A Complete Guide on WordPress FileSystem Permissions and Ownerships

WordPress is a CMS platform that keeps on dictating the trend for all the obvious reasons. The ease with which it lets users achieve higher goals for their site and embed new capabilities to make it stand out, is something that’s difficult to find in any other CMS out there. But, irrespective of its blockbuster features, WordPress can be easily beleaguered with security attacks. Cyber criminals out there can drive ways to leave out rough spots to cripple the legitimacy of your site. As the tools used to hack a website have evolved, security has become a primary concern for most website owners.

Whenever a WordPress site get hacked, the very first step owners take is they proceed to fix the plugin installed on their site. There is a tendency among WordPress users to depend heavily on plugins, whenever the crisis erupts. WordPress plugins are great and this is a proven fact beyond any shred of doubt. But, there are times when we need to implement another approach. Here, I am talking about WordPress file system permissions and ownership’s. Assigning proper permissions to various folders is an important aspect to augment the security of your blog. If file permissions and ownership’s aren’t set correctly, any malicious coder can gain a backdoor to spell doom for your website.

Apart from security concerns, a number of other issue can sprung up if permissions aren’t set accurately. These issues could be related to white screen of death, error messages when uploading a plugin in the media folder, and traffic generating issues.

This post discusses about WordPress file system permissions and ownership’s, their importance, and how they can be set correctly to ensure a smooth functioning of your website.

Let’s Understand About Users and Groups

Before anything else, let’s discuss about the basis of Users and Groups. A user account is created to gain an access to the WordPress site. Users and groups are an integral aspect of file permissions. These two elements together work to define the permissions. To put simply, a user is the one who has an account with a computer access, whereas a group determines the group a user belongs to. Depending upon how the way account has been set, users can belong to one or multiple groups.

The reason why users and groups are important because they give you an ability to define the number of privileges a particular user has. File owners generally have all kinds of privileges as compared to other users who have only fewer controls.

What are File Permissions?

File permissions allow you to define the extent of control and authority a user has to read, write, and edit the files. This is an essential aspect to understand because WordPress might want users to access the files depending upon the provided rights.

Permissions are represented by a set of numbers, such as 677 and 777, commonly known as permission mode. While playing around WordPress files and directories, there are times when you probably have asked about changing the permissions related to these files because some plugins cannot configure it. In other words, you need to change the file permission so that they can be accessed by servers accurately.

The following table will help you understand the concept better:

File Directory
Read Allows users to read the file Whether the user can access the directory’s content
Write If user can edit the file User can add and delete the file.
Execute User can read, write, and modify the file. But, cannot delete it. Access the file as well as delete it.

Changing File Permissions

Permissions is basically a three-digit octal number wherein the digits represent the access rights of the user who owns the file.

For directories 775 is an ideal permission mode. However, if you want to write permissions for directories, it is recommended to change the number to 777. On the other hand, files should have 644 permission mode. Adjusting file permissions is a way to allow the Web server to gain an access to that file or folder.

Following is a method given to break a WordPress file with permission mode 644.

The owner can "read" (4) + "write" (2) = 6
The owner’s group can only "read" (4) = 4
Everyone can only "read" (4) = 4

This means that the file can be read as well as modified. Owner’s group can only read the file.

WordPress folder with the permission mode 777 can be broken down as follows:

The owner’s can "read" (4) + "write" (2) + "execute" (1) = 7
The owner’s group can "read" (4) + "write" (2) + "execute" (1) = 7
Every other user can "read" (4) + "write" (2) + "execute" (1) = 7

As per the above statement, it can be understood that the user can access the file stored in the folder. Users in the owner’s group can also exert the rights as exerted by the owner. Everyone else can read, write, execute the file.

By looking at the above statement, it can be said that 777 is not an ideal permission mode. So why 777 is dangerous? 777 means everyone has the right to access, modify, and delete the file. The only one person who should have the right to do that is you (the admin). So how to modify it? Let’s understand it in the next section.

How To Modify File Permission Mode?

For modifying the permission modes, you need to have an access on server’s terminal. After gaining the access, run ‘chmod’ command and start making the changes of a file or a folder.

$ sudo chmod 644 /path/to/file

The above command is used only when you have to make changes in a single file. In order to modify all the WordPress files or folders, use the same command but add the find command along with it. Just like this:

$ sudo find . -type f -exec chmod 644 {} +

Configuring the WordPress Server

Before we take you to the further, let’s understand first, the important of setting a server. In WordPress, there are different types of configurations that require an entirely different permission mode for achieving a secure configuration process. The two most commonly and major configurations are:

Standard managed server configurations- This type of configuration requires a bit more work as compared to the shared server. Here, you have only one user account; and user account and the Web server’s user account are a part of a single group.

To find out to which group your user belongs, run ‘group’ command in your server’s terminal. And, to find out to which group your web server belongs to, add the following PHP code to any of your WordPress scripts:

echo exec( 'groups' );

If you find out that your user and web server do not belong to a single group then add the following code:

sudo usermod -a -G myuser

Now, use the below mentioned code to make sure that everything in your WordPress is related to the user account and web server’s account.

$ sudo find . -exec chown mygroup:a-the-group-name {} +

Now, as you have gained a complete access to all the user files and folders. The next step is to make adjustments on the permission modes. For this purpose, just follow the below mentioned criteria:

All the files have 664 permission mode
All the folders have 777 permission mode
wp-config.php should have permission mode 660

Configurations for A Shared and Managed Server

Implementing configurations for shared server is easy as compared to the one we mentioned above. Here, your web server is the owner of your files and folders, thus, user and server have the same permissions for changing the permission modes. You can start changing the codes like this:

All the files have 644 permission mode
Ensure that all your folders should be 755
wp-config.php should have 600 permission mode

You can modify the permission modes either via FTP or by adding the following commands:

$ sudo find . -type f -exec chmod 644 {} +
$ sudo find . -type d -exec chmod 755 {} +
$ sudo chmod 600 wp-config.php


Hopefully, you have now got a pretty good idea about how you can go through over file configurations and ownerships. Make sure to implement these tips and keep your WordPress site secure against intruders.

About the Guest author:

Mike Swan is a WordPress web developer by profession. He is expert in developing WordPress from PSD and share his experiences in Research and development vertex of web design technologies.

2 thoughts to “A Complete Guide on WordPress FileSystem Permissions and Ownerships”

  1. The execution permission does not mean the user is able to “read, write, and modify the file. But, cannot delete it” as your table in section “What are File Permissions?” mentions nor does it mean that a user can delete a directory if that directory has the execute permission set.

    For files, the execution permission being set means that a user is able to pass the file to the OS to execute that file. For example a shell script or a directly executable program.

    For directories, the execution permission simply means that a user is able to descend into that directory and access files inside that directory. (For the ability to list [search for] files in a directory the user must also have read access.) This means, for example, by giving the execute bit but not the read bit, you could allow a user to access specific files in a directory (assuming they know the full path to the file) without allowing that user to list all files in that directory.

    Section 5.2 in http://www.tldp.org/HOWTO/Security-HOWTO/file-security.html is a good starting point for people to get familiar with the meanings of these things.

Leave a Reply

Your email address will not be published.