File permissions play an especially important role in defending websites from unauthorized or malicious access. However, some beginners always ignore this truth due to the lack of knowledge about file permissions.
As imcorrect file permissions can put your website at risk and even cause serious attacks, we would like to offer a detailed explanation about the function and suggest the best possible settings that help to prevent security issues on your server.
One thing you need to pay attention before reading this post is that you do not have to make changes to the file permissions if the WordPress installation was handled by yourself, unless there are problems bringing about permission errors.
Understand File Permissions
Setting certain file permissions, you give particular groups of people the access to read, write and/or execute the files, which has a significant influence on your site performance and security. You may have seen some permissions set as 777, 755 and 644, but do you really know what they mean? Now you can understand them starting from permission mode.
Permission Mode
File permissions are performed in the format of 3 numbers like 644 which target at the permissions for the user, the group (other users in the group that owns the file or folder) and the world (everyone else) respectively. Each of the numbers consists of the permissions of read, write and execute. And the number can be a sum of any of the following digits.
- 4 stands for Read (r), allowing reading files or reading the names of files in a folder.
- 2 stands for Write (w), allowing modifying files or modifying all content in a folder.
- 1 stands for Execute (x), allowing running a file or accessing all files in a folder.
Therefore, the permissions 644 can be explained in this way.
Likewise, 755 refers to the permissions that the user is allowed to read, write and execute (4+2+1) files, the group is able to read and execute (4+1) the file, and everyone else on the web is also permitted to read and execute (4+1) the file only.
How to Check the Current Permissions for Files and Folders?
Before making any modification to the permissions of any file, you should know the current status of your files and folders. Manual checking is time-consuming, but thanks to the great extensibility of WordPress, you can get things done easily by using plugins.
For instance, after installing and activating Acunetix WP Security plugin, you can perform a security check on the file permissions. Once the checking is done, you get a file scan report which includes the folder and file names, current permissions and permissions suggestions for better security. With the help of the report, you can easily get full knowledge about the file security on your server.
What File Permissions Should Be Used?
You should NEVER give unlimited access to everyone, which means that 777 is not suggested in any circumstance. Doing so exposes your files and folders to all people on the web including hackers and other attackers because the permissions allow everyone to read, modify and delete files. Can you imagine the consequence? You are destroying the whole site.
In fact, there are some general rules for granting permissions to your files. Based on the rules, you can make your own modification according to specific needs. But always remember to think twice before giving the right of write to someone else except for yourself and web server requiring such permission.
- Folders should be set to 775 or 770, which means the user and the group (web server) have full privilege, and all others have no right to modify or even access the content in the folder.
- Common files should be set to 664 or 660. WordPress needs the right to create and modify files when installing or removing themes and plugins.
- Important files like wp-config.php should have even more strict permissions like 600 – the web server and world have completely no access. If the strict permissions cause trouble for your website or plugins, just change them to the same ones as other files.
- Special cases: 644 is recommended for .htaccess file and php.ini, and 755 is recommended for php.cgi and php5.cgi.
After modifying the permissions of any file, you should make sure that the site still functions well. 000 seems to make sure the best security by locking down all access, but it is of no use at all. Besides, the suggestions discussed above are general rules only for Linux-based servers, and the permissions vary for different server configurations. Therefore, you’d better consult someone before making the final decision.
How to Change WordPress File Permissions?
There are commonly 2 ways to change file permissions – using an FTP client or a command line editor. The former way is much easier because no command line is needed and even a beginner can handle the task quickly. Taking an example, if you are using FileZilla, connect the server, locate the file/folder, and then right-click and select “File permissions”. Now the “Change file attributes” screen pops up allowing you to make changes to the permissions of the selected file/folder.
Using the command line is a little more difficult than the previous method, but it’s quicker. If you have SSH access to your server, you can change file permissions by using chmod. In the case that you are not experienced enough in chmod, we recommend you reading some in-depth tutorials to have a good understanding of it to prevent serious problems brought by improper file permissions.
For detailed guidance and codes for changing file permissions using chmod, this article in WordPress Codex should help much.