Understanding File Permissions and Using Them to Secure Your Site

Jenni McKinnon – February 10, 2022

Understanding File Permissions and Using Them to Secure Your Site

File permissions specify who and what can read, write, modify, and access them. This is important, as the Codex explains, because WordPress may need access to write to files in your wp-content directory to enable certain functions.

If your files don’t have the best possible permissions in place, it’s easier for hackers to intrude on your files and your site. Setting your file permissions correctly may not save you from all attacks, but it will help make your site a bit more secure, making it a great addition to your current security measures.

The WordPress Codex has some information on WordPress file permissions, but it doesn’t go into a whole lot of detail so it can be tough to follow. So in today’s Weekend WordPress Project we’ll look at file and folder permissions in detail, and how to change them to improve your site’s security.

What Do File Permissions Look Like?
What Permissions Should I Use?
Where Can File Permission Be Found?
Conclusion

What Do File Permissions Look Like?

Generally speaking, there are two categories that need to be considered when viewing file permissions: Actions and user groups.

Actions your site’s plugins and files can make are:

Read – allows access to a file to view its contents only
Write – allows the file to be changed
Execute – gives access to a file in order to run the programs or scripts that are contained in it

The user groups of the actions can be:

User – you as the owner of your site
Group – other users that can also have access to the files you choose such as the members of your site
World – anyone with an internet connection who tries to view your files

File permissions are primarily viewed as three consecutive numbers:

First number – the access to file actions granted to the user
Second number – the file access given to the group
Third number – the amount of file access given to the world

To come up with these numbers, a value is given to each possible action combination:

0 – no access
1 – execute
2 – write
3 – write and execute
4 – read
5 – read and execute
6 – read and write
7 – read, write and execute

This being the case, the greatest amount of access you can grant is 777 where the user, group and world have access to read, write and execute files.

The least amount of access you can give – besides none at all – is with a file’s permission set to 444 where everyone can only read the file.

You only need to remember the values given to the read, write and execute actions, though, because adding their corresponding numbers together will give you the correct file permission value.

For example, this is how you would calculate a file permission if you wanted the user to have complete access, while having stricter limitations for everyone else:

User – with the access to read (with the value of 4), write (having a value of 2) and execute (which has a value of 1), 4 + 2 + 1 = 7
Group – has access to read (4) and write (2), 4 + 2 = 6
World – only has access to read files, 4

The final file permission would become 764 in this example. This, however, usually isn’t an ideal permission for WordPress files.

You may notice that file permissions are written differently when looking at them through FTP or SSH (Shell access). They may look something like this:

File permissions are written as text, such as "-rwxr-xr-x." — This format of displaying file permissions is actually the same as their numerical counterpart.

The letters represent the actions for the permission: Read, write and execute.

Diagram of the text permissions — The first character can have other values, but it’s less likely that you would come across them when working with WordPress.

The hyphens represent the absence of an action, except for the first character in the sequence which shows the permission is for a file. If it were for a folder – which is often called a directory – there would be a letter “d” instead.

The characters that follow are grouped in sets of threes. The first set represents the user, the second set for group and the third for world.

Each set displays the allowed actions for each user group. Here’s an example:

Loading gist 8e37c1cd8a1fc796b42863d7b14efe7a

The first hyphen means the permission is for a file. The next three characters show that the user has access to reading, writing and executing the file while the group and world sets have permission to read and execute the file, but not write it as shown by the hyphens.

If you assign the same values to the actions as we covered earlier, the result will be a numeric file permission. This example adds up to 755.

It may also be helpful to mention that using the file permission 777 gives access to everyone so it’s dangerous and shouldn’t be used for your WordPress site, but using 444 is also not ideal because it means your WordPress site won’t have permission to run at all.

If these combinations aren’t great options, then what should your file permissions be, anyway?

What Permissions Should I Use?

If you set up your WordPress site on your own, chances are your file permissions are set correctly. If you find you’re getting permission errors or your site wasn’t set up by you, then it’s time to think about changing your file permissions.

FREE EBOOK

Your step-by-step roadmap to a profitable web dev business. From landing more clients to scaling like crazy.

FREE EBOOK

Plan, build, and launch your next WP site without a hitch. Our checklist makes the process easy and repeatable.

Each plugin will have different needs as far as file permissions go depending on the purpose of the plugin, and your file and folder permissions will depend on your hosting setup.

If you run your own server, you can typically run your site just fine with these general guidelines recommended by the WordPress Codex:

Folders – 755
Files – 644

For the most important files you have in your WordPress installation such as wp-config.php, you can set the permission to 600 if you desire.

The .htaccess file is an exception since it needs to be accessed by WordPress if you want the file to be automatically updated. The recommended setting is 644. If you would like this file to be more secure you can set it to 604 in most cases.

Where Can File Permission Be Found?

They’re only found on Linux and Unix based servers so if your site is set up on Windows, then you won’t be able to find them anywhere.

In cPanel, go to Files > File Manager once you have logged in. If the Directory Selection pop-up appears, click Go at the bottom.

Choose a file from the list and then click the Change Permissions icon at the top of the page.

The "Change Permission" icon is highlighted in cPanel's file manager. — There are many ways to view your file and folder permissions and this isn’t the most efficient one for most users.

An in-line pop-up will appear where you can view and change the permissions for the file or folder.

The "Change Permissions" pop-up shows a folder permission of 755 with the option to change it. — If you choose to change the permissions, be careful as it could break your site or otherwise give hackers a much greater opening to attack your site.

Selecting and de-selecting the checkboxes will update the permission. Clicking the Change Permissions button at the bottom right will save your changes.

You can also update your permissions via FTP. In FileZilla once a connection has been successfully established, you can right click on a file or folder, then select File permissions from the list.

The cgi-bin folder has been right clicked and the mouse is hovering over the "File permissions" option from the list that appeared. — You can also select more than one folder or file at a time to bulk change the permissions, but all the ones selected will have the same permissions.

A pop-up window will appear where you can check the appropriate boxes or type a numeric permission beside the label Numeric value.

The "Change file attributes" pop-up window in FileZilla. — If you’re using a different FTP client, consult their documentation for accurate instructions for changing permissions.

Once you’re happy with your changes, click OK to save them.

You can also change permissions will SSH. Once you have signed into your server, enter the following commands.

Here is the command for folders:

Loading gist 96f8a60c32bcc73793da5ef5cd53f3fb

The command for files is a bit different and here it is:

Loading gist 769656b1410a4844f495fef3e432d4f3

Just be sure to enter the correct path to your file or folder and also change the permission to one that suits your needs. In these examples, you would need to change the values 755 and 644, respectively.

Conclusion

We’ve covered the basics for WordPress permissions and also how to change them in cPanel and via FTP. There’s one more thing, though: It’s also important that you keep your WordPress installation up to date.

This will make sure any security upgrades to your permissions are automatically applied to keep you, your site and its visitors safe.

If you prefer to use plugins, there are three that are frequently updated and reliable that you can try out: Triagis® WordPress Security Evaluation, SECURE and BulletProof Security. These plugins can check your file permissions and inform you of inadequate settings.

If you would like to learn more about the steps you can take to further protect your site, check out some of our other posts on WordPress security: 5 Simple .htaccess Tips to Tighten Your Site’s Security, WordPress Security Essentials: Say Goodbye to Hackers and 6 Best WordPress Security Authentication Plugins.

Image credits: MajorGeeks, shaddy.

Have you ever needed to update your permissions? Are you unsure of whether you should? Feel free to share you experience in the comments below.

Jenni McKinnon Jenni has spent over 15 years developing websites and almost as long for WordPress as a copywriter, copy editor, web developer, and course instructor. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.