How to define file permissions for WordPress directories and files to ensure the best security?
Permissions define what users can do with a file or directory. They are represented by a set of numbers called the permission mode.
WordPress file permissions:
WordPress file permissions specify who can read, write and execute the files and directories of a WordPress website. The permission mode protects the website from unauthorized access by hackers. Permissions are given based on the role the user has. Along with permission modes, it is always recommended to install security plugins, which reduce the risk of a security breach on the WordPress website. Popular WordPress security plugins are: Sucuri, iThemes Security, Jetpack Security, WPScan, Wordfence.
Types of permissions:
Permissions | Meaning | Symbol | Number representation |
Read | View contents of a file or directory | r | 4 |
Write | Can modify the contents of a file or directory | w | 2 |
Execute | Allowed to run script files or scripts inside directory | x | 1 |
No Permission | User has no access to the file or directory | – | 0 |
Roles:
- User: The assigned owner of the file or directory.
- Group: Members of the group that owns the file or directory.
- Others: All users other than the file owner or group members.
How to identify the permission mode:
- 3 = (2 + 1) = Write + Execute
- 5 = (4 + 1) = Read + Execute
- 6 = (4 + 2) = Read + Write
- 7 = (4 + 2 + 1) = Read + Write + Execute
Example:
Mode | Explanation |
670 | Owner has read and write only, group has read, write and execute, others have no permission |
777 | All have permissions for read, write and execute |
Recommended file permissions for WordPress website
Path | Permission mode |
Root directory (usually public_html) | 755 |
wp-config.php | 444 or 400 |
.htaccess | 444 or 644 |
wp-includes | 755 |
wp-admin/js | 755 |
wp-content | 755 |
wp-content/themes | 755 |
wp-content/plugins | 755 |
wp-content/uploads | 755 |
index.php | 644 or 444 |
Fixing permissions
There are multiple ways to access your files and directories to fix the WordPress permissions. The user can choose whichever is convenient.
Permissions using cPanel:
cPanel is an online Linux-based graphical interface (GUI) used as a control panel to simplify website and server management. cPanel allows you to publish websites, manage domains and organize web files.
- Log into your cPanel account. Either find a link on the web host's dashboard, or type /cPanel after the site URL.
- Select Files -> File Manager.
- Find the root directory (generally it is public_html) and expand it.
- All files and directories are visible in the explorer pane. Right-click on a file or directory and select Change Permissions.
- Set the permissions as necessary and click Change Permissions.
Permissions using File Transfer Protocol:
FTP is another way to fix file and directory permissions. If the web host does not have a usable interface, use an FTP client.
• Go to the root folder of the WordPress site.
• Select all folders in the root directory.
• Right-click and select File permissions.
• In the File permissions dialog box, enter 755 in the numeric value field.
• Click Recurse into subdirectories.
• Select Apply to directories only -> OK.
In the same way, select all files and folders in the root folder of the WordPress site and right-click to select File permissions. In the File permissions dialog box, enter 644 in the numeric value field. Click the Recurse into subdirectories checkbox and select the Apply to files only option. Click OK. The FTP client will start setting the file permissions on all files in the WordPress site.
iThemes Security Plugin to Check WordPress File Permissions:
The iThemes Security plugin enhances the security of a WordPress website. The plugin detects and automatically blocks suspicious activity, which increases the security of passwords and site data. To check the assigned file permissions, follow the steps below.
• iThemes Security plugin menu -> Security -> Tools -> Check File Permissions.
• Click Run -> the status of the permissions is displayed on the screen.
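Where shell access to the server is available (an assumption; the article itself only covers cPanel, FTP and the plugin), the same check can be scripted. The following is an added example, not part of the original article or of any plugin: it compares a WordPress tree with the recommended modes above, and the function names, finding labels and sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the modes recommended above.
# Uses only POSIX find/sed/sort; paths containing newlines are not handled.

# audit_wp_perms ROOT
# Prints one "<finding> <path>" line per deviation; returns 1 if any, else 0.
audit_wp_perms() {
    root=${1:?usage: audit_wp_perms WORDPRESS_ROOT}
    report=$(
        {
            # Directories: 755 everywhere, as in the table and the FTP steps.
            find "$root" -type d ! -perm 755 | sed 's/^/dir-not-755 /'
            # Ordinary files: 644, as in the FTP steps.
            find "$root" -type f ! -name wp-config.php ! -name .htaccess \
                ! -name index.php ! -perm 644 | sed 's/^/file-not-644 /'
            # .htaccess and index.php: 644 or 444.
            find "$root" -type f \( -name .htaccess -o -name index.php \) \
                ! -perm 644 ! -perm 444 | sed 's/^/not-644-or-444 /'
            # wp-config.php: 444 or 400.
            find "$root" -type f -name wp-config.php \
                ! -perm 444 ! -perm 400 | sed 's/^/wp-config-not-444-or-400 /'
            # Anything writable by others (777, 666 and the like), listed separately.
            find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/world-writable /'
        } | sort
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# build_sample_tree DIR
# Constructed sample: a miniature WordPress layout with three deliberate deviations.
build_sample_tree() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    touch "$1/wp-config.php" "$1/.htaccess" "$1/index.php" "$1/wp-includes/version.php"
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 444 "$1/.htaccess"                # allowed alternative for .htaccess
    chmod 777 "$1/wp-content/uploads"       # deviation: world-writable directory
    chmod 666 "$1/wp-includes/version.php"  # deviation: world-writable core file
    # wp-config.php is left at 644: deviation from the recommended 444 or 400.
}
```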
Permission modes like 000 may be the safest, but they are not practical. 777 is the least protected permission mode, as it leaves the file or directory open to modification by any user. Never use 777 for any core files. Some plugins require a directory to be writable; set the permissions accordingly. Sometimes the permission mode needs to be loosened for certain functionality to work.