Did you just hear about WordPress file permissions and are wondering if yours are set correctly? Or are receiving an error that you don’t have the right permissions? Either way, this is the right post for you.
File permissions are a very important part of protecting your website. They keep your site locked down while giving WordPress itself, its plugins, and other scripts the ability to modify what they need to.
But sometimes things can go wrong. Errors may pop up, or file permissions get changed to improper values. In that case, it’s helpful to know how WordPress file permissions work and how to use them.
That’s exactly what we’ll explain today. Below, you’ll learn all you need to know about file permissions, how change them, and best practices to keep your site functioning smoothly.
Understanding File Permission Levels
If you want to learn how to change file permissions in WordPress, you’ll need to understand the basics first. For that, we need to look into Linux permissions. Here’s a quick crash course on that topic.
Types of File Permissions
There are three main types of permissions files can have. You can set these not just for individual files, but entire directories/folders.
- Read (r) – This allows a user to view a file’s contents or the names of files within a directory.
- Write (w) – Write permission enables a user to modify the file’s content. They might also create, delete, or rename files within a directory.
- Execute (x) – Here, users may execute programs and scripts, or access a directory’s files and subdirectories.
Permission Groups
However, who exactly can have these permissions? In Linux, there are three groups of people who can access a file/directory.
- User (u) – Refers to the owner (usually the creator) of the file/directory.
- Group (g) – Several users that share common permission levels. Any user can be in one or more groups.
- Others, World, or Public (o) – Any users who are not the owner of the file and are not in a defined group.
For each of these, you can set different levels of permission. In WordPress, these are called user roles. For example, you wouldn’t want random website subscriber to have the same permissions as the administrator. That would be a recipe for disaster.
Symbolic and Numeric Notation
When you deal with file permissions, they are represented either in symbolic or numeric notation.
Symbolic notation uses the letters above to denote read (r), write (w), and execute (x) permission, or a dash for none. They are grouped in three sets of three with the first three letters referring to User (u) permissions, the next three to Group (g) permissions, and the final three to Others permissions (o).
Take this example: rwxr-xr--
Here, the User has full permissions (rwx), the Group has read and execute permission (r-x), and the Others group has only read permission (r–).
With numeric notation, each permission is instead assigned a value:
- Read (r) = 4
- Write (w) = 2
- Execute (x) = 1
These are added together to form a three-digit number representing permissions for User, Group, and Others.
Using the same example above, the User’s permission is 7 (r + w + x), the Group’s 5 (r + x), and Others’ 4 (r). That means, the same permission level’s numeric notation is 754.
File Permissions in WordPress
In the context of WordPress and websites in general, file permissions use the same principles as above. But there are also a few differences you’ll want to be aware of.
- File ownership – In a WordPress environment, files and directories are often owned by the web server process (www-data for Apache and nginx for NGINX) rather than individual users.
- Plugin and theme considerations – WordPress plugins may require read and write access to particular files and directories to function properly. Plugins usually use the Filesystem API to interface securely with your server.
- Some groups are already built in – As mentioned, WordPress uses built-in roles like Administrator, Editor, and Contributor. Contributors only have the ability to create and edit their own articles, not others. Functionally, this means they have read permission on all post/page files, and read/write permission on post/page files they create.
- Look out for shared hosting environments – Shared hosting can present issues with file permissions. Certain files may be locked down to prevent other users on your multi-website server from accessing sensitive data. You may find some files set to read-only even for administrators, requiring root access to edit.
The Dangers of Incorrect File Permissions
Now comes the question, why is this even important? Why should you care about this very technical-sounding topic?
The reason is that file permissions form the foundation of website security. Being too loose with them can seriously endanger your site in the following ways:
- Hacking and malware – Improper permissions can let hackers slip through and do basically whatever they want. That includes installing malware, viewing private files, or deleting your site.
- Site takeover – If someone manages to break into your website thanks to lax permissions, they could easily take ownership of your account and lock you out of your own website.
- Data leakage – Improper permissions could result in visitors gaining access to private files, including images, unfinished/test/draft pages, and confidential data.
- Improper file access – Certain permissions may allow users to change existing files on your website, or upload and execute damaging files like malware scripts.
But it’s not just about too much access, it can also be too little. Making your permissions too restrictive will inevitably break your site by preventing WordPress from functioning properly. It’s a fine line between too much and not enough with file permissions.
WordPress File Permission Best Practices
Before you start combing through your website files looking for anything out of place, it’s important to know what a good practices for file permissions look like WordPress. So, let’s go over that now.
Don’t Change Permissions Unless Necessary
The first thing that’s important to keep in mind is that, in most cases, you won’t need to change file permissions. If you are using a good hosting provider and install WordPress properly, this part of your site should be set up in the correct way automatically.
So, unless you’re running into a specific WordPress error, don’t touch your file permissions, especially if you don’t know what you’re doing. Messing with settings you don’t understand can cause more harm than good.
Some web hosts, especially shared hosts, may make some permissions more restrictive due to the nature of the hosting. If you’re having a problem with insufficient permissions, it may be best to contact your host and ask for help.
Recommended Permission Levels
If you do run into a problem and you’re not sure what permission settings your files and directories should be on, there is information for that in the official WordPress documentation.
Below is a quick rundown of generally recommended permissions for various files and folders. However, remember that this varies depending on your setup.
- Directories – 755 (rwer-er-e). For your server to work properly, most directories need execute permissions.
- Files + .htaccess – 644 (rw-r–r–). This allows users to see public files on your website without being able to edit them. Most files should only be writable by your user account.
- wp-config.php – Varies; 400 (r——–), 440 (r–r—–), 600 (rw——-), or 640 (rw-r—–) may be appropriate depending on site setup and security needs. The most important step is to prevent random visitors from accessing this important file.
Don’t Be Too Restrictive
Finding the right balance with file permissions can be stressful, but you can’t just set them all to “000”. While your site would be very secure, at the same time, no one would be able to use it.
Functions on your site, from your web server to plugins to WordPress itself, naturally need some access to specific files and directories to continue functioning properly. Even visitors, who should not be given write or execute access to a majority of files, need to at least be able to “read” the public-facing parts of your site.
It can be tempting to clamp down on file permissions, but you can do some serious damage. When plugins and functions stop working, a plethora of warnings will appear on your dashboard. You could even cause your website to encounter the dreaded White Screen of Death if you’ve severed WordPress’ access to core files.
Use the Principle of Least Privilege
The principle of least privilege states that users (including your web server and WordPress itself) should be given just as much access as what’s necessary to do their jobs.
Granting “root” ownership means giving full control and access to the entire system, which is usually excessive. If a hacker gains access to a WordPress site with root privileges, they could potentially wreak havoc on the entire server.
Instead, the owner of most files should usually be your web server user, usually nginx (NGINX) or www-data (Apache), both of which only have the permissions necessary to function properly. This limits the damage bad actors can cause.
There are some situations where root ownership is necessary, so you shouldn’t go changing permissions if you don’t understand what you’re doing. At the same time, seeing it can be a cause for concern – especially if you notice that a file or directory owner has suddenly changed.
In any other situation where you may be creating files or assigning owners, follow the principle of least privilege. Don’t hand out excessive read, write, or execute permissions. Most files you create on your server will not need root ownership.
Back Up Your Website
Before you touch any sensitive settings on your website, it’s best practice to back up both your website and database files.
Things can easily go wrong when modifying file permissions, so this provides a safety net. If you accidentally break something on your website, you can just roll back your server.
Never Use 777
Setting any file or directory permissions to 777 is basically giving everyone in the world free reign over your website.
This grants any random visitor the ability to view files, edit and delete them, upload potentially malicious programs, and execute scripts. Obviously, this is a terrible idea.
While it may seem benign to give full permissions to just one file, a savvy hacker can easily use this to execute a malicious script or escalate their privileges and worm their way deeper into your server. So just don’t do it.
How to Change WordPress File Permissions
Now that we’ve covered the best practices for file permissions, let’s learn how to change these in various server setups.
cPanel or Dashboard
Most web hosts offer access to cPanel or some custom dashboard. You’ll want to check your hosting provider’s documentation, but within cPanel you can generally go to the File Manager, then right click any folder or file and click Change Permissions.
FTP/SFTP
You can also change permissions using FTP/SFTP access. Start by installing an FTP client like FileZilla and log in to your server. Right click any file or folder and select File permissions…
Then, enter the numeric value or just tick the boxes you want to set.
SSH/Command Line
For this step, use a command line access tool. This is usually provided by your web host. You’ll want to use the cd command to navigate to the directory of whatever file or subdirectory you wish to change. For example:
cd public_html/example_folderYou can then modify the permissions of a file or subdirectory in this folder using the chmod command.
chmod 755 example.htmlYou can also recursively set permissions for an entire directory at once, but be careful when doing this.
chmod -R 755 example_subfolderUse a Plugin
Some security plugins will allow you to easily switch file permissions from the dashboard. One example is All-In-One Security (AIOS). With this, you can change file permissions, identify insecure file permissions, and fix issues in one click.
Common File Permission Errors in WordPress
Finally, let’s take a look at a few common file permission errors in WordPress and what causes them.
- 403 Forbidden (You don’t have permission to access on this server) – You’ll see this error if you try to access a file when you lack read permission. For example, visitors will encounter this if they try to access unpublished articles or pages. You may want to check your permissions if you’re seeing this as the administrator.
- Required file permissions missing – Certain plugins may throw up this error. This may be caused if your website files are not owned by nginx or www-data.
- You need to make this file writable before you can save your changes – You’ll see this in the WordPress editor if you lack write access to certain files.
- Permission denied. Error code: 3 – This error appears when trying to modify or upload files to your website. The causes vary, including website files being owned by root instead of nginx or www-data, needing root access, or simply lacking read/write permissions.
- Installation failed: Could not create directory – If you see this when installing or updating themes and plugins, it means that WordPress does not have write permission to the directory it’s trying to use.
Proceed With Caution When Changing WordPress File Permissions
File permissions are a very important part of maintaining website security, so you shouldn’t change them lightly. One small tweak could break your website, or let hackers more easily slip through.
But it’s good to know how these permissions work, especially if errors start cropping up. Now you know what to do – and especially what not to do – if ever you need to change your WordPress file permissions.
Did you manage to fix a WordPress file permission error? Share your experience in the comments and help others with the same problem!
