WordPress File Permissions: A Security Guide

Incorrect file permissions are the #1 way hackers break into WordPress sites. Yet most site owners have no idea what permissions their files are using — or even what file permissions are.

Think of file permissions like the locks on your house. Set them too loose, and anyone can walk in. Set them too tight, and even you can't get through the door. WordPress needs the same balance.

This guide explains exactly which permissions your WordPress files need, why they matter for security, and how to fix them when they're wrong.

What Are File Permissions?

File permissions control who can read, write, or execute files on your web server. Every file and folder in WordPress has a three-digit code that sets these rules.

The three digits represent permissions for three groups:

  • Owner - Usually your hosting account (the user that owns the file)
  • Group - Other users who belong to the file's group
  • Public - Everyone else on the server (also called "others" or "world")

Each digit is a number from 0 to 7, formed by adding together the permissions it grants:

  • 4 = Read
  • 2 = Write
  • 1 = Execute

So permission 644 means: Owner can read+write (6), Group can read (4), Public can read (4).

Permission 755 means: Owner can do everything (7), Group can read+execute (5), Public can read+execute (5).

Standard WordPress Permission Settings

Here's what WordPress expects for normal operation:

Folders: 755

All WordPress directories should be set to 755. This lets WordPress read files and navigate through folders, but prevents outsiders from adding malicious files.

Files: 644

Regular files (PHP, CSS, JS, images) should be 644. This lets WordPress read the files and serve them to visitors, but blocks unauthorized modifications.

wp-config.php: 640 or 644

Your configuration file contains database passwords. Some hosts recommend 640 for extra security, though 644 works on most servers. Check with your host if unsure.

.htaccess: 644

This file controls URL rewriting and security rules. WordPress needs to read it, but shouldn't need to modify it frequently.

Dangerous Permission Settings to Avoid

Never use 777 permissions. This gives everyone full control — read, write, and execute. It's like leaving your front door wide open with a "Rob Me" sign.

Common places people mistakenly use 777:

  • Upload directories
  • Cache folders
  • Plugin folders during troubleshooting

If a plugin demands 777 permissions to work, find a different plugin. No legitimate WordPress plugin should require such loose security.

Why 777 Is So Dangerous

With 777 permissions, any user on the shared server can:

  • Upload backdoor scripts to your site
  • Modify your files to inject malware
  • Read sensitive configuration data
  • Delete important files

Once hackers plant a backdoor through loose permissions, they can return anytime — even after you fix the permissions. That's why WordPress malware removal often requires professional help.

Special Cases: When WordPress Needs Write Access

Sometimes WordPress legitimately needs to write to certain folders. Here's how to handle these cases safely:

Uploads Folder (wp-content/uploads)

This needs to be writable so you can upload images and media. Keep it at 755 — WordPress can still write here because the web server runs as the file owner.

If uploads fail with 755, your server might be configured differently. Contact your host rather than jumping to 777.

Cache Folders

Caching plugins create temporary files to speed up your site. These folders typically need 755 permissions. The plugin should create them with correct permissions automatically.

Backup Directories

If you store backups on your server (not recommended for proper WooCommerce backups), keep those folders at 755 and consider password-protecting them via .htaccess.

How to Check Your Current Permissions

You can check permissions several ways:

Via FTP/SFTP Client

Connect to your site with FileZilla or similar. Right-click any file or folder and look for "File permissions" or "Properties". You'll see the numeric code.

Via Hosting Control Panel

Most hosts provide a file manager in cPanel or similar. Navigate to your files and look for a permissions column, or right-click for properties.

Via Command Line (SSH)

If you have SSH access, run ls -la. Permissions appear in symbolic form such as drwxr-xr-x: the leading d marks a directory, and rwxr-xr-x is the symbolic spelling of 755.

How to Fix Incorrect Permissions

Found permissions that are too loose or too tight? Here's how to fix them:

Single Files via FTP

  1. Connect via FTP/SFTP
  2. Right-click the file or folder
  3. Choose "File permissions" or "Change permissions"
  4. Enter the correct numeric value (644 for files, 755 for folders)
  5. Click OK

Bulk Fixes via Command Line

If you have SSH access and need to fix many files:

To fix all directories to 755:
find /path/to/wordpress -type d -exec chmod 755 {} \;

To fix all files to 644:
find /path/to/wordpress -type f -exec chmod 644 {} \;

Warning: Be very careful with bulk permission changes. Wrong commands can break your site. Always backup first.
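To put the checking and fixing steps above into one place, here is an added example (not from the original article): a small POSIX shell script that first reports every file or folder deviating from the 755/644 baseline, counts world-writable entries, and only then applies the bulk fix. It assumes GNU coreutils stat (stat -c %a) and a POSIX find; the path argument is the WordPress root.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress tree against the
# 755/644 baseline before touching it, then apply the article's bulk fix.
# Assumes GNU coreutils stat(1) (stat -c %a) and POSIX find(1); $1 is the WordPress root.

# Print "MODE<TAB>PATH" for every entry that deviates from the baseline:
# directories that are not 755, regular files that are not 644
# (wp-config.php is also accepted at 640, as the article allows).
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec sh -c '
        for p in "$@"; do printf "%s\t%s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
    find "$root" -type f ! -perm 644 ! \( -name wp-config.php -perm 640 \) -exec sh -c '
        for p in "$@"; do printf "%s\t%s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
}

# Count entries writable by "everyone else" (the 777 and 666 cases the article warns about).
# -perm -002 is the portable spelling of "world-writable bit is set".
wp_world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Apply the baseline: 755 on directories, 644 on regular files, using "{} +" so chmod
# runs in batches. wp-config.php is left alone so a deliberate 640 is not loosened.
# Read the audit output and take a backup first; this changes the live tree.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
}

# Usage: wp_perm_audit /path/to/wordpress   (review the list)
#        wp_perm_fix   /path/to/wordpress   (then re-run the audit; it should print nothing)
```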

Using Security Plugins

Some security plugins can scan and fix permissions. However, be cautious — automated fixes sometimes create new problems. Manual checking is more reliable.

Common Permission-Related Problems

Can't Upload Images

If uploads fail, check wp-content/uploads is 755. Also verify the folder exists and your hosting account hasn't hit storage limits.

Can't Update Plugins

WordPress needs temporary write access during updates. This usually works with standard permissions. If updates fail, check with your host — don't loosen permissions.

White Screen After Permission Changes

Too-restrictive permissions can cause blank pages. Ensure all WordPress core folders are 755 and PHP files are 644. Check error logs for specific issues.

Security Plugin Warnings

Security scanners might flag standard WordPress permissions as "issues". Research each warning — not all need fixing. Some plugins are overly aggressive.

Server Configuration Matters

Permission requirements can vary based on server setup:

Shared Hosting

Standard permissions (755/644) almost always work. The web server runs as your user, so WordPress can write to 755 directories.

VPS/Dedicated Servers

Depends on configuration. With suPHP or similar, use standard permissions. With mod_php, you might need different ownership settings.

Cloud Hosting

Modern cloud hosting platforms like Ambrite's handle permissions automatically. We configure servers so WordPress works securely with standard 755/644 permissions.

Ownership vs. Permissions

Permissions aren't the whole story. File ownership also matters.

On properly configured hosting, your WordPress files should be owned by your account user. If files are owned by "nobody" or "www-data", you might have ownership issues that permissions alone won't fix.

Wrong ownership often happens when:

  • Files are uploaded through WordPress instead of FTP
  • Plugins create files with incorrect ownership
  • Server migrations don't preserve ownership

Fixing ownership requires server access or host support. Don't try to compensate with loose permissions.

Permissions and WordPress Security

Correct permissions are just one layer of WordPress security. They work best combined with:

  • Security monitoring to catch intrusions early
  • Regular updates to patch vulnerabilities
  • Strong passwords and two-factor authentication
  • Quality hosting with server-level protection

Think of permissions as your first line of defense. They won't stop a determined hacker who finds a plugin vulnerability, but they prevent many automated attacks and limit damage if someone does break in.

Special Considerations for Canadian Sites

Canadian businesses handling customer data need extra security vigilance. PIPEDA compliance requires protecting personal information from unauthorized access.

Loose file permissions could constitute a privacy breach if they allow unauthorized access to:

  • Database backups containing customer info
  • Log files with personal data
  • Uploaded documents from clients
  • Export files from plugins

For sites handling sensitive data, consider additional hardening beyond standard permissions.

When to Get Professional Help

Some permission issues signal deeper problems:

  • Permissions keep reverting after you fix them
  • New files appear with suspicious permissions
  • You see unfamiliar files in WordPress directories
  • Permission errors accompany other strange behavior

These often indicate an active hack. Professional WordPress security services can clean infections and harden your site against future attacks.

Maintaining Proper Permissions

Check permissions quarterly or after major changes:

  • After migrating hosts
  • After restoring from backup
  • After installing new plugins
  • After any security incident

Add permission checking to your maintenance routine. It takes five minutes and can prevent major headaches.

Testing Permission Changes Safely

Before changing permissions on a live site:

  1. Note current permissions for rollback
  2. Make changes to one test file first
  3. Verify the site still loads properly
  4. Test functionality that might be affected
  5. Then apply changes more broadly

Never change all permissions at once without testing. A single typo in a bulk command can take your entire site offline.

File Permissions Quick Reference

Screenshot this for future reference:

Standard WordPress Permissions:

  • All directories: 755
  • All files: 644
  • wp-config.php: 640 or 644
  • .htaccess: 644

Never use:

  • 777 on any file or folder
  • 666 on sensitive files

If something needs writing:

  • Try 755 first (for folders)
  • Contact host if that fails
  • Never jump to 777

Keep your WordPress file permissions correct, and you'll block the easiest path hackers use to compromise sites. It's a simple step that makes a real difference in your site's security posture.

This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.
