This article presents how to set the correct WordPress file permissions for files within a WordPress installation. Readers of this article should have good understanding of how Linux file permissions are configured as discussed in the following article:
Understanding Linux File Permissions
What are the general directory and file permissions recommended for WordPress?
Generally, WordPress directory permissions should be set to 755, and most WordPress file permissions should be set to 644. WordPress also recommends you set these file permissions for your site. With these file permissions set, the WordPress auto update functionality will work correctly.
Why is the default directory permission 755 and default file permission 644 in Linux?
So, the directory permission 755 means that the owner and anyone else on the system can see inside the directory. Any user can execute a program inside the directory as needed. The file permission 644 means that the owner can read and write the file, and all other users on the system can only read it.
WordPress file permissions: SSH access
Only Nexcess Cloud clients have SSH access by default. If you are a Nexcess Classic (non-Cloud) client, first see How to enable SSH access.
WordPress file permissions: changing permissions
One of the first items to consider is the hosting environment for your site. If you are running Linux, there are two main environments:
- (Preferred) PHP scripts that execute using mod_php or equivalent and all scripts are executed as the webserver user. This means when your script is running it sometimes can read at the same privilege level as the web server. This could allow cross-account snooping in shared hosting configurations, and is not ideal in a shared environment, especially for ecommerce. If the permissions are configured correctly as it provides an extra level of security provided by Linux. A majority of our shared WordPress OBP plans provide this environment, and it is preferred given that is provides user-based permissions isolation so stricter file permissions can be used.
- PHP scripts that execute as the user who owns the files via an intermediate construct such as, suPHP, PHP suEXEC, PHP-FPM, and so on. In this case your scripts run as you and this is overall a more secure configuration when running on a shared server. Here at Nexcess, this is the most commonly used environment.
WordPress file permissions: Linux permissions
WordPress file permissions: 644 permissions
The Linux permissions for all files in your WordPress base directory should be set to readable and writable by the owning user (you), and readable only by everyone else. This creates a baseline where the web server can read all files. It will need read access in order to serve static content like images, CSS and Javascript files. Unlike the method above we will be adjusting script permissions to be more stringent later on:
find </path/to/wordpress> -type f \-exec chmod 644 {} \;
WordPress file permissions: 640 permissions
If possible, the permissions for all files should be set to read and writable to your user, readable by the group, and no permissions for others. In some instances this may cause issues with other software or plugins, but it is possible to restrict these permissions in some instances:
find </path/to/wordpress> -type f \-exec chmod 640 {} \;
WordPress file permissions: 711 permissions
Change the Linux permissions for all directories in your WordPress base directory to listable, file editable, and navigable for the owning user and simply navigable for everyone else:
find </path/to/wordpress> -type d \-exec chmod 711 {} \;
WordPress file permissions: 755 permissions
In some cases, you may find that some plugins require the wp-content folder to be made writeable. Change the permissions of the wp-content folder and all sub folders:
find </path/to/wordpress/wp-content/> -type d \-exec chmod 755 {} \;
WordPress file permissions: 600 permissions
Lockdown permissions for all PHP scripts so that only your user can read them. This is ideal because only your user should need to know the contents of scripts:
find </path/to/wordpress> -type f -name “*.php” \-exec chmod 600 {} \;
WordPress file permissions: 777 permissions
You may see instructions for web-based software that states that files must be set to 777 permissions, read/write/execute permissions to all. This may be necessary for some directories, but is rarely the case for files. Permissions of 666, read/write permissions for all, are adequate in these cases if more strict permissions cannot be set.
Configuring the 777 permissions sets the execute bit for files as well which most web servers that do not require it in most cases. In many cases a plugin may require more open permissions.
Read the plugin’s documentation or contact the developer to inquire about required permissions. For further reading about WordPress file permissions, visit the WordPress website.
If you'd like to further assistance moving forward, check out what Nexcess offers for managed WordPress hosting.
