WordPress is a complicated content management system. Even if you normally face no trouble with it, you will sometimes have to fix things yourself to get the work done. File and folder permissions in particular come with do’s and don’ts that you need to be aware of. If you ignore them now, you may regret it later, when an attacker gains access to your server and has no difficulty injecting malicious scripts into your site.
What are WordPress file and folder permissions?
In general server terminology, not only on WordPress, file and folder permissions refer to the level of access that certain users on your server have to a specific file or folder. In most cases, the permissions are divided into 3 categories: Read, Write, and Execute.
If a user has only read access to a folder or file, they can read the files, but cannot write to or execute that file or the files inside the folder. If another user has all three permissions, they can do whatever they want with the folders or files.
When a third party gains access to your server and has all these permissions, it can be catastrophic for your WordPress website. They can inject malicious code, tweak your files, and do whatever they want with your website until the access has been removed. Even after the access is removed, the changes they made may allow them to regain access. Such changes are commonly known as “backdoors”. This is why we should always be strict when setting file and folder permissions.
You should read the WordPress vulnerabilities article for a better understanding of what you should be aware of when it comes to securing your server.
Correct file and folder permissions for WordPress
If you are unable to upload images or videos, you will have to resolve the file and folder permission error. If you do not fix the error, you will not be able to upload media while drafting content, create folders on the server, or install scripts. If you set incorrect permissions, your site will be at a huge risk of being hacked. In this article, we will examine the steps required to resolve file and folder permission problems.
To let WordPress create files and folders without errors or security issues, set 755 for folders and sub-folders and 644 for all the remaining files. For wp-config.php, it is recommended to set 640. For .htaccess and index.php, you can set 644.
To add or modify the permission settings:
- Log in to the server using FTP.
- Select all the folders located inside the root directory.
- Right-click the selected folder(s) and choose File Permissions.
- Enter 755 as the folder permission.
- Tick the ‘Recurse into subdirectories’ checkbox.
- Select the ‘Apply to directories only’ option.
After setting the above options, click the OK button and wait until the process of configuring the folder permissions is completed.
To configure permissions for files, enter 644 and set the “Recurse into subdirectories” and “Apply to files only” options in the same dialog. Set the permissions for all the files and click OK to continue, then wait until the FTP client finishes applying the permissions.
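The same modes can be checked and applied from a shell on the server instead of an FTP client. The script below is an added example, not part of the original article; it assumes shell (SSH) access, and the function names `wp_perm_audit` and `wp_perm_fix` and the path argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit and repair a WordPress tree against the modes
# recommended in this article (folders 755, files 644, wp-config.php 640).
# Function names and the root-path argument are assumptions for illustration.

# Print one line per path whose mode deviates from the policy.
# -perm with a bare octal value matches the mode exactly, so stray
# setuid/setgid/sticky bits are reported as deviations too.
wp_perm_audit() {
    root=$1
    # Folders and sub-folders must be exactly 755.
    find "$root" -type d ! -perm 755 -exec printf 'DIR  %s\n' {} \;
    # Every regular file except the root wp-config.php must be exactly 644.
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 \
        -exec printf 'FILE %s\n' {} \;
    # wp-config.php holds database credentials and must be exactly 640.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 640 -exec printf 'CONF %s\n' {} \;
    fi
}

# Apply the policy. Symbolic links are not followed or modified.
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ ! -f "$root/wp-config.php" ] || chmod 640 "$root/wp-config.php"
}

# Stand-alone use: sh this-script.sh /path/to/wordpress   (audit only)
[ $# -eq 0 ] || wp_perm_audit "$1"
```

Run the audit first and review its output before calling `wp_perm_fix`, since a plugin or theme may have been given a different mode on purpose.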
As a general rule of thumb, you should only provide the permissions required, and only be lenient if a certain plugin or theme cannot work without a less-strict permission for a certain file or folder.
You will have to configure files and folders at the time of installation of certain plugins or themes. The installer specifically prompts you to set all the permissions before proceeding with the installation process. It will display the relevant files and folders for which the permissions are required.
The easiest way to check the file and folder permissions in WordPress is by using FTP software. You can download software such as FileZilla, access your server, and then right-click the file or folder in question and choose the “File Permissions” option.
If you are unable to update WordPress plugins after making changes to the permissions of your folders, you should double-check that you set the correct folder permission. It is usually 755. Also make sure that the owner of the folders is set to the user that is included in the www-data group on your server.