If you install, move, add WordPress Themes, Plugins, or just rearrange things on your server, you are going to run into the challenges associated with file permissions with WordPress. If you are concerned about security, protection from hackers, viruses, and other evil, get familiar with file permissions in WordPress.
In general, file permissions are variables set on server files to control access and usage of the file for individuals, browsers, code, and programs. Consider them the firewalls to your WordPress website, dictating who can do what with each file and folder.
All these folder and files permissions can be confusing in WordPress. Recently, I had a site offline for three hours, going through a variety of tests to figure out what was causing the problem. It boiled down to a single folder being set to the wrong permissions. I had to go through every file and folder to figure out which one was set wrong, so take care when changing file permissions.
There are three levels of access: Owner, Group, and Public. There are three options under each level to fine tune the control and access, read, write, and execute, and you can set these in a variety of combinations. Permissions can be the same or different on folders and files both.
There are key files and areas of your WordPress installation which must be “writable,” able to be edited and changed. If you’ve ever used permalinks or the built-in WordPress Editor for Themes or Plugins, you may have encountered a warning “that said changes could be made if this file were writable.” This means that these files or folders are set at a permission level that doesn’t allow access to make changes. In order to change from from within WordPress, you must set their permission levels to be able to be edited.
Among the writable files and folders in WordPress, some must be writable by the user account, others with less restriction such as the folder to which you upload images.
Luckily, WordPress is fairly easy. All folders must be set to 755, and files set to 644, except for wp-config.php at 640, and all files you need to be writable, like WordPress Themes, need to be set to 666 if you wish to edit them from within WordPress. If you edit them through FTP, then you can set them for tighter security levels.
What this means is that when people or bots try to access these files, they will get a forbidden error, keeping them safe from intruding viruses and malware.
There are many ways to set file permissions on your server. The easiest way is through FTP access. Depending upon how your FTP client program works, usually selecting the folders and/or files and right clicking to select Properties or File Permissions will get you to the file permissions menu. Select or type in the file permissions, select whether or not to apply to folders or files or both, and apply.
For those used to direct access, you can use chmod to set file and folder permissions.
We’ve put together a chart of recommendations for the various files and folders for setting the permission levels with WordPress. You can change these at any time to accommodate work you may be doing on the server. For example, if you need full access to a set of files, can set it to 777 or something slightly less secure. Remember to reset them for maximum security on your site.
| Folder | Files | Permissions | |
| public_html | 750 | rw r-x — | |
| root | 755 | rwx, rx, rx | |
| wp-admin | 755 | rwx, rx, rx | |
| wp-includes | 755 | rwx, rx, rx | |
| wp-content/*all directories* | 755 | rwx, rx, rx | |
| wp-content/images | open to user’s contributions | 777 | rwx rwx rwx |
| .htaccess | 644 | rw, r–, r– | |
| wp-admin/index.php | 644 | rw, r–, r– | |
| wp-content/themes/theme-name/*template-files* | 666 | rw-, rw-, rw- | |
| wp-config.php | 640 | rw, r–, — | |
| all other files | 644 | rw, r–, r– | |
There is one caveat to WordPress file permissions. Not all web host servers are equal. Some have dedicated security levels that can protect your files almost no matter what permissions you set, while others are not quite as locked down. Check with your host for specifics on what they recommend to be sure your files are set at the highest level of security and access, while still allowing WordPress to function.
For more information on WordPress file permissions, see:
© 2008-2012
Managing File Permissions in WordPress | Blogging, WordPress, Social Media, Web Publishing – WordCast…
If you install, move, add WordPress Themes, Plugins, or just rearrange things on your server, you are going to run into the challenges associated with file……
I would caution against using 777, ever.
Perhaps talk about file OWNERS vs file permissions. As long as file owners are in sync and your web host or pluigin doesn’t suck you should be able to set very secure permissions and still have the rwx you/wordpress needs to operate.
As Strebel said, I would caution using 777.
640 may not work in all instances, as stated above every config is different.
Please reference the Codex as it offers the recommended permissions for files and directories:
https://codex.wordpress.org/Hardening_WordPress
As the article states, not all server configurations support these, nor should anyone risk their site with having it fully open, though this is required for some sites that need to have image and media folders open for public access. The article on Hardening WordPress is mentioned in the article, too, along with other solid references.
Nice post on WordPress. my question is if i install the WordPress on RHEL6 testing Environment Selinux is enabled so what permission or other word context we applied on WordPress site all Folder. anybody help me to resolved….
Thank in advance.
I have found much information about directory and file permissions for WordPress, but the missing piece is a good explanation about owner, group and public. Who exactly is the owner? Is it the person logging in from WordPress admin, the FTP account user, etc.? Where does WordPress itself fit into this scheme; is it considered a part of the group or the owner? How does the FTP user fit into this?
If public needs only to read files, why does public need read and execute permissions on directories?
This might make for a good article. If you write it, I would certainly like to read it.
Thanks for your many already published articles about WordPress and websites. I have discovered you on many websites.
[...] This is a lot of information to pack in over a couple days. Personally my brain is overloaded. In 3 days, I’ve learned so much about SEO, Web Mastering, Web Servers, that my brain just needs to process it all. The web is a zoo of information, this page again seems to be pretty clear and helpful Managing File Permissions in WordPress. [...]
ha ””””””””””””””””””
\
http://WWW.TAWKLE.COM
Nice article but i would like to know if there is another way to set file permissions except FTP access. If yes, are they better? If not easier? Anyway thanks a lot for the informations, they have helped me a lot until now.
Greetings,
Alex