WordPress file permissions play a vital role in securing your site. Setting them up properly should be the first thing to do after installing WordPress. Having the wrong set of permissions can result in different errors – white screen of death while loading a certain page, error message while trying to upload images to the media folder and so on. Apart from that, wrong file/ folder permissions can also compromise your website and make it prone to attacks. In this article, we will look at how to set up the right file permissions for your site. But before getting into that, let us remind you to take backups. So that if something goes wrong when you are changing file permissions, you can quickly restore your site back to normal. And if you are not using a backup service, then check out this backup plugin guide to choosing the best WordPress backup plugin.
WordPress has a well-defined folder structure with wp-content, wp-admin, and wp-includes being the most important ones. Almost all the components that make up your site such as themes, plugins, images, etc are stored within these folders. Each folder is associated with a set of permissions that allow site owners to determine “who” can access “what” within them.
Users and Groups
Before proceeding further we need to understand users and groups, as they go hand in hand with permissions. A user is simply an account that has access to the computer (or web server). For instance, you connect to your WordPress website using SFTP to upload a file to the site. When you do this, you are using an SFTP user account.
A group denotes a set of users. A user can belong to one or more groups. A group is needed when you want to assign privileges for a specific resource (e.g. a folder) and share it among a set of users. Just like the SFTP user account using which you can transfer files from/to the server, you also have the web user which is used to serve pages on the site. When you upload a media file or install a new plugin using the WordPress dashboard, it is this web user that creates the underlying files. Some cPanel based hosting like Hostgator and Bluehost don’t distinguish between the two. However, on hosts like WPEngine, these user types are distinct (but belonging to the same group). Users and groups together give you the ability to configure the right access control for your WordPress site.
Every file in WordPress has an owner user and owner group. Any given user will have one of the following associations with a file –
- User may be the file owner (owner)
- User may belong to the group that owns the file (group)
- User may neither own the file nor belong to the group that owns it (others)
WordPress File Permissions
Every file in WordPress is associated with a set of permissions. Permissions dictate what users can do with a file. There are three things you can do with a given file – read, write (or modify), and execute. For every file, you can specify which of these actions can be performed by the owner, group, and others. So we need three bits (one for each action) for each relationship, thus adding up to a total of 9 bits. A file permission thus becomes a three digit number, e.g. 644
Just like files, directories too have permissions associated with them. However, permissions take on a different meaning for directories. Here’s what read, write, and execute permissions correspond to for a directory –
- read determines if a user can view the directory’s contents
- write determines if a user can create new files or delete files in the directory (a user with write access to a directory can delete files in the directory even if he/she doesn’t have write permissions for the file!)
- execute determines if the user can get into the directory (e.g. using the cd command in a terminal)
Using the right permission modes plays a vital role when it comes to security. For instance, a file like wp-config.php should have its permissions set to 600 (read-only). Supposing this is changed to 666, anyone can view and modify the contents of your configuration file which can easily break or compromise your site.
Changing WordPress File Permissions
Your host’s cPanel provides an interface that you can use to modify file and folder permissions. Just right-click on a specific file and choose Change Permissions.
If you like to work with a terminal, you could also use the chmod command to alter permissions. chmod 644 <file>
Permissions for WordPress
It’s now time to adjust the permission modes of the files and folders on your WordPress site. As a rule of the thumb, all you need to do is remember the following:
- All files should be 664
- All folders should be 775
- wp-config.php should be 660
Here’s what we’re trying to achieve with this set of permission modes:
- Users may read and modify our files
- WordPress may create, modify or delete files and folders
- Other people must not see our database credentials in wp-config.php
The best way forward is to make the entire site read-only. That way hackers will find it very difficult to modify files or upload malicious scripts. This will greatly reduce the scope for attacks on your site. However, making everything read-only will result in a lot of usability issues. You won’t be able to upload media or add new plugins and themes to your site. Under some circumstances having very strict permissions also results in strange WordPress errors while upgrading WordPress or a plugin. Hence, following the recommended defaults for WordPress files and folders works best for most users. Even in the odd case where you are required to relax this condition, you must revert back to its original permissions on completing the task at hand. We looked at how file permissions can make a big difference to tighten your site’s security. Apart from these steps, you can also refer to our article on how to use the htaccess file to restrict file access.
Before ending this article, we’d like to reiterate the importance of backups. Writing an article with or without jargons will amount to nothing if you lose the articles. Misfortunes can happen to anyone which is why it’s advisable that you take WordPress backups. So that, on occasion of a misfortune, you can always restore your site back to normal.