WordPress File Permissions: A Security Guide
Incorrect file permissions are the #1 way hackers break into WordPress sites. Yet most site owners have no idea what permissions their files are using — or even what file permissions are.
Think of file permissions like the locks on your house. Set them too loose, and anyone can walk in. Set them too tight, and even you can't get through the door. WordPress needs the same balance.
This guide explains exactly which permissions your WordPress files need, why they matter for security, and how to fix them when they're wrong.
What Are File Permissions?
File permissions control who can read, write, or execute files on your web server. Every file and folder in WordPress has a three-digit code that sets these rules.
The three digits represent permissions for three groups:
- Owner - Usually your hosting account
- Group - Other users in the same group
- Public - Everyone else
Each digit is a number from 0 to 7, made by adding together the values of the permissions it grants:
- 4 = Read
- 2 = Write
- 1 = Execute
So permission 644 means: Owner can read+write (6), Group can read (4), Public can read (4).
Permission 755 means: Owner can do everything (7), Group can read+execute (5), Public can read+execute (5).
Standard WordPress Permission Settings
Here's what WordPress expects for normal operation:
Folders: 755
All WordPress directories should be set to 755. This lets WordPress read files and navigate through folders, but prevents outsiders from adding malicious files.
Files: 644
Regular files (PHP, CSS, JS, images) should be 644. This lets WordPress read the files and serve them to visitors, but blocks unauthorized modifications.
wp-config.php: 640 or 644
Your configuration file contains database passwords. Some hosts recommend 640 for extra security, though 644 works on most servers. Check with your host if unsure.
.htaccess: 644
This file controls URL rewriting and security rules. WordPress needs to read it, but shouldn't need to modify it frequently.
Dangerous Permission Settings to Avoid
Never use 777 permissions. This gives everyone full control — read, write, and execute. It's like leaving your front door wide open with a "Rob Me" sign.
Common places people mistakenly use 777:
- Upload directories
- Cache folders
- Plugin folders during troubleshooting
If a plugin demands 777 permissions to work, find a different plugin. No legitimate WordPress plugin should require such loose security.
Why 777 Is So Dangerous
With 777 permissions, any user on the shared server can:
- Upload backdoor scripts to your site
- Modify your files to inject malware
- Read sensitive configuration data
- Delete important files
Once hackers plant a backdoor through loose permissions, they can return anytime — even after you fix the permissions. That's why WordPress malware removal often requires professional help.
Special Cases: When WordPress Needs Write Access
Sometimes WordPress legitimately needs to write to certain folders. Here's how to handle these cases safely:
Uploads Folder (wp-content/uploads)
This needs to be writable so you can upload images and media. Keep it at 755 — WordPress can still write here because the web server runs as the file owner.
If uploads fail with 755, your server might be configured differently. Contact your host rather than jumping to 777.
Cache Folders
Caching plugins create temporary files to speed up your site. These folders typically need 755 permissions. The plugin should create them with correct permissions automatically.
Backup Directories
If you store backups on your server (not recommended for proper WooCommerce backups), keep those folders at 755 and consider password-protecting them via .htaccess.
How to Check Your Current Permissions
You can check permissions several ways:
Via FTP/SFTP Client
Connect to your site with FileZilla or similar. Right-click any file or folder and look for "File permissions" or "Properties". You'll see the numeric code.
Via Hosting Control Panel
Most hosts provide a file manager in cPanel or similar. Navigate to your files and look for a permissions column, or right-click for properties.
Via Command Line (SSH)
If you have SSH access, run ls -la to list permissions in symbolic form. A directory shown as drwxr-xr-x is 755.
How to Fix Incorrect Permissions
Found permissions that are too loose or too tight? Here's how to fix them:
Single Files via FTP
- Connect via FTP/SFTP
- Right-click the file or folder
- Choose "File permissions" or "Change permissions"
- Enter the correct numeric value (644 for files, 755 for folders)
- Click OK
Bulk Fixes via Command Line
If you have SSH access and need to fix many files:
To fix all directories to 755:
find /path/to/wordpress -type d -exec chmod 755 {} \;
To fix all files to 644:
find /path/to/wordpress -type f -exec chmod 644 {} \;
Warning: Be very careful with bulk permission changes. Wrong commands can break your site. Always back up first.
Using Security Plugins
Some security plugins can scan and fix permissions. However, be cautious — automated fixes sometimes create new problems. Manual checking is more reliable.
Common Permission-Related Problems
Can't Upload Images
If uploads fail, check that wp-content/uploads is 755. Also verify the folder exists and your hosting account hasn't hit storage limits.
Can't Update Plugins
WordPress needs temporary write access during updates. This usually works with standard permissions. If updates fail, check with your host — don't loosen permissions.
White Screen After Permission Changes
Too-restrictive permissions can cause blank pages. Ensure all WordPress core folders are 755 and PHP files are 644. Check error logs for specific issues.
Security Plugin Warnings
Security scanners might flag standard WordPress permissions as "issues". Research each warning — not all need fixing. Some plugins are overly aggressive.
Server Configuration Matters
Permission requirements can vary based on server setup:
Shared Hosting
Standard permissions (755/644) almost always work. The web server runs as your user, so WordPress can write to 755 directories.
VPS/Dedicated Servers
Depends on configuration. With suPHP or similar, use standard permissions. With mod_php, you might need different ownership settings.
Cloud Hosting
Modern cloud hosting platforms like Ambrite's handle permissions automatically. We configure servers so WordPress works securely with standard 755/644 permissions.
Ownership vs. Permissions
Permissions aren't the whole story. File ownership also matters.
On properly configured hosting, your WordPress files should be owned by your account user. If files are owned by "nobody" or "www-data", you might have ownership issues that permissions alone won't fix.
Wrong ownership often happens when:
- Files are uploaded through WordPress instead of FTP
- Plugins create files with incorrect ownership
- Server migrations don't preserve ownership
Fixing ownership requires server access or host support. Don't try to compensate with loose permissions.
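The checks from "How to Check Your Current Permissions" and the ownership rule above can be run as one read-only audit over SSH. This is an added example, not part of the original guide or of any plugin; the function name wp_perm_audit and the finding labels are made up for illustration, and the script only reports, it never changes anything.

```bash
#!/usr/bin/env bash
# wp_perm_audit ROOT [OWNER]   (hypothetical helper; changes nothing on disk)
# Policy from this guide: directories 755, files 644, wp-config.php 640 or 644,
# nothing world-writable, and (if OWNER is given) everything owned by OWNER.
# Prints one "FINDING path" line per deviation.
# Returns 0 if clean, 1 if anything was found, 2 on bad input.
wp_perm_audit() {
    local root=$1 owner=${2:-} findings
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Last digit includes 2 (777, 666, ...): every account on the server can write.
        find "$root" \( -type d -o -type f \) -perm -002 -print |
            sed 's/^/WORLD-WRITABLE /'
        # Remaining directories that are not exactly 755.
        find "$root" -type d ! -perm -002 ! -perm 755 -print |
            sed 's/^/DIR-NOT-755 /'
        # Remaining files that are not exactly 644 (wp-config.php is handled next).
        find "$root" -type f ! -name wp-config.php ! -perm -002 ! -perm 644 -print |
            sed 's/^/FILE-NOT-644 /'
        # wp-config.php is allowed to be 640 or 644.
        find "$root" -type f -name wp-config.php \
            ! -perm -002 ! -perm 640 ! -perm 644 -print |
            sed 's/^/WPCONFIG-NOT-640-OR-644 /'
        # Ownership: anything not owned by the expected account user (name or uid).
        if [ -n "$owner" ]; then
            find "$root" \( -type d -o -type f \) ! -user "$owner" -print |
                sed 's/^/WRONG-OWNER /'
        fi
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: ./wp-perm-audit.sh /path/to/wordpress [account-user]
if [ "$#" -gt 0 ]; then wp_perm_audit "$@"; fi
```

Plugins that ship executable helper scripts will show up as FILE-NOT-644; review each finding rather than treating the list as a fix list.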
Permissions and WordPress Security
Correct permissions are just one layer of WordPress security. They work best combined with:
- Security monitoring to catch intrusions early
- Regular updates to patch vulnerabilities
- Strong passwords and two-factor authentication
- Quality hosting with server-level protection
Think of permissions as your first line of defense. They won't stop a determined hacker who finds a plugin vulnerability, but they prevent many automated attacks and limit damage if someone does break in.
Special Considerations for Canadian Sites
Canadian businesses handling customer data need extra security vigilance. PIPEDA compliance requires protecting personal information from unauthorized access.
Loose file permissions could constitute a privacy breach if they allow unauthorized access to:
- Database backups containing customer info
- Log files with personal data
- Uploaded documents from clients
- Export files from plugins
For sites handling sensitive data, consider additional hardening beyond standard permissions.
When to Get Professional Help
Some permission issues signal deeper problems:
- Permissions keep reverting after you fix them
- New files appear with suspicious permissions
- You see unfamiliar files in WordPress directories
- Permission errors accompany other strange behavior
These often indicate an active hack. Professional WordPress security services can clean infections and harden your site against future attacks.
Maintaining Proper Permissions
Check permissions quarterly or after major changes:
- After migrating hosts
- After restoring from backup
- After installing new plugins
- After any security incident
Add permission checking to your maintenance routine. It takes five minutes and can prevent major headaches.
Testing Permission Changes Safely
Before changing permissions on a live site:
- Note current permissions for rollback
- Make changes to one test file first
- Verify the site still loads properly
- Test functionality that might be affected
- Then apply changes more broadly
Never change all permissions at once without testing. A single typo in a bulk command can take your entire site offline.
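One way to carry out the "note current permissions for rollback" step before running the bulk find commands from this guide. This is an added example, not the guide's own code; the function names and snapshot format are made up for illustration, and it assumes GNU find (for -printf), as shipped on typical Linux hosts.

```bash
#!/usr/bin/env bash
# Hypothetical helpers; assume GNU find. Paths containing newlines are not supported.

# snapshot_modes ROOT SNAPSHOT
# Records "MODE PATH" (for example "640 /site/wp-config.php") for every
# file and directory under ROOT.
snapshot_modes() {
    find "$1" \( -type d -o -type f \) -printf '%m %p\n' > "$2"
}

# changed_modes ROOT SNAPSHOT
# Prints "MODE PATH" for every entry whose current mode differs from the
# snapshot, so you can review exactly what a bulk chmod touched.
changed_modes() {
    local now
    now=$(mktemp)
    snapshot_modes "$1" "$now"
    grep -Fxv -f "$2" "$now" || true   # grep exits 1 when nothing changed
    rm -f "$now"
}

# restore_modes SNAPSHOT
# Re-applies the recorded modes. Paths that no longer exist are skipped.
restore_modes() {
    local line mode path
    while IFS= read -r line; do
        mode=${line%% *}     # text before the first space
        path=${line#* }      # everything after it (spaces in names survive)
        if [ -e "$path" ]; then chmod "$mode" "$path"; fi
    done < "$1"
}

# Typical sequence (paths are placeholders; keep the snapshot outside the web root):
#   snapshot_modes /path/to/wordpress "$HOME/wp-modes.before"
#   find /path/to/wordpress -type d -exec chmod 755 {} \;
#   find /path/to/wordpress -type f -exec chmod 644 {} \;
#   changed_modes /path/to/wordpress "$HOME/wp-modes.before"   # review the changes
#   restore_modes "$HOME/wp-modes.before"                       # roll back if needed
```

The review step matters because the bulk file command also resets a wp-config.php that was deliberately set to 640 back to 644, and changed_modes will list it.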
File Permissions Quick Reference
Screenshot this for future reference:
Standard WordPress Permissions:
- All directories: 755
- All files: 644
- wp-config.php: 640 or 644
- .htaccess: 644
Never use:
- 777 on any file or folder
- 666 on sensitive files
If something needs writing:
- Try 755 first (for folders)
- Contact host if that fails
- Never jump to 777
Keep your WordPress file permissions correct, and you'll block the easiest path hackers use to compromise sites. It's a simple step that makes a real difference in your site's security posture.
This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.
