August 15, 2017

WordPress SecurityA WordPress site is made of files. Database aside — which is a special set of files — everything else is a chunk of data stored on the server’s file system. That includes content like images and the executable PHP files that comprise WordPress Core, themes, and plugins.

It’s vitally important that only the right people and programs — represented by user accounts on the server — have access to those files. If every user on a server has access to all the files, there’s no end to the mischief they could make, and that’s before considering unauthorized users like hackers.

If you just want to know about sensible permissions for your WordPress site’s files, skip to the last paragraph. If you want to understand how permissions work, read on.
Most WordPress sites run on Linux servers, and the Linux operating system has a permission mechanism that controls who can read from, write to, and execute files. It’s useful for WordPress users to understand how these permissions work, because assigning the wrong permissions can leave a site open to security problems or stop it working altogether.

The permissions are stored as attributes. Each file has attributes for its owner, group, and everyone else.

Owner, Group, The World

The owner is a single user account on the server. The user account doesn’t have to be associated with a particular person: user accounts are often created for programs (the web server owns some files, for example) and the root user automatically has permission to do anything with any file.

In addition to belonging to a user, a file also belongs to a group. A group is a set of user accounts that can be given permission to interact with a file. For example, you might have a group of user accounts who can write to a file, but only allow the owner to execute it.

Finally, there’s the “world” or everyone else on the server, which allows for the setting of permissions that cover all user accounts.

Each of these types of user — the owner, group members, and the world, can have three levels of access: read, write, and execute. So, a file might have permissions that allow the world and the file’s group to read and write to it, but only allow the owner to execute it.

There are two ways file permissions are displayed. You’ve probably come across notations that look like 744 or drwxrw-rw-. Let’s look at the last of these first. It’s easy enough to understand if you’ve followed what we’ve talked about so far. The first letter (“d” in this case) represents access modes for the file, which we’re not going to get into here.

The rest of the string — rwxrw-rw- — is split into groups of three, with each triplet referring to the permissions of the owner, the group, and the world respectively. In our example, the owner has read(r), write(w), and execute(x) permissions. The group has read and write permissions, and so does the world.

Now to the other notation, which is the one you’re most likely to see in articles discussing WordPress. If we take 744 as an example: the numbers refer to the owner, group, and world permissions. The 7 is for the owner, the first 4 for the group, the second for everyone else.

Each of those numbers represents read, write, and execute permissions. No permission is worth 0, execute permission is worth 1, write permission is worth 2, and read permission is worth 4. Adding those numbers together gives you the permission for each of the sets of users.

This can be hard to get your head around, but it makes sense after seeing a few examples. Consider 744. The 7 is for the owner, and the only way to get a 7 given what we’ve seen is to add execute(1), write(2), and read(4) together. The second number — the group permission — is 4. That has to be a read-only permission. If, for example, it was a 6, it would indicate read(4) and write(2) permissions.

The permissions on files can be changed from the command line using the chmod utility. You can look at chmod’s manual page for full details, but to set a file’s permissions to 766 you’d run this command:

chmod 766 file.php

Finally, which permissions should your WordPress files have? The best defaults are 775 for directories and 644 for files. I haven’t really discussed directory permissions here, but the basics principles are the same. These are relatively safe defaults, providing file ownership permissions are properly set, as is discussed in the WordPress Codex.


Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.