File permissions are not on the minds of many beginners. When looking for ways to protect WordPress, most of them try installing security plugins, hardening the login, backing up the site, and so on, while few think of securing their files with the proper permissions.
However, if you want to dig deep into WordPress security, you have to fully understand which file permissions to use so as to protect your file system from being compromised by hackers.
This tutorial will deliver a clear understanding of file permissions, analyze their importance, present the proper WordPress file permissions to use, and introduce easy ways to change the permissions assigned to your files and directories. Hopefully, these details will help you improve the security of your WordPress site.
How to Understand File Permissions?
As the name indicates, file permissions are the permissions attached to a file that determine who can do what with it. In terms of the “who”, there are three user groups:
- User – The user that owns the file (in most cases this means you, the owner of the WordPress site).
- Group – The group of users that have been granted access to the file, for example, your site members.
- World – Anyone else with an internet connection, including your site visitors.
Then, regarding the “what”, there are three actions each user group can take on a file or directory:
- Read (4) – The ability to view the contents of a file or list the file names in a directory.
- Write (2) – The ability to write to and modify a file. For directories, this means the ability to add and delete individual files in the directory.
- Execute (1) – The ability to execute a file and run the scripts in it. For directories, this means the user is allowed to enter the directory and access the files contained in it.
As you can see above, each action is given a digit value, and this is why file permissions are usually displayed as a three-digit number string such as “755” or “644”. To understand such a string, you first need to know that the three digits represent the permissions for the three user groups.
- The first digit indicates the access granted to “User”.
- The second digit indicates the access granted to “Group”.
- The third digit indicates the access granted to “World”.
For each user group, the permission digit is the sum of the values of the actions granted. Below are all the possible combinations of actions and their values; the higher the value, the more permissions the user gains. Note that 1, 2 and 4 are omitted here as they have already been explained.
- 0 – The user is given no access to the file.
- 3 (2+1) – The user can write and execute the file. This value is listed here only for completeness; it is not actually used in real life.
- 5 (4+1) – The user can read and execute the file.
- 6 (4+2) – The user can read and write the file.
- 7 (4+2+1) – The user has full privileges over the file: reading, writing and executing it.
Therefore, the maximum file permissions you can give are 777, which means everyone, including the “User”, “Group” and “World”, can do whatever they like to the file, while the least practical access (000 would be nonsense, since it locks everyone out) is 444, with which all files can only be read.
If you are still a little confused about how file permissions are granted, the example below should help.
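As an added worked example (this code is not part of the original article), the following Python script implements the scheme described above: each digit is the sum of read (4), write (2) and execute (1), and the three digits belong to User, Group and World in that order. It decodes a numeric string such as “644” into the actions each group gets, converts between the numeric form and the “rwxr-xr-x” form shown by `ls -l`, and flags the world-writable case the rest of the article warns about. All function names are this example's own.

```python
# Added example: decoding and composing numeric file permissions.
# Implements the read=4 / write=2 / execute=1 scheme for the three user
# groups (User, Group, World). Not code from the original article.

ACTIONS = (("read", 4, "r"), ("write", 2, "w"), ("execute", 1, "x"))
GROUPS = ("User", "Group", "World")  # order of the three digits in "755"


def decode_digit(digit: int) -> list[str]:
    """Return the action names granted by one permission digit (0-7)."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit must be 0-7, got {digit}")
    # Each action is a distinct bit, so a bitwise test recovers the sum.
    return [name for name, value, _ in ACTIONS if digit & value]


def explain(mode: str) -> dict[str, list[str]]:
    """Map each user group to the actions a 3-digit mode such as '644' grants."""
    if len(mode) != 3 or not mode.isdigit():
        raise ValueError(f"expected a three-digit mode like '755', got {mode!r}")
    return {group: decode_digit(int(d)) for group, d in zip(GROUPS, mode)}


def to_symbolic(mode: str) -> str:
    """Render '755' as 'rwxr-xr-x', the form `ls -l` prints."""
    explain(mode)  # reuse the validation
    out = []
    for d in mode:
        digit = int(d)
        out.append("".join(sym if digit & value else "-" for _, value, sym in ACTIONS))
    return "".join(out)


def from_symbolic(perms: str) -> str:
    """Render 'rw-r--r--' as '644' (the inverse of to_symbolic)."""
    if len(perms) != 9:
        raise ValueError("expected nine characters like 'rw-r--r--'")
    digits = []
    for start in range(0, 9, 3):  # one three-character chunk per user group
        value = 0
        for (_, bit, sym), ch in zip(ACTIONS, perms[start:start + 3]):
            if ch == sym:
                value |= bit
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {perms!r}")
        digits.append(str(value))
    return "".join(digits)


def is_world_writable(mode: str) -> bool:
    """True when the World digit includes write (2): the exposure to avoid."""
    explain(mode)
    return bool(int(mode[2]) & 2)


if __name__ == "__main__":
    for sample in ("644", "755", "600", "604", "777"):
        groups = "; ".join(f"{g}: {' + '.join(a) or 'none'}" for g, a in explain(sample).items())
        flag = "  <-- world-writable!" if is_world_writable(sample) else ""
        print(f"{sample} = {to_symbolic(sample)}  ({groups}){flag}")
```

Running the script prints one line per common mode, e.g. `644 = rw-r--r--  (User: read + write; Group: read; World: read)`, which is exactly the reading the digit table above describes.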
Why Are the Proper File Permissions Important?
Theoretically, you can assign whatever permissions you like to your files and directories. However, you must be careful when making modifications, because file permissions are crucial both to your site's security and to the proper functioning of some WordPress features and plugins.
If you give the “Group” and “World” excessive permissions to your website files, you run the risk of exposing your WordPress site to hackers and attackers, because they can easily gain access to your files, modify them, and damage your site in a short time. Keeping permissions to the minimum possible is important for protecting your WordPress site from hacks.
However, if you give all files the same minimal permissions, for example 444, you will run into problems as well. A good example: when installing themes and plugins, WordPress needs to access and write files in the /wp-content/ directory. If the needed permissions are not granted, you will have to upload the theme/plugin files manually.
In conclusion, to guarantee both site security and WordPress functionality, the file permissions must be appropriate. The question then is: what permissions are considered “appropriate”?
What File Permissions to Use for WordPress?
File permissions may differ from one server to another depending on the server settings. If you installed WordPress carefully, it is likely that your files and directories already have the proper permissions to work. In that case, you had better not mess with the permissions.
However, if errors occur on your site due to improper file permissions, you will need to check the permissions assigned to your files and directories to make sure they are not causing the trouble. To save time and effort, you can simply make the following changes to fix the common problems.
- Set the permissions for files to 644.
- Set the permissions for directories to 755.
If you want to go further and modify the permissions of some important WordPress files to harden security, here are the suggestions.
- wp-config.php – The default permissions are 644, but you can lock the file down to 600 so that no one except the owner can access it.
- .htaccess – The recommended permissions are 644, since WordPress needs to read and update it, but you can still try 604 to make the file more secure.
- The /wp-admin/ and /wp-includes/ directories should always be writable by the “User” only. Do NOT give write permission to anyone else.
Another important thing to remember: never use 777, the most dangerous permissions of all, for any file or directory.
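To show how the 644/755 rule and the hardening suggestions above translate into a check you can run against a site, here is an added Python audit script (not the article's own code, and not a WordPress tool). It assumes a Unix-like host, builds a small constructed WordPress-like tree in a temporary directory with a few deliberately wrong modes, reports every entry that deviates from the policy (files 644, directories 755, wp-config.php 600, nothing world-writable), and then applies the policy. Point `audit()` at your real document root instead of the sample tree to use it for real; the `.htaccess` 604 option is left out of the policy here because the article presents it as optional.

```python
# Added example: audit a WordPress tree against the permission policy
# described in the article (files 644, directories 755, wp-config.php 600,
# never 777 / world-writable). Not code from the article or from WordPress.
import os
import shutil
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o644
DIR_MODE = 0o755
# Hardened values keyed by path relative to the document root.
HARDENED = {"wp-config.php": 0o600}


def mode_of(path: Path) -> int:
    """Return only the permission bits (e.g. 0o644) of a path."""
    return stat.S_IMODE(path.lstat().st_mode)


def audit(root: Path) -> list[tuple[str, str, str]]:
    """Walk the tree and return (relative path, actual, expected) for each deviation."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # symlink modes are not meaningful on most systems
        rel = path.relative_to(root).as_posix()
        expected = DIR_MODE if path.is_dir() else HARDENED.get(rel, FILE_MODE)
        actual = mode_of(path)
        if actual != expected:
            findings.append((rel, f"{actual:03o}", f"{expected:03o}"))
    return findings


def world_writable(root: Path) -> list[str]:
    """List entries whose World digit includes write: the exposure the article warns about."""
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*"))
            if not p.is_symlink() and mode_of(p) & stat.S_IWOTH]


def fix(root: Path, dry_run: bool = True) -> list[str]:
    """Apply the policy to every deviation; return the chmod operations planned or done."""
    ops = []
    for rel, _actual, expected in audit(root):
        ops.append(f"chmod {expected} {rel}")  # same effect as running chmod by hand
        if not dry_run:
            os.chmod(root / rel, int(expected, 8))
    return ops


def build_sample_tree() -> Path:
    """Constructed sample: a tiny WordPress-like layout with some bad modes."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-admin").mkdir()
    (root / "wp-content" / "uploads").mkdir(parents=True)
    files = {
        "index.php": 0o644,                 # fine
        "wp-admin/admin.php": 0o644,        # fine
        "wp-config.php": 0o644,             # default value; policy wants 600
        "wp-content/uploads/a.jpg": 0o666,  # world-writable file
    }
    for rel, mode in files.items():
        target = root / rel
        target.write_text("<?php // constructed sample file\n")
        os.chmod(target, mode)
    os.chmod(root / "wp-admin", 0o755)
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)  # the value never to use
    return root


def demo() -> dict:
    """Build the constructed tree, audit it, apply the policy, re-audit, clean up."""
    root = build_sample_tree()
    try:
        before = audit(root)
        exposed = world_writable(root)
        planned = fix(root, dry_run=True)
        fix(root, dry_run=False)
        after = audit(root)
    finally:
        shutil.rmtree(root)
    return {"before": before, "world_writable": exposed, "planned": planned, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the sample run, `before` lists wp-config.php (644 instead of 600), the uploads directory (777 instead of 755) and the uploaded file (666 instead of 644); `world_writable` singles out the two entries a visitor could modify; and `after` is empty once the policy has been applied. The dry-run list is equivalent to what you would type as `chmod` commands over the command line.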
How to Modify the File Permissions?
There are multiple ways to do this: using cPanel, an FTP client, or the command line (the chmod method). However, since the command line is suitable for experienced WordPress users only, we will introduce the two simpler ways below.
Note: Unix-style file permissions exist on Unix and Linux servers only. You will not find them if your WordPress site is set up on a Windows server.
Use cPanel to modify file permissions
If you use the file manager included in cPanel to manage your files, you can follow the steps below to check and modify the permissions of your WordPress files and directories.
- Log into your cPanel account.
- Open “File Manager” and navigate to the file/directory you want.
- Right-click the file/directory and click “Change Permissions”.
- In the popup, check the permissions, or modify them as you want by ticking/un-ticking the checkbox for each action. Finally, click “Change Permissions” to save the changes.
Use an FTP client
Changing file permissions with an FTP client is also very easy. Let’s take FileZilla as an example. Once a connection is established, locate the file or directory, right-click it, and select the “file permissions” option at the bottom of the menu to open the permissions dialog.
In the popup, you can change the permissions either by ticking the box for each action under each user group, or by entering a number string in the “Numeric value” field.
If you do not want to keep the changes, FileZilla also lets you revert to the default permissions by entering “xxx” as the numeric value.