WordPress file permissions

Searching for the optimal WordPress file permissions? Or confused by what file permissions are in the first place and why you need to care about them at all?

Either way, we’ve got the answers for you in this post, because we’re going to cover everything you need to know about WordPress file permissions.

We’ll explain what file permissions are and why they matter. Then, we’ll tell you the correct file permissions for WordPress and show you how to modify file permissions via FTP.

📚 Table of contents:

⚠️ Note – if you already know what file permissions are and you’re just looking for the optimal configuration for WordPress, we recommend clicking here to find the optimal permissions.

What are file permissions?

File permissions do pretty much what the name says – they control the permissions that different types of users have for interacting with files on your website’s server.

For example, file permissions control whether a specific type of user can edit a certain file or folder on your server.

There are three specific permissions:

  • Read – being able to view/read the contents of a file without changing it.
  • Write – being able to edit/alter a file.
  • Execute – being able to use/execute a file. For example, running a script.

File permissions control what “users” can do, but it’s not quite like “users” in the WordPress sense. Instead, it’s users on your web server, which are usually configured by your hosting provider.

There are three types of users:

  • Owner – the entity that is assigned to be the owner of a file or folder.
  • Group – entities that are members of a group that owns the file or folder.
  • Public – all other users.

Again, your hosting provider is the one responsible for setting up these types of users. If you don’t totally understand, that’s fine. Non-developers don’t really need to understand these details – we’re just sharing it because these are terms that you’ll see when reading about file permissions.

In total, you’ll have nine different permission configurations because there are three types of users and each type of user has three potential permissions:

  • Owner can read, write, and/or execute.
  • Group can read, write, and/or execute.
  • Public can read, write, and/or execute.

When you configure your site, you’ll typically give the Owner the most permissions, followed by Group, and then Public should always have the fewest permissions.

For example, a typical configuration for WordPress files is as follows:

  • Owner can read and write.
  • Group can read.
  • Public can read.

Why do WordPress file permissions matter?

Having the proper WordPress file permissions is important for the security and functioning of your site.

If you make your file permissions too permissive, that can be a security issue because people might be able to modify or execute files/folders that they shouldn’t have access to. For example, they could use this to insert malicious code on your site.

But at the same time, if you make your file permissions too restrictive, your site might not be able to function properly. If certain users can’t even read files on your server, your WordPress site won’t work.

For example, file permissions that are too strict can often cause issues with WordPress plugins because the plugin might not be allowed to modify certain files that it needs to edit.

For that reason, you’ll typically give file users some permissions, but not all.

Does everyone need to set their file permissions?

Honestly, no. Most people will never need to interact with WordPress file permissions.

Why? Because if you choose a quality WordPress hosting provider, they should automatically configure WordPress to use the optimal file permissions for that host’s environment.

I’ve been using WordPress for over a decade and I’ve never needed to manually mess with file permissions. This is because I’ve always relied on my host to do things for me.

However, that doesn’t mean there aren’t situations where you might need to make a tweak. Things can get messed up in weird ways and checking file permissions is an important step in troubleshooting a lot of issues, such as the “403 Forbidden” error.

Basically:

  • If you’re using high-quality WordPress hosting and you don’t have a specific reason to think about your file permissions, you probably don’t need to do anything.
  • If you’re trying to debug a certain issue/error or you recently migrated a site from a local development environment to live hosting, you might need to manually dig into your site’s file permissions.

What do the different numbers in file permissions mean?

File permissions are typically represented by a series of three numbers – e.g. 644. You might also see letters and dashes like rw-rw-r--, but that format is less common.

Each digit in the three-number sequence corresponds to a specific type of user:

  • First digit – Owner.
  • Second digit – User accounts in the owner’s groups.
  • Third digit – Public.

Then, each action is assigned a number:

  • Read – 4
  • Write – 2
  • Execute – 1

The number in each digit place is then the sum of the actions that that type of user can perform. For example, if the number in the first digit is “6”, that means that the Owner (first digit) can Read (4) and Write (2) … 4+2 is 6 which is why the digit is 6.

If a certain type of user has all permissions, the number would be 7 (4+2+1).

This is why 777 is the most permissive mode. It means that all three types of users can perform all three actions.

However, you should pretty much never set any WordPress file permissions to 777. It’s a huge security risk – unless you absolutely know what you’re doing, you should never set any file or folder to 777.

What are the correct WordPress file permissions?

Now that you understand what file permissions are, let’s go over the optimal configuration for WordPress.

But first – I need to specify that some of this depends on your hosting provider and how your host has configured your server.

When in doubt, we recommend always following the advice of your host as they’ll have a better understanding of the optimal configuration for their environment.

With that being said, the file permissions that we’ll share below should work for the vast majority of WordPress sites.

We’ll cover the optimal file permissions for four different areas:

  • WordPress files
  • WordPress folders
  • wp-config.php
  • .htaccess

The last two files are sensitive, which is why they deserve special attention.

WordPress file permissions

All WordPress files should have 644 file permissions, with the potential exception of the two files that we’ll single out below.

WordPress folder permissions

All WordPress folders should have 755 file permissions.

WordPress wp-config.php file permissions

Your site’s wp-config.php file is one of the most sensitive WordPress files, so it deserves some extra attention.

However, the optimal wp-config.php file permissions can be a little tricky because it depends on how your host has configured things.

Some hosts will configure the wp-config.php file to be 644 like other WordPress files. This is true of some popular managed WordPress hosts that I’ve tested.

However, the official WordPress Codex recommends 440 or 400 for the wp-config.php file. Some experts, like iThemes Security, recommend 444, and others 640 or 600.

Basically, you’ll see a lot of different options here. When in doubt, it’s always a good idea to ask for your host’s recommendation based on their specific configuration. Or, just start with 440 or 400.

WordPress .htaccess file permissions

The .htaccess file is another important configuration file that you might want further restrict access to.

As with the wp-config.php file, some hosts will configure the .htaccess file to be 644 like other WordPress files. This is also the configuration recommended by the WordPress.org Codex, so it’s a good place to start. This is because a lot of plugins need to write to the .htaccess file, including many caching plugins.

However, some experts, such as iThemes Security, recommend using 444 instead. Just keep in mind that if you use 444 your plugins won’t be able to write to .htaccess, which might cause issues.

How to change file permissions

Now that you know what the file permissions should be, let’s cover how you can go and actually change your WordPress file permissions.

The easiest way to change WordPress file permissions is to use FTP and your favorite FTP client – I like FileZilla because it’s free and open-source. If your host uses cPanel, you can also use cPanel File Manager. However, I’m going to focus on the FTP method in this section.

To get started, you’ll want to connect to your WordPress site’s server using FTP. If you’re not sure how to do that, check out our full guide to WordPress FTP.

The interface screenshots below are based on FileZilla – it might be a bit different in other FTP clients.

Once you’ve connected, navigate to the folder that contains your WordPress site. This will be the same folder that contains the wp-admin and wp-content folders.

To edit file permissions, right-click on one or more files or folders and choose the File Permissions option. For example, if you right-click on the wp-content folder, you can see that its permissions are 755, which is what you want.

If you needed to edit the permissions, you could just enter the numbers in the Numeric value box and click OK:

Changing WordPress file permissions with FileZilla

To help you save time, FileZilla gives you an option to Recurse into subdirectories. Essentially, this lets you apply the same file permissions to all of the files and folders inside the directory that you’ve selected.

However, remember that WordPress files and folders should have different file permissions, so make sure you use the sub-options to Apply to files only or Apply to directories only.

For example, to instantly set the proper file permissions for all of your folders, you could:

  1. Select all of the folders.
  2. Right-click and choose File Permissions.
  3. Enter 755.
  4. Select Recurse into subdirectories.
  5. Select Apply to directories only (so that you don’t change the file permissions for files inside the folders that you’ve selected).
  6. Click OK.
Using the recurse into subdirectories feature

That will let you instantly apply 755 permissions to all of the folders on your server. You can use the same idea to apply 644 permissions to all files.

Get your WordPress file permissions sorted today

Having the correct WordPress file permissions is important for the security and functioning of your site. With that being said, most quality WordPress hosts handle configuring file permissions for you, so you don’t usually need to change them yourself.

You might have situations where you do, though, which is why we went over the optimal WordPress file permissions in this post and showed you how to change them using FileZilla and FTP.

For some other ways to secure your WordPress site, check out our posts with the key WordPress security tips and the best WordPress security plugins.

Do you still have any questions about WordPress file permissions? Let us know in the comments section and we’ll try to help.

Free guide

4 Essential Steps to Speed Up
Your WordPress Website

Follow the simple steps in our 4-part mini series
and reduce your loading times by 50-80%. 🚀

Free Access

0 Comments
Inline Feedbacks
View all comments

Or start the conversation in our Facebook group for WordPress professionals. Find answers, share tips, and get help from other WordPress experts. Join now (it’s free)!