WordPress File Permissions: How to Set Them Up Correctly in 2023
Looking for the optimal WordPress file permissions? Or confused about what file permissions even exist and why you need to care about them in the first place?
Anyway, we have the answers for you in this post because we are going to cover everything you need to know about WordPress file permissions.
We explain what file permissions are and why they are important. Then we’ll tell you correct file permissions for WordPress and show you how to change file permissions via FTP.
📚 Table of contents:
⚠️ Note – If you already know what file permissions are and are just looking for the optimal configuration for WordPress, we recommend Click here to find the optimal permissions.
What are file permissions?
File permissions pretty much do what the name says – they control them Permissions with which different types of users can interact files on your website’s server.
For example, file permissions control whether a specific type of user can edit a specific file or folder on your server.
There are three specific permissions:
- read – be able to view/read the contents of a file without modifying it.
- To write – be able to edit/change a file.
- Carry out – be able to use/execute a file. For example running a script.
File permissions control what “users” can do, but it’s not quite like “users” in the WordPress sense. Instead, they are users on your web server, typically configured by your hosting provider.
There are three types of users:
- owner – the entity assigned as the owner of a file or folder.
- group – Entities that are members of a group that owns the file or folder.
- Public – all other users.
Again, your hosting provider is responsible for setting up these user types. If you don’t fully understand it, that’s okay. Non-developers don’t really need to understand these details – we’re only sharing them because these are terms you’ll see when you read about file permissions.
In total you have nine different permission configurations because there are three user types and each user type has three potential permissions:
- owner can Read Writeand or carry out.
- group can Read Writeand or carry out.
- Public can Read Writeand or carry out.
When configuring your site, you typically specify the owner most permissions followed by groupand then Public should always have the least privileges.
For example, a typical configuration for WordPress files looks like this:
- owner can to read and to write.
- group can to read.
- Public can to read.
Why are WordPress file permissions important?
Having the correct WordPress file permissions is important for the security and functioning of your website.
Setting your file permissions too permissively can pose a security problem as users may be able to modify or run files/folders they shouldn’t have access to. For example, they could use this to inject malicious code on your website.
But at the same time, if you make your file permissions too restrictive, your website may not function properly. If certain users can’t even read files on your server, your WordPress site isn’t working.
For example, file permissions that are too strict can often cause problems with WordPress plugins, as the plugin may not have permission to modify certain files that it needs to edit.
For this reason, you usually specify file users some Permissions, but not all.
Does everyone have to set their file permissions?
To be honest, no. Most people will never need to interact with WordPress file permissions.
Why? Because if you choose a quality WordPress hosting provider, they should automatically configure WordPress to use the optimal file permissions for that host’s environment.
I’ve been using WordPress for over a decade and have never had to manually mess with file permissions. That’s because I’ve always relied on my host to do things for me.
However, that doesn’t mean there aren’t situations where you might need to tweak. Things can get mixed up in weird ways and checking file permissions is an important step in fixing many issues like: B. the error “403 Forbidden”.
- If you’re using quality WordPress hosting and don’t have a specific reason to think about your file permissions, you probably don’t need to do anything.
- If you’re trying to debug a specific issue/bug, or you’ve recently migrated a site from a local development environment to live hosting, you may need to manually intervene with your site’s file permissions.
What do the different numbers in the file permissions mean?
File permissions are usually represented by a series of three numbers – e.g
644. You may also see letters and hyphens like
rw-rw-r--but this format is less common.
Each digit in the three-digit sequence corresponds to a specific user type:
- First Digit – owner.
- Second Digit – User accounts in the owner’s groups.
- Third Digit – Public.
Then each action is assigned a number:
- read – 4
- To write – 2
- Carry out – 1
The number in each place is then the sum of the actions that user type can perform. For example, if the number in the first digit is “6”, which means that the owner (first digit) can read (4) and To write (2) … 4+2 is 6, hence the digit is 6.
If a specific user type has all permissions, the number would be 7 (4+2+1).
777 is the most permissive mode. This means that all three types of users can perform all three actions.
However, you should almost never set permissions on WordPress files
777. It’s a huge security risk – unless you absolutely know what you’re doing, you should never point a file or folder to it
What are the correct WordPress file permissions?
Now that you understand what file permissions are, let’s go through the optimal configuration for WordPress.
But first – I have to state that some of this depends on your hosting provider and how your host configured your server.
When in doubt, we recommend always following your host’s advice as they will better understand the optimal configuration for their environment.
That being said, the file permissions we share below should work for the vast majority of WordPress sites.
We cover the optimal file permissions for four different areas:
- WordPress files
- WordPress folder
The last two files are sensitive, so they deserve special attention.
WordPress file permissions
All WordPress files should
644 File Permissions, with the possible exception of the two files we’ll single out below.
WordPress folder permissions
All WordPress folders should have
755 File Permissions.
WordPress wp-config.php file permissions
Your site’s wp-config.php file is one of the most sensitive WordPress files, so it deserves special attention.
However, getting the optimal permissions for the wp-config.php file can be a bit tricky as it depends on how your host has configured things.
Some hosts configure the wp-config.php file to be
644 like other WordPress files. This is true of some popular managed WordPress hosts I’ve tested.
However, the official WordPress Codex recommends
400 for the wp-config.php file. Some experts, like iThemes Security, recommend
Basically, you’ll see a lot of different options here. When in doubt, it’s always a good idea to ask your host for a recommendation based on their specific configuration. Or just start with it
Permissions for WordPress .htaccess files
The .htaccess file is another important configuration file that you may want to further restrict access to.
As with the wp-config.php file, some hosts configure the .htaccess file like this
644 like other WordPress files. This is also the configuration recommended by the WordPress.org Codex, so it’s a good place to start. This is because many plugins need to write to the .htaccess file, including many caching plugins.
Some experts, such as B. iThemes Security, but recommend using it
444 instead of this. Just keep that in mind when using
444 Your plugins cannot write to .htaccess, which can cause problems.
How to change file permissions
Now that you know what file permissions should be, let’s dive into how you can actually change your WordPress file permissions.
The easiest way to change WordPress file permissions is to use FTP and your favorite FTP client – I like it FileZilla because it’s free and open source. If your host uses cPanel, you can also use the cPanel file manager. However, I will focus on the FTP method in this section.
First, you should connect to your WordPress site server via FTP. If you’re not sure how to do this, check out our complete guide to WordPress FTP.
The following user interface screenshots are based on FileZilla – it may be slightly different with other FTP clients.
Once connected, navigate to the folder containing your WordPress site. This is the same folder that contains the wp-admin and wp content Binder.
To edit file permissions, right-click one or more files or folders and select File Permissions Possibility. For example, if you right-click the wp content folder, you can see that its permissions are
755what you want
If you need to edit the permissions, you can just type the numbers in the numerical value box and click on it OK:
To help you save time, FileZilla offers you the opportunity Recursion in subdirectories. Essentially, this allows you to apply the same file permissions to all files and folders Within the directory you selected.
However, remember that WordPress files and folders should have different file permissions, so make sure you use the sub-options Apply to files only or Apply to directories only.
For example, to immediately set the correct file permissions for all your folders, you could:
- Select all folders.
- Right-click and select File Permissions.
- Choose Recursion in subdirectories.
- Choose Apply to directories only (so you don’t change file permissions on files in the selected folders).
- click OK.
With this you can apply immediately
755 Permissions for all folders on your server. You can use the same idea to apply
644 Permissions for all files.
Get your WordPress file permissions today
Having the correct WordPress file permissions is important for the security and functioning of your website. That being said, most quality WordPress hosts will take care of configuring file permissions for you, so you typically don’t need to change them yourself.
You might have situations where you dowhich is why in this post we went through the optimal WordPress file permissions and showed you how to change them using FileZilla and FTP.
For more ways to secure your WordPress site, check out our Top WordPress Security Tips and Best WordPress Security Plugins posts.