WordPress can pretty much run on any operating system that runs PHP. However, the vast majority of WordPress websites run on Linux. Therefore it is important that you understand Linux file permissions.
It is crucial to get file permissions right. Setting incorrect file permissions can open your website up for attack. Incorrect file permissions can allow unauthorized users to gain access to potentially sensitive files and data. Such data can then be used as a stepping stone to a larger attack.
As a WordPress administrator, file permissions may seem a bit daunting, especially if you’re new to Linux. Fear not! This guide explains what file permissions on Linux are from the ground-up. It also explains how Linux file permissions apply to your WordPress website.
Table of contents
What are file permissions?
Permission groups
It all starts with who. Like any other operating system, Linux has a concept of users and groups. When defining who gets access to a file, each file and directory on a Linux system has three permission groups.
- Owner
- Each file or directory has an owner.
- The owner permissions apply only to the owner of the file or directory. They will not impact the actions of other users.
- Group
- Each file or directory may be assigned a group of users who are granted access to it.
- The group permissions apply only to the group that has been assigned to the file or directory. They will not impact the actions of other users.
- Other
- Each file or directory can define what permissions “everyone else” has. That is, aside from the owner or the group we set.
- The other permissions apply to all other users on the system. This is the permission group that you want to watch the most since you may unwittingly allow access to everyone.
Permission types
Now that we know how to specify who has access to a file or directory, we need to choose what kind of permissions we give each owner, group and other for the files or directories. The following are the permission types we can give to a permission group (owner, group, other):
- Read
- The read permission type refers to a user’s capability to read the contents of the file.
- Write
- The write permission refers to a user’s capability to write and/or modify the contents of the file.
- It’s possible to allow a user to write to a file without them having the ability to read its contents.
- Execute
- The execute permission affects a user’s capability to run a file, for example a script.
- The execute permission also allows a user to view the contents of a directory.
Permission representation
Now that we have an understanding of how permissions work, let’s look at how a Linux permission would actually be represented. File permissions are stored as a series of 3 numbers. However, they can also be represented as letters, making them a bit easier to read. Let’s first understand what these numbers signify.
- First number
- Permissions given to the owner
- Second number
- Permissions given to the group
- Third number
- Permissions given to other (everyone else, except owner and group)
Each number corresponds to a combination of one or more permission types we discussed earlier. Understanding this is much easier when visualized. Each permission type carries a weight which is added together for each permission group.
Confused? It may take a while and some practice to wrap your head around it. In the meantime, here’s a table of all the possible file permissions you can assign to each permission group.
| Number | Letters | Description |
|---|---|---|
| 0 (0+0+0) | — | No access |
| 1 (0+0+1) | –x | Execute |
| 2 (0+2+0) | -w- | Write |
| 3 (0+2+1) | -wx | Write and Execute |
| 4 (4+0+0) | r– | Read |
| 5 (4+0+1) | r-x | Read and Execute |
| 6 (4+2+0) | rw- | Read and Write |
| 7 (4+2+1) | rwx | Read, Write and Execute |
To see a concrete example, a 644 file permission means
- owner permission to read and write the file or directory
- group has permission to read the file or directory
- other has permission to read the file or directory
You will typically see these values represented without any spaces in between, and with an additional – or d at the beginning. The – denotes a regular file. d denotes a directory. The following is an example of this using the Linux ls -la command to list files in a directory.
$ ls -la total 0 drwxr-xr-x 4 user group 128 May 25 23:25 . drwxrwxrwt 8 root wheel 256 May 25 23:25 .. drwxr-xr-x 2 user group 64 May 25 23:25 directory -rw-r--r-- 1 user group 0 May 25 23:25 file.txt
Recommended WordPress file permissions
Setting incorrect WordPress file permissions could result in accidentally granting access to other users than you mean to. In the worst-case scenario this may allow an attacker to change the contents of an important file which they are not meant to have access to. It may also allow any user on the Internet to read sensitive files within your WordPress installation.
This is why you should never set WordPress file permissions to 777 (-rwxrwxrwx). This would allow full read, write and execute access to anyone who is in a position to control that file. This could be a third-party making changes via FTP or SSH, or an attacker via an upload form.
On the flipside, you need to take care not to make things too restrictive for WordPress to do its job. Since WordPress itself, as well as themes and plugins will often need to safely make changes to several files. For example, when WordPress auto-updates to keep your site safe against security vulnerabilities.
So for the sake of argument, a permission of 444 (-r–r–r–) may cause your WordPress website to malfunction. With 444 WordPress will only be allowed to read, so the auto updates will fail. With this being said, it is possible to run WordPress with read-only permissions (444, or r–r–r–). It will be a very sucre install. However, you will need to take the aforementioned limitations into account.
Some managed WordPress hosting providers support this out of the box. Though if you want to run WordPress on such permissions, first try it on the staging environment.
The file permissions recommended by WordPress are as follows.
| Type | Numbers | Letters | Description |
|---|---|---|---|
| Directories | 755 | drwx-wx-wx | WordPress installation directories |
| Files | 644 | -rwxr–r– | WordPress core, WordPress themes and plugins (exceptions may apply to some themes and plugins) |
| wp-config.php | 600 | -rw——- | The WordPress configuration file |
| .htaccess | 644 or 600 | -rw-r–r– -rw——- | Apache HTTP Server configuration file (may not apply if you are running Nginx or web server other than Apache HTTP Server) |
How to fix WordPress file permissions
While one hosting environment differs from another, you will always have a way of controlling WordPress file permissions.
Fixing WordPress file permissions via your shared hosting control panel
If you’re using shared hosting, you’ll likely have access to some control panel such as cPanel or Plesk. In this case, check with your hosting provider regarding the steps you need to take to modify file permissions on your WordPress site.
Fixing WordPress file permissions via FTP
Fixing WordPress file permissions may be done easily via an FTP client such as FileZilla or Cyberduck. The following screenshot is from Cyberduck. Simply right-click the file or directory you want to change permissions for, click Info, and then click on the Permissions tab.
The process is similar on Filezilla. Right-click the file, select File permissions and you will be presented with a similar dialog.
Fixing WordPress permissions via SSH
If you’re already using an SSH client, you can execute the Linux chmod command to alter file permissions. Taking the same example as above, to change the permissions of wp-config.php from 644 to 600, we’d use the following commands:
# change directory to the location of your WordPress installation $ cd /var/www/html # list wp-config.php’s file details $ ls -la wp-config.php -rw-r--r-- 1 www-data www-data 7368 Sep 2 2019 wp-config.php # change wp-config.php’s permissions from the current 644 to 600 $ chmod 600 wp-config.php # verify your change $ ls -la wp-config.php -rw------- 1 www-data www-data 7368 Sep 2 2019 wp-config.php
Properly configured WordPress file permissions mean a more secure website
Let’s recap what was covered. We saw that file permissions allow us to specify who and how a file or directory can be accessed and/or modified on a Linux system. We also discussed how to change permissions both using a SFTP client as well as via SSH. However, the most important thing we discussed is why you should be taking care to set file permissions on your WordPress website correctly.
Even though it may be a tedious process at first, incorrect file permissions may expose sensitive files on your WordPress website. Furthermore, they may allow an attacker to escalate a low-severity vulnerability into a more dangerous one given the right circumstances.
Now that you have a better understanding of how file permissions work on Linux, and how they affect the security of your WordPress site, use this information to shore-up any WordPress file permissions which are too liberal.
Bonus security tips: beyond WordPress file permissions
Correct WordPress file permissions are a great place to start working on with regards to WordPress security. However, the are far from the only thing to worry about. Other things you should do to improve the security posture of your WordPress website are:
- Keep a record of everything that happens on your site in a WordPress activity log,
- Use a WordPress file integrity monitor plugin,
- Enforce strong WordPress password policies,
- Add Two-factor authentication to your WordPress website,
- Install a WordPress firewall / use an online WordPress firewall service.
Given that the most likely attack vector is via the web server restricting the permissions for group and other has negligible impact on security. It would have been helpful to tell us what files need to be writeable by the webserver uid at run time (i.e. outside of patching/install cycles).
Thank you for your comment and for reading our article. We have focused on explaining what the permissions are and how they work VS on simply giving out a template of permissions, because each website is different and different businesses have different requirements and standards. If you’d ask me and how our websites are set up, even though it is impractical (security paranoid) I set everything to read only. The WordPress core, and most of the plugins and themes do not need to write to the file system. Only allow write access to the following:
1. /wp-content/uploads/ – this is needed because this is where media and user files are stored
2. /wp-content/plugins/ – allow temporary write access when there are WordPress plugins updates
3. /wp-content/themes/ – allow temporary write access when there are theme(s) updates
4. website root, /wp-admin/ and /wp-includes/- allow temporary write access when there are WordPress core updates.
I hope that helps.