ZeroToWP

File Permissions

Quick Definition

File permissions control who can read, write, or execute files on your server. WordPress recommends 755 for folders, 644 for files, and 440 or 400 for wp-config.php — wrong permissions are one of the most common causes of security breaches and broken sites.


What Are File Permissions?

File permissions are a set of rules enforced by the server operating system (Linux/Unix) that determine who can do what with every file and folder on your server. There are three types of permission:

  • Read (r) — Can view the file contents
  • Write (w) — Can modify or delete the file
  • Execute (x) — Can run the file as a program (for folders: can enter the directory)

These permissions are assigned to three classes of user: the owner (typically the server process or your user account), the group (other users in the same group), and others (everyone else, including the public web).

Permissions are expressed as a three-digit octal number. Each digit is the sum of the values for the permissions granted: 4 (read), 2 (write), and 1 (execute). So 755 means the owner gets 7 (read+write+execute), group gets 5 (read+execute), and others get 5 (read+execute).

Recommended WordPress Permissions

| Item | Permission | Why |
| --- | --- | --- |
| Folders / directories | 755 | Owner can read, write, enter. Others can read and enter but not write. |
| Files | 644 | Owner can read and write. Others can only read. |
| wp-config.php | 440 or 400 | Contains database credentials. No one should be able to write it; 400 locks it to the owner only. |
| .htaccess | 644 | Controls server behavior. Writable only by the owner. |

Never set any directory to 777. This grants full read, write, and execute to everyone on the server — including malicious scripts that may have found their way onto a shared host. This is how attackers plant malware or backdoors.

How to Check and Change Permissions

There are three common ways to manage file permissions:

  • FTP client (FileZilla) — Right-click any file or folder and choose File Permissions. Enter the numeric value (e.g., 644) in the dialog box.
  • cPanel File Manager — Navigate to your file, right-click and choose Change Permissions. Use the checkboxes or type the octal value directly.
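  • SSH / terminal — The chmod command changes permissions. To set all files to 644 and all folders to 755 recursively: find /path/to/wordpress -type f -exec chmod 644 {} \; and find /path/to/wordpress -type d -exec chmod 755 {} \; (the backslash stops the shell from interpreting the semicolon, so find receives it as the end of the -exec command). The first command also resets wp-config.php to 644, so set that file back to 440 or 400 afterwards.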

You can check current permissions with ls -la in SSH — the first column shows the permission string (e.g., -rw-r--r-- = 644).
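
An added example (not from the WordPress documentation or this page's sources): a POSIX shell function that audits a tree against the baseline in the table above using find's -perm test. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 755 / 644 / 440-or-400 baseline.
# Prints one finding per line; returns 1 if anything deviates, 0 if clean.
audit_wp_perms() {
    root=$1
    findings=$(
        # World-writable files or directories, e.g. 777 or 666.
        find "$root" \( -type f -o -type d \) -perm -0002 -print |
            sed 's|^|CRITICAL world-writable: |'
        # Directories that are not exactly 755.
        find "$root" -type d ! -perm -0002 ! -perm 0755 -print |
            sed 's|^|WARN dir not 755: |'
        # Regular files that are not exactly 644; wp-config.php has its own rule.
        find "$root" -type f ! -name wp-config.php ! -perm -0002 ! -perm 0644 -print |
            sed 's|^|WARN file not 644: |'
        # wp-config.php must be 440 or 400.
        find "$root" -type f -name wp-config.php ! -perm 0440 ! -perm 0400 -print |
            sed 's|^|WARN wp-config.php not 440/400: |'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (hypothetical layout) with deliberate deviations.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php"; : > "$d/.htaccess"; : > "$d/wp-config.php"
    : > "$d/wp-content/plugin.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 644 "$d/index.php" "$d/.htaccess" "$d/wp-config.php"
    chmod 664 "$d/wp-content/plugin.php"   # group-writable file
    chmod 777 "$d/wp-content/uploads"      # the setting the page warns against
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_wp_perms "$demo" || echo "audit found deviations"
rm -rf "$demo"
```

On a real site, call audit_wp_perms with the WordPress root; a non-zero exit status makes it usable from cron or a deploy check.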

Why It Matters

Incorrect file permissions are one of the most exploited attack vectors in WordPress. Overly permissive settings (especially 777 on directories) let attackers upload malicious files through vulnerabilities in plugins or themes. Once a malicious file is executable on your server, attackers can run arbitrary code, steal database credentials from wp-config.php, or take full control of the site.

On the flip side, permissions that are too restrictive break WordPress functionality — the site cannot write to the uploads folder, cannot install plugins, or cannot update automatically. Getting permissions right is a balance: least privilege without breaking the CMS.

Security plugins like Wordfence and hardening guides typically include a permission scanner that flags any file set to insecure values. Pair correct permissions with a strong firewall and SSL certificate for a solid baseline.

Sources: WordPress Developer Docs — File Permissions, Patchstack, WPBeginner
