Recommended File Permissions for WordPress

What permissions should I have for the following:

  1. Root folder storing all the WordPress content
  2. wp-admin
  3. wp-content
  4. wp-includes

On computer filesystems, different files and directories have permissions that specify who and what can read, write, modify and access them. This is important because WordPress may need access to write to files in your wp-content directory to enable certain functions.

Permission Modes

  7       5      5
 user   group  world
 r+w+x  r+x    r+x
 4+2+1  4+0+1  4+0+1 = 755

The permission mode is computed by adding up the following values for the user, the file group, and for everyone else. The diagram shows how.

  • Read 4 – Allowed to read files
  • Write 2 – Allowed to write/modify files
  • eXecute 1 – Read/write/delete/modify/directory

  7       4      4
 user   group  world
 r+w+x    r      r
 4+2+1  4+0+0  4+0+0  = 744

Example Permission Modes

Mode   Str Perms    Explanation
0477   -r--rwxrwx   owner has read only (4), other and group have rwx (7)
0677   -rw-rwxrwx   owner has rw only (6), other and group have rwx (7)
0444   -r--r--r--   all have read only (4)
0666   -rw-rw-rw-   all have rw only (6)
0400   -r--------   owner has read only (4), group and others have no permission (0)
0600   -rw-------   owner has rw only, group and others have no permission
0470   -r--rwx---   owner has read only, group has rwx, others have no permission
0407   -r-----rwx   owner has read only, other has rwx, group has no permission
0670   -rw-rwx---   owner has rw only, group has rwx, others have no permission

WordPress Recommended File & Folder Permission

The following rules are recommended for a default WordPress site:

  • For folders inside wp-content, set 0755 permissions:

    chmod -R 0755 plugins

    chmod -R 0755 uploads

    chmod -R 0755 upgrade

The default permission scheme should be:

  • Folders – 755
  • Files – 644

There are a number of ways to accomplish this change. There are also a number of variations on these permissions, including making them more restrictive. These, however, are the default recommendations. Check with your host before making permission changes, as they can have adverse effects on the performance and availability of your site.

Avoid having any file or directory set to 777.

You can read more about WordPress updates and file ownership on the Updating WordPress codex page.

Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

You can also do this via your favorite FTP/SFTP client.
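
A read-only audit to run before the chmod commands above, so you can see which entries would change and spot any world-writable (777/666-style) ones first. This is an added example, not part of the original page; the function names are hypothetical and the install path is whatever you pass as the argument.

```sh
#!/bin/sh
# Audit a WordPress tree against the 755 (directories) / 644 (files) scheme.
# Read-only: it reports findings and changes nothing.

# Entries writable by "world" (the 2 bit in the last octal digit), e.g. 777 or 666.
# find does not follow symlinks by default, so only real files/dirs are listed.
wp_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Directories that are not exactly 755 and files that are not exactly 644.
# This also lists stricter modes such as 600, which are deviations, not risks.
wp_perm_deviations() {
    find "$1" \( -type d ! -perm 755 -o -type f ! -perm 644 \) -print
}

# Print both lists; return 1 if anything is world-writable, 0 otherwise.
wp_perm_audit() {
    root=$1
    ww=$(wp_world_writable "$root")
    dev=$(wp_perm_deviations "$root")
    if [ -n "$dev" ]; then
        printf 'Not 755/644:\n%s\n' "$dev"
    fi
    if [ -n "$ww" ]; then
        printf 'World-writable (fix these first):\n%s\n' "$ww"
        return 1
    fi
    return 0
}

# Usage: sh wp-perm-audit.sh /path/to/your/wordpress/install/
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```

A non-zero exit status means at least one world-writable entry was found, which makes the script usable in a cron job or deployment check.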

The Difference Between 644 And 777

Let’s look at some permission modes and how they affect our website.

What would a PHP script with a permission mode of 644 mean? Following the explanation above of how permission modes work, we can decipher what this mode allows users to do with our script:

  • The owner’s privileges are “read” (4) + “write” (2) = 6
  • The owner’s group privileges are “read” (4) = 4
  • Everyone else’s privileges are “read” (4) = 4

In plain language, this means that:

  • if we own the script, we may read and modify it;
  • everyone else may only read it.

As we can see, 644 is a good permission mode for our PHP script. We can make changes to it, and our Web server can read it.

Now let’s look at folders. What if we owned a folder that had a permission mode of 777? This permission mode can be broken down as follows:

  • The owner’s privileges are “read” (4) + “write” (2) + “execute” (1) = 7
  • The owner’s group privileges are “read” (4) + “write” (2) + “execute” (1) = 7
  • Everyone else’s privileges are “read” (4) + “write” (2) + “execute” (1) = 7

This means that

  • anyone may get a list of file names in our folder;
  • anyone may create, modify and delete any file in our folder;
  • anyone may access the files in our folder.

It is obvious that 777 is a bad permission mode for anything on our WordPress website because any visitor would be able to add files to our directory or even delete scripts. Worse, anyone would be able to put in malicious code and compromise our website.

