WordPress Tips: File Permissions
WordPress file permissions are regarded as a necessary evil by some bloggers. It’s always something – if your permissions aren’t correct, then your content becomes unwritable in the WordPress editor, or you can’t add permalinks to your .htaccess file without having to tweak it manually, or you can’t install plugins or themes. So, some people just set all their file permissions to 777 because that allows them to upload and install plugins and themes at all times, and makes anything writable.
But the problem with 777 is that it makes your content writable by just about anyone. It’s not secure. You shouldn’t leave your file permissions at 777 – you can set it just to install that plugin or file that needs it, but then you should change the permissions again.
In this article, I’m going to explain what file permissions mean, how you can change them, and what your default permissions for WordPress should be.
The basics of file permissions
First off, if you open your FTP program (which is FTP Surfer for me), go to a file, right-click and then go to “change permissions”, you’ll see all the possible file permissions. The method might differ between programs, but it should still allow you to change file permissions in a simple pop-up.
Once you’ve found the “change permissions” option, you’ll see there are three possible actions for your website’s files:
- Read: the file can only be read or viewed
- Write: the file can be changed
- Execute: the file can run programs or scripts contained in the file
If you look closely, you’ll also see there are three user groups.
- Owner/User: you, as the owner of your website
- Group: other users with access to the website, like members of your website
- Other: Anyone who tries to view your website or files
You’ve probably noticed by now that file permissions always have three numbers.
- First number: access to files given to the user
- Second number: access given to the group
- Third number: access given to others
Every possible action and combination of actions is given a value, and these values make up the numbers.
- 0 – no access
- 1 – execute
- 2 – write
- 3 – write and execute
- 4 – read
- 5 – read and execute
- 6 – read and write
- 7 – read, write and execute
So if you change your files to 777 file permissions, then everyone (the owner, group and others) can read, write and execute the file. You can see how dangerous that would be.
WordPress File Permissions
The best default WordPress file permissions would be 755 for folders and 644 for files. Let’s break those down.
755 for folders means…
- User/Owner: read, write and execute
- Group: read and execute
- Other: read and execute
644 for files means…
- User/Owner: read and write
- Group: read
- Other: read
If you right-click on a folder, then go to “change permissions” and open up the permissions window, you can see two options after picking your selected permissions. You can either “change permissions of files in the selected folder” or “change permissions for the selected folder”.
So you can select 644 and then “change permissions of files in the selected folder”, and after doing that, you can enter 755 and “change permissions for the selected folder”.
You may want to make your most important files even more secure than the defaults I mentioned here. For wp-config.php for example, it would be best to set it to 600, so that only the user/owner can read and write the file.
If you want to give more privileges to the members of your website, you can change permissions of the files to 664 (then users can read and write the files) and permissions of folders to 775.
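To check a whole site against the defaults above instead of clicking through folders one by one, here is an added example (not part of the original article) that walks a directory tree and reports every entry that deviates from 755 for folders, 644 for files and 600 for wp-config.php. It assumes a POSIX system; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Baseline taken from the article: folders 755, files 644, wp-config.php 600.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600
RWX = ((4, "read"), (2, "write"), (1, "execute"))  # values from the article's list

def describe(mode):
    """Decode a three-digit mode into the actions allowed per user group."""
    result = {}
    for shift, who in ((6, "owner"), (3, "group"), (0, "other")):
        actions = [name for bit, name in RWX if (mode >> shift) & bit]
        result[who] = actions or ["no access"]
    return result

def audit(root):
    """Return (relative path, actual, expected, writable by 'other') per deviation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            actual = stat.S_IMODE(info.st_mode)
            if stat.S_ISDIR(info.st_mode):
                expected = DIR_MODE
            else:
                expected = CONFIG_MODE if name == "wp-config.php" else FILE_MODE
            if actual != expected:
                findings.append((os.path.relpath(path, root), format(actual, "03o"),
                                 format(expected, "03o"), bool(actual & stat.S_IWOTH)))
    return sorted(findings)

def build_sample_site():
    """Create a constructed sample tree (not a real WordPress install)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o644),
                      ("wp-content", 0o755), ("wp-content/uploads", 0o777)):
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(*audit(build_sample_site()), sep="\n")
```

On the sample tree this reports wp-config.php (644 instead of 600) and the uploads folder left at 777. A site that deliberately uses 664 and 775 would change the two constants at the top.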