Guide to WordPress File Permissions: Best Practices for Security and Automation

WordPress is one of the most popular content management systems (CMS) globally, powering over 40% of websites on the internet. However, its popularity makes it a prime target for malicious actors. Configuring proper file and directory permissions is a foundational step in hardening your WordPress security and safeguarding your site from unauthorized access or malicious activities.

This guide explores the essentials of file permissions, their relationship to WordPress, and how you can implement and automate them to enhance your site’s security.

What Are File and Directory Permissions?

File and directory permissions determine who can read, write, or execute a file or folder on your web server. These permissions are defined for three types of users:

  1. Owner: The user who created or owns the file.
  2. Group: A set of users who share access to the file.
  3. Others: All other users, including the public and potential attackers.

Each permission is categorized into:

  • Read (r): Allows viewing file contents or listing directory contents.
  • Write (w): Permits modifying a file or creating/deleting files within a directory.
  • Execute (x): Grants the ability to run executable files or access a directory.

Permissions are represented numerically (e.g., 755) or symbolically (e.g., rwxr-xr-x).

File and Directory Permissions in WordPress

WordPress relies on files and directories to store core functionality, themes, plugins, and user uploads. Misconfigured permissions can lead to vulnerabilities, including unauthorized access or malicious script execution.

Recommended Permissions

For optimal security and functionality, configure permissions as follows:

  1. Files:644 (rw-r--r--)
    • The owner can read and write; others can only read.
  2. Directories:755 (rwxr-xr-x)
    • The owner can read, write, and execute; others can only read and execute.
  3. Sensitive Files (e.g., wp-config.php):400 or 440 (r-- --- --- or r-- r-- ---)
    • Restricts access to the owner or, at most, the group.

Key Directories and Files to Secure

  1. Core Files:
    • WordPress relies on files like index.php, wp-config.php, and wp-load.php. Proper permissions ensure attackers cannot modify or delete them.
  2. Uploads Directory:
    • /wp-content/uploads/ is often targeted for malicious script uploads. Ensure permissions are restrictive without breaking media functionality.
  3. Themes and Plugins:
    • /wp-content/themes/ and /wp-content/plugins/ must have secure permissions to prevent unauthorized modifications.
  4. wp-config.php:
    • Contains sensitive database credentials. Use 400 or 440 to restrict access.

How to Set File Permissions

Using the Command Line

For users comfortable with SSH or terminal access, the following commands help configure permissions:

# Set file permissions
find /path-to-wordpress/ -type f -exec chmod 644 {} \;

# Set directory permissions
find /path-to-wordpress/ -type d -exec chmod 755 {} \;

# Secure wp-config.php
chmod 400 /path-to-wordpress/wp-config.php

Using cPanel or Hosting Control Panel

  • Navigate to the File Manager in your hosting control panel.
  • Right-click on a file or folder and select Permissions or Change Permissions.
  • Set the desired numeric values (e.g., 644 for files, 755 for directories).

Automating File Permissions with Security Plugins

WordPress security plugins simplify managing and automating file permissions while providing additional features like malware scanning and firewalls. Popular plugins include:

1. Wordfence Security

  • Scans for incorrect file permissions and provides actionable recommendations.
  • Offers real-time alerts if permissions become insecure.

2. Sucuri Security

  • Includes file integrity monitoring and highlights permission-related vulnerabilities during scans.

3. SolidWP (Formerly iThemes Security)

  • Provides a one-click fix for file permission issues, along with other security hardening features.

4. All In One WP Security & Firewall

  • Includes a dedicated module for analyzing and fixing file permissions.

5. WP Hardening

  • Lightweight and easy to use, offering detailed scans for misconfigured permissions.

These plugins not only streamline file permission management but also provide robust, all-around security for your WordPress site.

Best Practices for File Permissions in WordPress

  1. Disable File Editing in the Admin Dashboard:
    Prevent users or attackers from editing themes and plugins directly via the admin interface. Add this to your wp-config.php: define('DISALLOW_FILE_EDIT', true);
  2. Limit User Roles:
    Assign the minimum required capabilities to each user role. For example, only grant administrator rights to trusted individuals.
  3. Regularly Monitor Permissions:
    Use plugins or manual checks to ensure your file permissions remain secure over time.
  4. Secure Sensitive Files with .htaccess:
    Add rules to restrict access to files like wp-config.php: <Files wp-config.php> Order allow,deny Deny from all </Files>
  5. Use Secure Protocols:
    Always use SFTP or SSH for file transfers and server access instead of insecure FTP.

Encouragement to Explore Further

While plugins can automate much of the work, it’s essential to understand the underlying principles of file permissions. Dive deeper into the capabilities of plugins like Wordfence, Sucuri, and SolidWP to determine which fits your specific needs. Experiment with their settings in a staging environment before applying them to a live site.

Security is an ongoing process. Research, implement, and regularly review your WordPress setup to ensure your website remains secure and functional.