WordPress file permissions play an integral role in the overall security of your WordPress website, which is why you should be sure to get them right. In this post, we’ll cover eight things to know about WordPress file permissions, including what they mean, how they’re determined, and recommendations.
Whether you’re a blogger or business owner, the simplicity of WordPress means that it is the most popular CMS system by far. If you are going to use the platform, though, you should give WordPress security the attention it deserves. While there are many different factors to consider, setting up the correct file permissions should be one of the top items on your agenda.
What are WordPress File Permissions?In a nutshell, WordPress file permissions determine who can access the files on your WordPress site. File permissions are essentially a way to organize and manage files and folders that live on your website’s server (where your website resides).
8 Things to Know About File Permissions
When it comes to understanding and setting up file permissions on your WordPress site, there are a few important things to know.
1. File Permissions Impact Your Site’s Security
The first thing to understand about file permissions is how they impact your website’s security. Failure to set file permissions correctly can put your WordPress website and your site’s visitors at significant risk.
Without the right file permissions, hackers can gain access to your admin account and potentially your entire server. This may allow them to read, write and execute sensitive files, including the addition of malicious codes that run malware inside the backend of your site.
On a separate note, if your WordPress site is used by several users (such as contributors of blog posts or news pieces), the right file permissions prevent the threat of internal mistakes (honest or otherwise) while also offering a layer of protection for them against attackers too.
While file permissions aren’t the only key element of WordPress security best practices, they ensure the right execution of files, making them a key aspect of the site’s function.
2. Read, Write & Execute: How File Permissions are Determined
Servers consist of directories (or folders) and files. Permissions can be created that dictate who can “read (r)”, “write (w)”, and “execute (x)” a specific file and/or directory. There are slight differences between rwx permissions when it comes to file permissions versus directory permissions.
File Permissions Codes
- Read (r) permissions declare if the user has authority to read the file.
- Write (w) permissions declare if the user has the authority to write or modify the file.
- Execute (x) permissions declare if the user has the authority to run the file and/or execute it as a script. It is important to note that a file is not granted delete permissions.
Directory Permissions Codes
- Read (r) permissions declare if the user has the authority to access the contents of the identified folder/directory.
- Write (w) permissions declare if the user has the authority to add or delete files that are contained inside the folder/directory.
- Execute (x) permissions declare if the user has the authority to access the actual directory and perform functions and commands, including the ability to delete the data within the folder/directory.
3. File Ownership
Now before we dive into understanding the proper permissions that should be set for a WordPress site, it is important to learn about the different forms of ownership of a file.
- The user who is the owner of the file and/or the user that created the file is known as the User.
- The user or users who belong to a group the file and/or directory is part of is known as the Group. A group is a defined classification of a set of users. An example of a group might be users that have access to FTP.
- The user or users who are not an owner and do not belong to an identified group are known as Others.
Take a look at the illustration below to see how these ownership roles and permission settings come together to declare who has what authority to do or see something relating to the files on your server.
4. File Permission Numbers and Codes: What They Mean
It may be helpful to understand that there is a method to the madness in the numbers that appear as part of the permissions settings. Those numbers relate to the read, write, and execute permissions. These point values are actually derived from the binary system that are foundational to computer systems (1s and 0s).
- Read (r) permissions have a point value of 4
- Write (w) permissions have a point value of 2
- Execute (x) permissions have a point value of 1
No matter what combination of read, write, and execute permissions you assign to a file or directory, it is easy to figure out what of the three permissions have been assigned. For example:
- If you see the number “6“, you automatically should know that the ONLY numbers (4, 2, 1) that you can combine to get the value 6 are the numbers 4 and 2. Therefore the number 6 represents the read and write permissions being assigned.
Now in that image above, you will see that file and directory permissions come in 3-digit numbers. This is where the ownership comes into play. The first number refers to the User. The second number refers to the Group. And the final number refers to Others.
So now we can break down the file permission number of 644 to be as follows:
- The owner of the file can read (r) (4 value) and write (w) (2 value) for a total of 6 value.
- The group that is attached to the file can only read (r) (4 value) for a total of 4 value.
- Everyone else can only read (r) (4 value) for a total of 4 value.
So when you see the number 7, you should immediately know that all three permissions (4+2+1) have been granted to that ownership group. If you see the number 3 then you know that for some strange reason someone set the permissions of the file to have writing and executing permissions (2+1) but no ability to read the file.
5. Understanding Common File Permission Codes
Just like the example in the previous section, a string of three numbers is often used to indicate file permissions. Specifically, when using the chmod, octal numbers are used.
Some of the most common file permission numbers include:
- 755 means that the owner can do anything while others can read and execute but may not alter the file. This is ideal for public files.
- 644 means you can read and write while others can read only.
- 711 means that the only can do anything with the file while others can only execute.
- 700 means that you can do anything while others have no access. This is best used for private directories and items within the backend.
- 600 means that you can read and write while other users have no access. This is ideal for private text files.
- 444 means that everyone can read.
Here’s how to understand how file permission numbers are set:
- The first number is for the user.
- The second is for group.
- The third is for other.
These eight numbers are used to express permissions:
- 0 for no permissions
- 1 for execute
- 2 for write
- 3 for execute and write
- 4 for read
- 5 for execute and read
- 6 for write and read
- 7 for execute, write, and read
Combining these numbers in the specific order gives you the three-digit numbers you’ll see when setting file permissions.
6. How to Configure WordPress File Permissions: FTP and cPanel
Before actively setting file permissions, you must first know which client you use for the management of your website’s files. There are commonly two main solutions: FTP and cPanel.
Using an FTP client, you’ll want to set the permissions of the file or folder by using chmod or set permissions from the menu. Simply open the files and folder. From there, the Permissions column will be clearly indicated.
On each file, a sequence of letters and hyphens are displayed. In characters, you can see any (singular or combined) of the following. Again, to recap, these letters represent the following actions:
- The letter ‘r’ to indicate the user can Read the file,
- The letter ‘w’ to indicate the user has Write permissions,
- The letter ‘x’’ to indicate the user may Execute permissions.
- A hyphen ‘-’ to indicate no permissions.
They will be presented in a certain way to show the settings for individual groups and users. From the menu on the FTP client, simply click Set Permissions to make the necessary changes.
Using cPanel’s file manager is equally easy. Once inside the portal, you can click Change Permission to bring up a popup box that shows a number of checkboxes. From here, you simply need to tick and untick the right permissions for the appropriate users and groups in relation to each file and folder.
7. WordPress File Permission Recommendations
When handling your WordPress site, there are a number of different file types and folders that may require alterations to the permissions for internal and external security measures.
WordPress File Permission Suggestions
Correct File Permissions for the wp-content Folder
The WP-content folder houses the data relating to the themes, plugins, and uploads to your WordPress account. Editing the files within this folder will significantly impact the website, making it a target for prospective hackers.
Setting the permission of the folder so that only the owner can write and execute permissions is vital.
To do this, set the wp-content folder permissions to 755 and the files inside to 644 to provide the right protection against unauthorized access.
Correct File Permissions for wp-includes
The WP-includes folder stores the core files needed for the API and functioning of your site.
The wp-includes folder needs to be set to 755.
Correct File Permissions for Folders
Setting to a 755 is usually the best option for all other folders as this gives you full access while the access to others is limited.
Correct File Permissions for wp-config
The wp-config file is where base configuration and database connection information are stored, making it one of the most important files of all.
Use a 444 permission to users and groups to read the file but not write or execute. This is also the right permission choice for the PHP file within the Wp-root.
8. How to Use the iThemes Security Plugin to Check Your WordPress File Permissions
iThemes Security is a WordPress security plugin designed to harden and lock down your WordPress site. The File Permissions setting lists file and directory permissions of key areas of the site.
From the iThemes Security plugin menu, visit the Settings page, then click Tools. Locate the Check File Permissions section.
Click the Run button to see your file permission. iThemes Security will then give you a report of the status of your permissions.
Wrapping Up: WordPress File Permissions Explained
Protecting your WordPress site with the right security is absolutely vital. With the right file permissions set, you can be sure that your website isn’t open to attacks caused by unauthorized edits to files. Likewise, users won’t accidentally cause problems by making simple errors.
When your file permissions are supported by the other WordPress security best practices, such as having a WordPress security plugin like iThemes Security, your WordPress site will carry greater protection than ever.
The Best WordPress Security Plugin to Secure & Protect WordPress
WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
Each week, the team at iThemes team publishes new WordPress tutorials and resources, including the Weekly WordPress Vulnerability Report. Since 2008, iThemes has been dedicated to helping you build, maintain, and secure WordPress sites for yourself or for clients. Our mission? Make People’s Lives Awesome.