
How to configure WordPress file permissions

September 10, 2019

This article explains how to set the correct permissions for files within a WordPress installation.

But first...

Only Nexcess Cloud clients have SSH access by default. If you are a Nexcess Classic (non-Cloud) client, first see How to enable SSH access.

Changing permissions

One of the first items to consider is the hosting environment for your site. If you are running Linux, there are two main environments:

  1. (Preferred) PHP scripts that execute using mod_php or equivalent, where all scripts are executed as the web server user. This means that when your script is running, it can sometimes read at the same privilege level as the web server. This could allow cross-account snooping in shared hosting configurations, and is not ideal in a shared environment, especially for eCommerce. If the permissions are configured correctly, it provides an extra level of security provided by Linux. A majority of our shared WordPress OBP plans provide this environment, and it is preferred given that it provides user-based permissions isolation so stricter file permissions can be used.
  2. PHP scripts that execute as the user who owns the files via an intermediate construct such as suPHP, PHP suEXEC, PHP-FPM, and so on. In this case your scripts run as you, and this is overall a more secure configuration when running on a shared server. Here at Nexcess, this is the most commonly used environment.

The Linux permissions for all files in your WordPress base directory should be set to readable and writable by the owning user (you), and readable only by everyone else. This creates a baseline where the web server can read all files. It will need read access in order to serve static content like images, CSS and JavaScript files. Unlike the method above, we will be adjusting script permissions to be more stringent later on.

    find </path/to/wordpress> -type f -exec chmod 644 {} \;

If possible, the permissions for all files should be set to readable and writable by your user, readable by the group, and no permissions for others. In some instances this may cause issues with other software or plugins, but it is possible to restrict these permissions in some instances.

    find </path/to/wordpress> -type f -exec chmod 640 {} \;

Change the Linux permissions for all directories in your WordPress base directory to listable, file editable, and navigable for the owning user and simply navigable for everyone else.

    find </path/to/wordpress> -type d -exec chmod 711 {} \;

In some cases you may find that some plugins require the wp-content folder to be made writable. Change the permissions of the wp-content folder and all subfolders.

    find </path/to/wordpress/wp-content/> -type d -exec chmod 755 {} \;

Lock down permissions for all PHP scripts so that only your user can read them. This is ideal because only your user should need to know the contents of scripts.

    find </path/to/wordpress> -type f -name "*.php" -exec chmod 600 {} \;

777 permissions

You may see instructions for web-based software that state that files must be set to 777 permissions (read/write/execute permissions for all). This may be necessary for some directories, but is rarely the case for files. Permissions of 666 (read/write permissions for all) are adequate in these cases if stricter permissions cannot be set. Setting 777 permissions also sets the execute bit on files, which most web servers do not require in most cases. In many cases a plugin may require more open permissions. Read the plugin's documentation or contact the developer to inquire about required permissions.
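To check an existing tree against the modes recommended under "Changing permissions" and the 777/666 caveat above, the following audit script is an added example, not Nexcess code. The function names, finding labels and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Nexcess code): report entries looser than the modes
# this article recommends. Output: one "FINDING path" line per problem.
audit_wp_perms() {
    root=$1
    # 666/777-style modes: anything writable by "other".
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD_WRITABLE /'
    # Regular files carrying an execute bit, which the web server rarely needs.
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        sed 's/^/EXEC_BIT_ON_FILE /'
    # PHP scripts readable by group or other (the article locks these to 600).
    find "$root" -type f -name '*.php' \( -perm -0040 -o -perm -0004 \) -print |
        sed 's/^/PHP_NOT_PRIVATE /'
}

# Constructed sample tree (assumption: layout and file names are made up).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/wp-config.php";             chmod 600 "$t/wp-config.php"
    : > "$t/index.php";                 chmod 644 "$t/index.php"
    : > "$t/wp-content/style.css";      chmod 644 "$t/wp-content/style.css"
    : > "$t/wp-content/uploads/a.jpg";  chmod 777 "$t/wp-content/uploads/a.jpg"
    chmod 711 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"
    printf '%s\n' "$t"
}

# Stand-alone run: audit the given directory, or the sample tree if none given.
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
else
    sample=$(make_sample_tree) && audit_wp_perms "$sample"
    rm -rf "$sample"
fi
```

An empty report means nothing in the tree is looser than the 644/711/600 baseline; directories a plugin needs at 755 are not flagged, since they are not writable by "other".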

For further reading about WordPress file permissions, visit the WordPress website.

For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.

Jason Dobry