WordPress File Permissions 101: Essential Guide for Digital Agencies

Why are file permissions an important aspect of WordPress development? The versatility and ease of use of this popular CMS, especially after the release of Gutenberg, make it a top choice for many developers and WordPress agencies. Proper WordPress file permissions are crucial for digital agencies that manage multiple client websites. They ensure that your sites remain secure, functional, and protected from unauthorized access and potential vulnerabilities. 

This article covers the key aspects of file permissions, along with best practices and recommendations for delivering secure, high-quality web solutions. We’ve prepared this guide in collaboration with Dmytro Olkhovskyi, Team Lead at Beetroot’s Project Unit, and our in-house WordPress experts, ensuring you receive insights backed by hands-on experience.

How do the WordPress file permissions work?

Different files and directories on computer file systems have permissions that determine who (and what) can access, read, modify, and write them; this is important as WordPress may need permission to write files in your wp-content directory for certain features to work. The access types can be categorized into three main groups:

• Read (r)— Allowing a user to read the contents of the file or view the file names within a directory, yet restricting them from making any changes;
• Write (w)— Write access lets the user modify files or the directory (create, delete, and rename);
• Execute (x)— Users with execute permission can run programs or scripts and access the subdirectories. This access type is crucial for the proper functioning of themes and plugins. 

User groups and roles

The above types of permissions can be set for the User (u) — typically, the owner (creator) of a file or directory, a Group (g) — several users with the same level of access, and everyone else (o) (can be referred to as the ‘others,’ ‘world,’ or ‘public’). These are the typical roles across various systems. 

Decoding file permission modes

The permission modes are computed by adding up the following values for the user, user group, and the world:

Read (r) = 4

Write (w) = 2

Execute (x) = 1

Dash (-) = 0

Each permission set is represented either in a numeric or symbolic notation. In a symbolic form, the letters from above are used to indicate read (r), write (w), execute (x) permission, or none (dash). The first set of three letters refers to User permissions, the second set of three — to Group permissions, and the third one — to Others’ permissions. Here’s an example:

rwxr-xr-- 

The User has all permissions (rwx), the Group can read and execute (r-x), and Others have only read access (r- -).

Using the same example, in a numeric form a User’s permission will be 7 (4+2+1), the Group’s will be 5 (4+0+1), and Others’ will be 4 (4+0+0). Below are several more examples of WordPress permission modes for files or directories:

By default, a WordPress website has the following file permissions:

• 775 or 755 for unmanaged directories: site owners can read, write, and execute files, and group members and others have read and write access;
• 644 for files: owners can read and write, and group members and other users can read only.
• 440 or 400 for wp-config.php: the wp-config.php file contains sensitive configuration information and should have stricter permissions to prevent unauthorized access.

Note: Files and folders designated for performance, security, and other platform reasons have 755 or 644 permissions and cannot be altered (except for some symlinked files, which need a separate topic). No directories should ever be given 777 permission, even upload folders: the php process is running as the file owner (with owner permissions) and can overwrite even a 755 directory.

Recommended file permissions in WordPress

Just like any filesystem, WordPress files access each other to perform various tasks. Some neat features need files to be writable by the web server. On the one hand, allowing write access to your files is asking for trouble, especially in a shared hosting environment. On the other hand, setting the safest permissions like 700, 440, or 000 is not the greatest idea either. Here’s a tip from Dmytro Olkhovskyi:

“When in doubt, always refer to the WordPress Codex for guidance on file permissions. It’s a reliable resource that provides best practices for securing your WordPress installation.”

The official WordPress Developer Resources handbook recommends to lock down your file permissions as much as possible and loosen those permissions for use cases that require write access. Also, a good practice is to create specific folders with fewer restrictions, for example, for file uploads. Here’s a possible permission scheme:

Ensure that all files are owned by your account and writable by you. Any file that requires write access from WordPress must be writable by the web server. Depending on your hosting setup, these files may have to be group-owned by the user account used by the web server process. Files should never be owned by the web server process itself on shared hosts (this might be www, apache, or nobody user; the exact user name can vary depending on the server configuration). Giving full access to all WP files to www-data users can be dangerous. AVOID doing this:

chown www-data:www-data -R *

Dmytro Olkhovskyi also stresses the importance of the correct use of chown and chmod commands:

“Using chown and chmod commands effectively is fundamental for any WordPress developer,” he explained. “These tools allow you to set the correct ownership and permissions, ensuring that only authorized users can modify or execute files.”

The above sample configuration allows the web server to overwrite or put any file on your website, meaning someone can potentially take over your site if they manage to use the web server or if there is a security hole in some .php script. Official WordPress recommends the following to secure your site against such an attack:

A general rule of thumb is that WordPress file and folder permissions should be the same for most users. If an experienced WordPress developer or developers manage your website or your client’s WordPress.com project, you won’t need to modify file permissions. 

The risks of incorrect WordPress file and folder permissions

Typically, web servers (especially Linux-based) are designed to have multiple users, which is a prerequisite to performing many operations and a security risk. Incorrect or too loose file permissions can expose your website to vulnerabilities and threats:

• Hacking and malware: improper access restrictions can let hackers slip into your WP directories and give them all freedom of bad action;
• Site takeover: Lax permissions bear the risk that someone could break into your website and lock you out of your user account;
• Data exposure: Bad actors could get access to confidential data and your private files, including page or blog drafts, images, account credentials, etc.
• Code injection: Improper permissions allow attackers to plant malware or scripts that will damage your files. 

Maintaining correct permissions is a fundamental aspect of WordPress security, which we at Beetroot pay special attention to. By following best practices and regularly reviewing your site’s settings, we ensure your platform remains secure and functional. 

“One common mistake is setting permissions too leniently, which can lead to security breaches. Continuously review and tighten your file permissions to protect sensitive information and prevent unauthorized access,” concludes Dmytro Olkhovskyi.

Best practices for setting WordPress permissions

To recap everything above, we can now outline several key practices that will help you configure optimal file permissions for your website.

Don’t change permissions unless necessary

Although changing the WordPress permissions may seem alluring, if an experienced WordPress host or developer(s) have set them for you, you can leave them as is. A trusted service provider is interested in the best possible security level for your website just as much as you are. Each permission change should be carefully considered and done only if it’s beneficial because unnecessary modifications can create security vulnerabilities or break functionality. Only modify permissions when you have a specific reason for doing so.

Find a balance between too restrictive and too lax

Overly restrictive permissions can prevent WordPress from functioning properly, affecting plugin installation or media file uploads, while overly loose permissions can create security risks. The goal is to find the right balance that allows necessary operations while keeping unauthorized visitors at bay. 

Never use 777 permissions

The crux of this permission is that it grants unrestricted access to files and directories, allowing anyone to read, write, and execute them. This creates a vulnerable environment where an attacker could hijack server processes to gain unauthorized access. The gravest consequence of using 777 permissions is that it allows malicious actors to upload harmful files or modify existing ones, potentially leading to complete compromise of your WordPress site, including access to sensitive database information and passwords.

Other important considerations include:

• Use specific permissions, like 755 for directories and 644 for files;
• Set more restrictive permissions for sensitive files;
• The web server needs to be able to read all files to serve your website properly;
• Only allow write permissions where WordPress needs to modify files, such as the uploads directory for media files;
• Set up proper ownership: files should be owned by your user account, not the web server user, to maintain better control and security;
• If using technologies like suExec, proper group permissions ensure the web server can still access files as needed;
• Periodically check your file permissions to ensure they haven’t been changed by accident or unexpectedly;
• Install security plugins to automate permission management and alert you to potential issues;
• FTP client awareness: some FTP clients may change file permissions during uploads. Keep this in mind and check/correct permissions after file transfers;
• Adhere to the principle of least privilege by granting only the minimum permissions necessary for each file or directory to function correctly.
• Always follow the hosting provider guidelines, as some of them have specific permission requirements;
• Use the built-in WordPress editor to maintain correct permissions automatically.

WordPress is a powerful tool that digital agencies use to create dynamic and engaging websites for their clients. However, its widespread adoption comes with a significant responsibility to ensure that these sites are secure. One critical aspect that often goes unnoticed is the configuration of WordPress file permissions, which can significantly impact your project. Your clients need to be aware of this as well, as Dmytro Olkhovskyi emphasizes:

“Digital agencies must educate their clients about the importance of file permissions. Proper configuration can prevent many common issues, from plugin vulnerabilities to site-wide hacks.” 

Partnering with a reliable WordPress development provider, you gain a trusted back office for your company that takes a holistic responsibility for delivering projects of any complexity. With Beetroot, you gain the flexibility to complete a one-off project, set up a dedicated team of WordPress developers to extend your capacity, and anything in between. Contact us to discover all available cooperation options.