WordPress file permissions and ownership play an integral role in the overall security of your WordPress website, which is why you should be sure to get them right. In this post, we’ll cover all you need to know about WordPress file permissions.
Whether you’re a blogger or business owner, the simplicity of WordPress means that it is the most popular CMS system by far. If you are going to use the platform, though, you should give WordPress security the attention it deserves. While there are many different factors to consider, setting up the correct file permissions should be one of the top items on your agenda.
What are WordPress File Permissions?
WordPress file permissions determine who can access the files on your WordPress site. File permissions are essentially a way to organize and manage files and folders. Failure to set them correctly can put your website and your site’s visitors at significant risk.
Without the right file permissions, hackers can gain access to your admin account and potentially your entire server (where your website resides). This may allow them to read, write and execute sensitive files, including adding malicious code that runs malware inside the backend of your site.
On a separate note, if your WordPress site is used by several users (such as contributors of blog posts or news pieces), the right file permissions prevent the threat of internal mistakes (honest or otherwise) while also offering a layer of protection for them against attackers too.
While file permissions aren’t the only key element of WordPress security best practices, they ensure the right execution of files, making them a key aspect for the site’s function.
Setting up WordPress file permissions: FTP v cPanel
Before actively setting file permissions, you must first know which client you use for the management of your website’s files. There are commonly two main solutions: FTP and cPanel.
Using an FTP client, you’ll want to set the permissions of the file or folder by using chmod or set permissions from the menu. Simply open the files and folder. From there the Permissions column will be clearly indicated.
On each file, a sequence of letters and hyphens is displayed. Among these characters you can see any (singly or combined) of the following:
- The letter ‘r’ to indicate the user can Read the file,
- The letter ‘w’ to indicate the user has Write permissions,
- The letter ‘x’ to indicate the user may Execute the file.
- A hyphen ‘-’ to indicate no permissions.
They will be presented in a certain way to show the settings for individual groups and users. From the menu on the FTP client, simply click Set Permissions to make the necessary changes.
When using chmod, octal numbers are used. Their meanings are as follows:
- 755 means that the owner can do anything while others can read and execute, but may not alter the file. This is ideal for public files.
- 644 means you can read and write while others can read only.
- 711 means that the owner can do anything with the file while others can only execute.
- 700 means that you can do anything while others have no access. This is best used for private directories and items within the backend.
- 600 means that you can read and write while other users have no access. This is ideal for private text files.
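The two notations above describe the same permission bits. As an added example (not part of the original post), the following converts between the letter string an FTP client shows and the octal number chmod takes, and reports which classes of user can write; the function names are hypothetical.

```python
BITS = "rwx"                      # position 0 = read (4), 1 = write (2), 2 = execute (1)
CLASSES = ("owner", "group", "others")

def symbolic_to_octal(perm):
    """'rwxr-xr-x' or '-rwxr-xr-x' -> '755'. Special bits (s, t) are rejected."""
    if len(perm) == 10:           # drop the leading file-type character ('-', 'd', ...)
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters")
    digits = []
    for start in range(0, 9, 3):
        value = 0
        for pos, ch in enumerate(perm[start:start + 3]):
            if ch == BITS[pos]:
                value |= 4 >> pos
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r}")
        digits.append(str(value))
    return "".join(digits)

def octal_to_symbolic(mode):
    """'644' -> 'rw-r--r--'."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError("expected three octal digits")
    return "".join(
        BITS[pos] if int(c) & (4 >> pos) else "-"
        for c in mode for pos in range(3)
    )

def who_can_write(mode):
    """Return the user classes whose write bit is set in an octal mode string."""
    return [name for name, c in zip(CLASSES, mode) if int(c) & 2]

if __name__ == "__main__":
    for mode in ("755", "644", "711", "700", "600"):
        print(mode, octal_to_symbolic(mode), "writable by:", who_can_write(mode))
```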
Using cPanel’s file manager is equally easy. Once inside the portal, you can click Change Permission to bring up a popup box that shows a number of checkboxes. From here, you simply need to tick and untick the right permissions for the appropriate users and groups in relation to each file and folder.
WordPress File Permissions: The Components
When handling your WordPress site, there are a number of different file types and folders that may require alterations to the permissions for internal and external security measures. From inside the panel, you’ll notice the various folders and directories. A little understanding of each element will go a long way to aiding your cause.
Correct File Permissions for the wp-content Folder
The wp-content folder houses the data relating to the themes, plugins and uploads to your WordPress account. Editing the files within this folder will significantly impact the website, making it a target for prospective hackers.
Setting the permissions of the folder so that only the owner has write and execute permissions is vital.
To do this, set the folder permissions to 755 and the files inside to 644; this will provide the right protection against unauthorized access.
Correct File Permissions for wp-includes
The wp-includes folder stores the core files needed for the API and functioning of your site. As such, setting this to 644 is the right selection.
Correct File Permissions for Folders
Setting permissions to 755 is usually the best option for all other folders, as this gives you full access while limiting the access of others.
Correct File Permissions for wp-config
The wp-config file is where base configuration and database connection information are stored, making it one of the most important files of all. Use a 444 permission to allow users and groups to read the file but not write or execute it.
It is also the right permission choice for the PHP file within the WP root.
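To check a site against the values in this section, the added example below (not from the original post or from any plugin) walks a WordPress directory and lists every entry whose mode differs from 755 for folders, 644 for files and 444 for wp-config.php. The function names and the sample tree are constructed for illustration, and a POSIX filesystem is assumed.

```python
import os
import stat
import tempfile

# Modes recommended on this page; SPECIAL is keyed by path relative to the WordPress root.
DIR_MODE, FILE_MODE = 0o755, 0o644
SPECIAL = {"wp-config.php": 0o444}

def audit(root):
    """Return sorted (path, actual, expected, note) tuples for every mismatch under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what protects the target
            rel = os.path.relpath(full, root)
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else SPECIAL.get(rel, FILE_MODE)
            actual = stat.S_IMODE(st.st_mode)
            if actual != expected:
                # Write bits for group (020) or others (002) are the risky deviation.
                note = "group/others can write" if actual & 0o022 else "deviates"
                findings.append((rel, format(actual, "03o"), format(expected, "03o"), note))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree (not a real site): two correct entries, three wrong ones."""
    layout = [
        ("wp-content", 0o755, True),
        ("wp-content/uploads", 0o777, True),
        ("wp-content/index.php", 0o644, False),
        ("wp-config.php", 0o644, False),
        ("wp-login.php", 0o666, False),
    ]
    for rel, mode, is_dir in layout:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, actual, expected, note in audit(tmp):
            print(f"{rel}: {actual} (expected {expected}) {note}")
```

Run `audit()` against the real site root in place of the temporary directory; it only reads metadata and changes nothing.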
Using the iThemes Security Plugin to Check Your WordPress File Permissions
iThemes Security is a WordPress security plugin designed to harden and lock down your WordPress site. The File Permissions setting lists file and directory permissions of key areas of the site.
From the iThemes Security plugin menu, visit the Settings page. Locate the File Permissions module.
Click the Show Details button to see your file permissions. iThemes Security will then give you a report of the status of your permissions.
WordPress File Permission Suggestions
The Final Word
Protecting your WordPress site with the right security is absolutely vital. With the right file permissions set, you can be sure that your website isn’t open to attacks caused by unauthorized edits to files. Likewise, users won’t accidentally cause problems by making simple errors.
When your file permissions are supported by the other WordPress security best practices, your WordPress site will carry greater protection than ever.