Ownership and file permissions rarely have a place in the focus of WordPress security discussions, which makes sense if thinking about hacker intrusion and security plugins. What many users don’t know is that those plugins would be useless if the file permissions are not set up in the right way: that’s exactly the gap intruders use to bypass your security measures!
Additionally, setting up WP ownership and permission settings can prevent numerous problems from arising, such as error messages while uploading an image in the library. Therefore, you have to know how to do this accurately.
How to recognize file permissions
When talking about file permissions, you have to distinguish between the two existing categories: Actions and User Groups.
By Actions we refer to the action of your files and plugins, which are:
- Reading – it allows you to see the content of the file
- Writing – it allows you to change the content of the file
- Executing – it allows you to access the file in a prescribed order, or to run the scripts/programs it contains inside.
The User Groups are the following:
- User – the owner of the website (you)
- Group – users other than the owner, who can access the files (you get to choose those among the members of the site)
- World – anyone using the internet to connect with your website and to access the files.
Permissions refer to ‘who can do what’, so think of them this way. The digits inside correspond to the ‘who’ part of the above-mentioned statement.
- The first digit
Indicates what can be done by the users of the owner’s account
- The second digit
Indicates what can be done by other users account in that group
- The third digit
Indicates what every user can do (including random visitors)
In order to calculate the digits, you have to know the specific value prescribed to each possible combination:
- 0 – no access at all
- 1 – executing
- 2 – writing
- 3 – writing and executing
- 4 – reading
- 5 – reading and executing
- 6 – reading and writing
- 7 – reading, writing and executing
As you can see, the biggest possible value of the final number is 777, meaning that everyone (you, the group, and the world) can do everything with the file (read, write, and execute). The lowest one, on the other hand, is 000, but you will hardly ever need to use that one. The most common one is 444, meaning that all files can be read, but not changed or subjected to execution.
Try to remember these values, or at least to note them down, because you will need them each time when you want to correct your file permissions.
What could also be relevant to you is to know that the 777 value is a dangerous one: it means that everyone has access to your content, so avoid using it. 444s, on the other hand, are not ideal either, because putting it everywhere will make the website completely unusable.
The important part is to find and use the correct permission mode. To make things clearer, make a list of users and roles you want to adjust. Think who is supposed to do what, and consider all contributors and administrators and the capability they should have. For instance, contributors should be enabled to add and modify content, but not to add/remove plugins at the same time.
Administrators, on the other hand, should be capable of doing everything, even if that means changing the website completely. You must determine the roles in advance so that you can build proper permission models, not that much because of content and themes, but because of the files and folders which are critical to your overall presence on the web.
So, which are the permissions you should use?
If you’re a creative site owner who liked to set up pages of his own, you’re running a serious risk of incorrectly set permissions. If not sure about them, check them, and choose the right ones instead.
Remember that you will have to adjust the permissions for each plugin, because they all have different purposes, and require different capacity depending on the hosting setup.
When running a personal server, few WordPress Codex guidelines are perfectly enough:
- Keep all files at 644.
- Keep all folders at 755.
- Keep wp-config.php at 600.
The .htaccess file is a different case because the value of its permissions depends on whether you want WordPress to access it in the case of automated updating. The best thing is to keep it at 644 or to switch to 604 in order to make it more secure.
Modifying file permissions with the cPanel
If your file manager is included in the cPanel, you should consider the following steps to check/edit the permissions for each file or directory:
1. Log into the cPanel account.
2. Look for ‘File Manager’, and open the file/directory that needs adjustment.
3. Select ‘Change Permissions’.
4. A popup will appear, and inside you can check/modify the permissions by ticking/unticking the box next to each action. Once done, confirm on ‘Change Permissions’ and the settings will be saved.
Modifying file permissions on your FTP site (via FileZilla )
In case you’re using an FTP program, you can change/modify permissions easily on your own web server. This is how:
1. Connect the FTP client to the web server, and look for the file that needs to be checked or monitored.
2. Open FileZilla, right-click on the file and select File Permissions to see the attributes of that file. Note that the terminology can be different (that depends on the FTP you’re using). A dialog box named ‘Change File Attributes’ will appear.
3. Calculate the value, and put the exact number in the text field named Numeric Value.
4. Confirm with OK, and the new permissions will be saved in the file.
Modifying file permissions via command lines
Those of you who have SSH access to their hosting accounts can benefit from the possibility to modify file permissions using the chmod method. The chmod is more suited for professional users, so in case you’re not one, look for tutorials to familiarize with it first. The reason for such precaution is that setting up incorrect permissions can take your website offline.
Keeping each file/folder from the wp-content directory writable is important, so try other alternatives before you get to this one. In case you go for this one, edit the directory, and replace DIR with a folder where you’ve written:
chmod -v 746 DIR chmod -v 747 DIR chmod -v 756 DIR chmod -v 757 DIR chmod -v 764 DIR chmod -v 765 DIR chmod -v 766 DIR chmod -v 767 DIR
In case some of these commands turn out un-writeable, try again, this time using ‘R’ instead of ‘v’. If the result doesn’t change, change the permission values to 777s.
Many WordPress users go for 777 straight away, without thinking how this can affect the security of their website. The common reason for doing it is saving time, as 777 solves any uploading problem right away.
Still, don’t forget that 777 is wide-open access, and it makes your website vulnerable to every possible attack. Following the guidelines we mentioned instead won’t be difficult, and it will still lead you to far safer results.
Some plugins, however, will request 777, and you’ll have to insert it (at least temporarily). In cases like this, keep the value at 777 as long as necessary, but switch back to the original one once the thing is done.
In case the whole work seems to be a huge chore for you, remember you can always ask for our support.