WordPress Security – File Permissions

File Permissions are set when WordPress is installed. If you did not carry out your own installation, you may want to check that the settings are right for your site.

Setting file permissions for certain files may have significant security implications for your site. It is worth taking a few minutes to check your settings and make sure they match your requirements.

In short, an install done by an experienced WP installer probably won’t need any file permissions tweaks. A self-install might need checking. Also note that shared servers will need different settings. Personally, my sites are on shared servers, as I imagine the majority of WP sites are.

File Permissions Values

The settings for each file are indicated by a four-figure number from 0000 to 0777. The first figure is always zero; each of the other three is a digit from 0 to 7 (in practice usually 4, 6 or 7), with higher values granting more access. The three figures are the permissions given to three classes of user:

  • user
  • group
  • world
Symbolic Notation   Numeric Notation   English
-----------------   ----------------   -------------------------------------------------------------------------------
----------          0000               no permissions
-rwx------          0700               read, write, & execute only for owner
-rwxrwx---          0770               read, write, & execute for owner and group
-rwxrwxrwx          0777               read, write, & execute for owner, group and others
---x--x--x          0111               execute
--w--w--w-          0222               write
--wx-wx-wx          0333               write & execute
-r--r--r--          0444               read
-r-xr-xr-x          0555               read & execute
-rw-rw-rw-          0666               read & write
-rwxr-----          0740               owner can read, write, & execute; group can only read; others have no permissions

On shared hosting, directory permissions should be set to 0755 or 0750 and files to 0644 or 0640, except for wp-config.php, which should be 0440 or 0444 to prevent other users on the same server from reading it.

The ‘File Security’ sub-menu of the All in One WP Security plugin that I previously mentioned shows your critical file permissions. It will flag up if it thinks your settings are wrong, but I am not sure if it determines whether you are on a shared server. It recommends 0755 for folders, 0644 for .htaccess, wp-admin/index.php and wp-config.php. You might want to consider ‘hardening up’ wp-config permissions to 0444.

Changing Permissions

So let’s say we’re going to make that change, to ‘harden’ file permissions for wp-config from 0644 to 0444 on a shared server. How do we go about it?

  • cPanel – log into your cPanel or other host server file management system. Click on ‘File Manager’ and navigate to the folder that contains your WordPress installation. Highlight your file (in this case wp-config.php), right click and select ‘change permissions’. I hope yours is as simple as mine was… My WP security plugin file security page changed to reflect the new setting. The plugin offers to change the settings back to default, but I am going to leave the 0444 in place.
  • FTP – I use FileZilla to access my server, so again I navigate to where the WordPress site is kept. Again, right click on the file, and the very last option should be ‘Permissions’. Select the setting you want – or simply use this to check your settings.
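If you have shell access rather than only cPanel or FTP, the same check can be scripted. The following audit is an added example, not code from the original post or from the All in One WP Security plugin: it walks a WordPress tree and reports anything that differs from the shared-hosting values above (0755/0750 for directories, 0644/0640 for files, 0440/0444 for wp-config.php). It assumes GNU coreutils (stat -c), and the sample tree it builds is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example: audit a WordPress root against the permission values in this post.
# Assumes GNU stat (-c '%a'); on BSD/macOS substitute: stat -f '%Lp'.

# Return 0 if mode $1 (e.g. "644") is one of the space-separated modes in $2.
mode_allowed() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print "MODE RELATIVE-PATH (expected ...)" for every deviation under root $1.
# Directories: 755/750; wp-config.php: 440/444; all other files: 644/640.
audit_wp_perms() {
    root=$1
    find "$root" -mindepth 1 | sort | while IFS= read -r path; do
        mode=$(stat -c '%a' "$path")
        if [ -d "$path" ]; then
            allowed="755 750"
        elif [ "$(basename "$path")" = "wp-config.php" ]; then
            allowed="440 444"
        else
            allowed="644 640"
        fi
        mode_allowed "$mode" "$allowed" ||
            printf '%s %s (expected %s)\n' "$mode" "${path#"$root"/}" "$allowed"
    done
}

# Number of deviations in tree $1 (0 means every mode matched the policy).
count_deviations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real site): a correct index.php, a wp-config.php
# still at the 0644 default, and a world-writable uploads directory to be flagged.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    : > "$root/index.php";     chmod 644 "$root/index.php"
    : > "$root/wp-config.php"; chmod 644 "$root/wp-config.php"
    chmod 755 "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"
    printf '%s\n' "$root"
}
```

Run it as `audit_wp_perms /path/to/wordpress`; an empty result means every file and directory already matches the values above, and each printed line names a file to revisit in cPanel or FileZilla.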

Be careful about changing anything without fully understanding what you are doing. Some changes can break your site, so this is not one for the faint-hearted. Equally, if you don’t check these settings, you may be leaving your site open to vulnerabilities.
