website from a hack attack. In most cases, hackers don't need file permissions to be able to hack your site. Hence, changing file permissions will not save you from WordPress hacks like XSS attacks and SQL injection attacks, which constitute the vast majority of attacks.
Another major downside of going read-only is that you won't be able to add or update plugins, themes, and the WordPress core. You won't be able to upload any new media files.
Restricting access to files and folders can have many unintended consequences. Caching plugins and even firewalls need access to some of the files we listed above. Without the correct permissions firewalls and cache plugins will fail to function properly.