WordPress file permissions: A beginner’s guide
This article explains how to set the correct WordPress file permissions for files within a WordPress installation. Readers of this article should have a good understanding of how Linux file permissions are configured, as discussed in the following article:
What are the general directory and file permissions recommended for WordPress?
Generally, WordPress directory permissions should be set to 755, and most WordPress file permissions should be set to 644. WordPress also recommends you set these file permissions for your site. With these file permissions set, the WordPress auto update functionality will work correctly.
Why is the default directory permission 755 and default file permission 644 in Linux?
The directory permission 755 means that the owner and anyone else on the system can see inside the directory. Any user can execute a program inside the directory as needed. The file permission 644 means that the owner can read and write the file, and all other users on the system can only read it.
WordPress file permissions: changing permissions
One of the first items to consider is the WordPress hosting environment for your site. If you are running Linux, there are two main environments:
- (Preferred) PHP scripts execute using mod_php or an equivalent, and all scripts are executed as the web server user. This means that when your script is running, it can sometimes read at the same privilege level as the web server. This could allow cross-account snooping in shared hosting configurations, and is not ideal in a shared environment, especially for ecommerce. If the permissions are configured correctly, it provides an extra level of security provided by Linux. A majority of our shared WordPress OBP plans provide this environment, and it is preferred given that it provides user-based permissions isolation so stricter file permissions can be used.
- PHP scripts execute as the user who owns the files via an intermediate construct such as suPHP, PHP suEXEC, PHP-FPM, and so on. In this case, your scripts run as you, and this is overall a more secure configuration when running on a shared server. Here at Liquid Web, this is the most commonly used environment.
WordPress file permissions: Linux permissions
WordPress file permissions: 644 permissions
The Linux permissions for all files in your WordPress base directory should be set to readable and writable by the owning user (you), and readable only by everyone else. This creates a baseline where the web server can read all files. It will need read access in order to serve static content like images, CSS, and JavaScript files. Unlike the method above, we will be adjusting script permissions to be more stringent later on:
find </path/to/wordpress> -type f -exec chmod 644 {} \;
WordPress file permissions: 640 permissions
If possible, the permissions for all files should be set to readable and writable by your user, readable by the group, and no permissions for others. In some instances this may cause issues with other software or plugins, but it is possible to restrict these permissions in some instances:
find </path/to/wordpress> -type f -exec chmod 640 {} \;
WordPress file permissions: 711 permissions
Change the Linux permissions for all directories in your WordPress base directory to listable, file editable, and navigable for the owning user and simply navigable for everyone else:
find </path/to/wordpress> -type d -exec chmod 711 {} \;
WordPress file permissions: 755 permissions
In some cases, you may find that some plugins require the wp-content folder to be made writable. Change the permissions of the wp-content folder and all subfolders:
find </path/to/wordpress/wp-content/> -type d -exec chmod 755 {} \;
WordPress file permissions: 600 permissions
Lock down permissions for all PHP scripts so that only your user can read them. This is ideal because only your user should need to know the contents of scripts:
find </path/to/wordpress> -type f -name "*.php" -exec chmod 600 {} \;
WordPress file permissions: 777 permissions
You may see instructions for web-based software that state that files must be set to 777 permissions, read/write/execute permissions for all. This may be necessary for some directories, but is rarely the case for files. Permissions of 666, read/write permissions for all, are adequate in these cases if more strict permissions cannot be set.
Configuring 777 permissions also sets the execute bit for files, which most web servers do not require in most cases. In many cases a plugin may require more open permissions.
Read the plugin’s documentation or contact the developer to inquire about required permissions. For further reading about WordPress file permissions, visit the WordPress website.
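After applying the modes above, a read-only audit shows what is still looser than intended. The script below is an added example, not Liquid Web's or WordPress's own code; the function names, the finding labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree against the modes above.
# Prints "<finding> <path>" per line; returns 0 if clean, 1 if anything found.
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        {
            # Anything writable by "other" (666, 777, ...).
            find "$root" \( -type f -o -type d \) -perm -0002 -print |
                sed 's/^/world-writable /'
            # Regular files carrying an execute bit (what 777/755 adds to a file).
            find "$root" -type f \
                \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
                sed 's/^/executable-file /'
            # PHP scripts readable by group or other (looser than 600).
            find "$root" -type f -name '*.php' \
                \( -perm -0040 -o -perm -0004 \) -print |
                sed 's/^/php-readable-by-others /'
        } | sort
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real site) for trying the audit offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.html";               chmod 644 "$t/index.html"
    : > "$t/wp-config.php";            chmod 600 "$t/wp-config.php"
    : > "$t/wp-login.php";             chmod 644 "$t/wp-login.php"
    : > "$t/wp-content/cache.dat";     chmod 666 "$t/wp-content/cache.dat"
    : > "$t/wp-content/uploads/a.jpg"; chmod 755 "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"
    printf '%s\n' "$t"
}

# Usage (hypothetical file name): sh audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then audit_wp_perms "$1"; fi
```

The PHP check follows the 600 recommendation above, so it will also flag scripts left at 644 or 640 in environments where the web server needs to read them.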