{"id":139741,"date":"2015-04-18T08:00:20","date_gmt":"2015-04-18T12:00:20","guid":{"rendered":"http:\/\/premium.wpmudev.org\/blog\/?p=139741"},"modified":"2022-02-10T18:40:14","modified_gmt":"2022-02-10T18:40:14","slug":"understanding-file-permissions","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/understanding-file-permissions\/","title":{"rendered":"Understanding File Permissions and Using Them to Secure Your Site"},"content":{"rendered":"<p>File permissions specify who and what can read, write, modify, and access them. This is important, as the <a title=\"Changing Files Permissions\" href=\"https:\/\/codex.wordpress.org\/Changing_File_Permissions\" rel=\"noopener\" target=\"_blank\">Codex explains<\/a>, because WordPress may need access to write to files in your wp-content directory to enable certain functions.<\/p>\n<p>If your files don&#8217;t have the best possible permissions in place, it&#8217;s easier for hackers to intrude on your files <em>and<\/em> your site. Setting your file permissions correctly may not save you from all attacks, but it will help make your site a bit more secure, making it a great addition to your current security measures.<\/p>\n<p>The WordPress Codex has some information\u00a0on WordPress file permissions, but it doesn&#8217;t go into a whole lot of detail so it can be tough to follow. 
So in today&#8217;s Weekend WordPress Project\u00a0we&#8217;ll look at\u00a0file and folder permissions in detail, and how to change them to improve your site&#8217;s security.<\/p>\n<ul>\n<li><a href=\"#look-like\">What Do File Permissions Look Like?<\/a><\/li>\n<li><a href=\"#use\">What Permissions Should I Use?<\/a><\/li>\n<li><a href=\"#where\">Where Can File Permission Be Found?<\/a><\/li>\n<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\n<\/ul>\n<h2 id=\"look-like\">What Do\u00a0File Permissions Look Like?<\/h2>\n<p>Generally speaking, there are two categories that need to be considered when viewing file permissions: Actions and user groups.<\/p>\n<p>Actions your site&#8217;s plugins and files can make are:<\/p>\n<ul>\n<li><strong>Read<\/strong>\u00a0\u2013\u00a0allows access to a file to view its contents only<\/li>\n<li><strong>Write<\/strong>\u00a0\u2013\u00a0allows the file to be changed<\/li>\n<li><strong>Execute<\/strong>\u00a0\u2013\u00a0gives access to a file in order to run the programs or scripts that are contained in it<\/li>\n<\/ul>\n<p>The user groups of the actions can be:<\/p>\n<ul>\n<li><strong>User\u00a0<\/strong>\u2013\u00a0you as the owner of your site<\/li>\n<li><strong>Group\u00a0<\/strong>\u2013\u00a0other users that can also have access to the files you choose such as the members of your site<\/li>\n<li><strong>World\u00a0<\/strong>\u2013\u00a0anyone with an internet connection who tries to view your files<\/li>\n<\/ul>\n<p>File permissions are primarily viewed as three consecutive numbers:<\/p>\n<ul>\n<li><strong>First number<\/strong> \u2013 the access to file actions granted to the <strong>user<\/strong><\/li>\n<li><strong>Second number<\/strong> \u2013 the file access given to the <strong>group <\/strong><\/li>\n<li><strong>Third number\u00a0<\/strong>\u2013 the amount of file access given to\u00a0the <strong>world<\/strong><\/li>\n<\/ul>\n<p>To come up with these numbers, a value is given to each possible action 
combination:<\/p>\n<ul>\n<li><strong>0<\/strong>\u00a0\u2013 no access<\/li>\n<li><strong>1<\/strong> \u2013 execute<\/li>\n<li><strong>2<\/strong> \u2013 write<\/li>\n<li><strong>3<\/strong> \u2013 write and execute<\/li>\n<li><strong>4<\/strong> \u2013 read<\/li>\n<li><strong>5<\/strong> \u2013 read and execute<\/li>\n<li><strong>6<\/strong> \u2013 read and write<\/li>\n<li><strong>7<\/strong> \u2013 read, write and execute<\/li>\n<\/ul>\n<p>This being the case, the greatest amount of access you can grant is 777 where the user, group and world have access to read, write and execute files.<\/p>\n<p>The least amount of access you can give \u2013 besides none\u00a0at all\u00a0\u2013\u00a0is with a file&#8217;s permission set to 444 where everyone can only read the file.<\/p>\n<p>You only need to remember the values given to the read, write and execute actions, though, because adding their corresponding numbers together will give you the correct file permission value.<\/p>\n<p>For example, this is how you would calculate a file permission if you wanted the user to have complete access, while having stricter limitations for everyone else:<\/p>\n<ul>\n<li><strong>User<\/strong>\u00a0\u2013 with the access to read (with the value of 4), write (having a value of 2) and execute (which has a value of 1), 4 + 2 + 1 = <strong>7<\/strong><\/li>\n<li><strong>Group<\/strong>\u00a0\u2013 has access to read (4) and write (2), 4 + 2 = <strong>6<\/strong><\/li>\n<li><strong>World\u00a0<\/strong>\u2013 only has access to read files, <strong>4<\/strong><\/li>\n<\/ul>\n<p>The final file permission would become 764 in this example. This, however, usually isn&#8217;t an ideal permission for WordPress files.<\/p>\n<p>You may notice that file permissions are written differently when looking at them through FTP or SSH (Shell access). 
They may look something like this:<\/p>\n<figure class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-735x735\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/04\/file-permissions.png\" alt=\"File permissions are written as text, such as &quot;-rwxr-xr-x.&quot;\" width=\"735\" height=\"110\" \/><figcaption class=\"wp-caption-text\">This format of displaying file permissions is actually the same as their numerical counterpart.<\/figcaption><\/figure>\n<p>The letters represent the actions for the permission:\u00a0<strong>R<\/strong>ead, <b>w<\/b>rite and e<strong>x<\/strong>ecute.<\/p>\n<figure class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-490x490\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/04\/permissions_diagram.gif\" alt=\"Diagram of the text permissions\" width=\"490\" height=\"320\" \/><figcaption class=\"wp-caption-text\">The first character can have other values, but it&#8217;s less likely that you would come across them when working with WordPress.<\/figcaption><\/figure>\n<p>The hyphens represent the absence of an action, except for the first character in the sequence which shows the permission is for a file. If it were for a folder\u00a0\u2013 which is often called a directory\u00a0\u2013 there would be a letter &#8220;d&#8221; instead.<\/p>\n<p>The characters that follow are grouped in sets of threes. The first set represents the user, the second set for group and the third for world.<\/p>\n<p>Each set displays the allowed actions for each user group. 
Here&#8217;s an example:<\/p>\n<div class=\"gist\" data-gist=\"8e37c1cd8a1fc796b42863d7b14efe7a\" data-gist-file=\"example file permission\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/8e37c1cd8a1fc796b42863d7b14efe7a.js?file=example+file+permission\">Loading gist 8e37c1cd8a1fc796b42863d7b14efe7a<\/a><\/div>\n<p>The first hyphen means the permission is for a file. The next three characters show that the user has access to reading, writing and executing the file while the group and world sets have permission to read and execute the file, but not write it as shown by the hyphens.<\/p>\n<p>If you assign the same values to the actions as we covered earlier, the result will be a numeric file permission. This example adds up to 755.<\/p>\n<p>It may also be helpful to mention that using the file permission 777 gives access to everyone so it&#8217;s dangerous and shouldn&#8217;t be used for your WordPress site, but using 444 is\u00a0also not ideal because it\u00a0means your WordPress site won&#8217;t have permission to run at all.<\/p>\n<p>If these combinations aren&#8217;t great options, then what <em>should<\/em> your file permissions be, anyway?<\/p>\n<h2 id=\"use\">What Permissions Should I Use?<\/h2>\n<p>If you set up your WordPress site on your own, chances are your file permissions are set correctly. 
If you find you&#8217;re getting permission errors or your site wasn&#8217;t set up by you, then it&#8217;s time to think about changing your file permissions.<\/p>\n<p>Each plugin will have different needs as far as file permissions go depending on the purpose of the plugin, and your file and folder permissions will depend on your hosting setup.<\/p>\n<p>If you run your own server, you can typically run your site just fine with these general guidelines recommended by the WordPress Codex:<\/p>\n<ul>\n<li>Folders\u00a0\u2013 755<\/li>\n<li>Files\u00a0\u2013 644<\/li>\n<\/ul>\n<p>For the most important files you have in your WordPress installation such as <em>wp-config.php<\/em>, you can set the permission to 600 if you desire.<\/p>\n<p>The <em>.htaccess<\/em> file is an exception since it needs to be accessed by WordPress if you want the file to be automatically updated. The recommended setting is 644. If you would like this file to be more secure you can set it to 604 in most cases.<\/p>\n<h2 id=\"where\">Where Can File Permission Be Found?<\/h2>\n<p>They&#8217;re only found on Linux and Unix based servers so if your site is set up on Windows, then you won&#8217;t be able to find them anywhere.<\/p>\n<p>In cPanel, go to <strong>Files &gt; File Manager<\/strong> once you have logged in. 
If the <strong>Directory Selection<\/strong> pop-up appears, click <strong>Go<\/strong> at the bottom.<\/p>\n<p>Choose a file from the list and then click the <strong>Change Permissions<\/strong> icon at the top of the page.<\/p>\n<figure class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-735x735\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/04\/change-permission-cPanel.png\" alt=\"The &quot;Change Permission&quot; icon is highlighted in cPanel's file manager.\" width=\"735\" height=\"150\" \/><figcaption class=\"wp-caption-text\">There are many ways to view your file and folder permissions and this isn&#8217;t the most efficient one for most users.<\/figcaption><\/figure>\n<p>An in-line pop-up will appear where you can view and change the permissions for the file or folder.<\/p>\n<figure class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-735x735\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/04\/pop-up-change-permission-cPanel.png\" alt=\"The &quot;Change Permissions&quot; pop-up shows a folder permission of 755 with the option to change it.\" width=\"735\" height=\"275\" \/><figcaption class=\"wp-caption-text\">If you choose to change the permissions, be careful as it could break your site or otherwise give hackers a much greater opening to attack your site.<\/figcaption><\/figure>\n<p>Selecting and de-selecting the checkboxes will update the permission. Clicking the <strong>Change Permissions<\/strong> button at the bottom right will save your changes.<\/p>\n<p>You can also update your permissions via FTP. 
In FileZilla, once a connection has been successfully established, you can right-click on a file or folder, then select <strong>File permissions<\/strong> from the list.<\/p>\n<figure class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-735x735\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/04\/filezilla-permissions.png\" alt=\"The cgi-bin folder has been right clicked and the mouse is hovering over the &quot;File permissions&quot; option from the list that appeared.\" width=\"735\" height=\"290\" \/><figcaption class=\"wp-caption-text\">You can also select more than one folder or file at a time to bulk change the permissions, but all the ones selected will have the same permissions.<\/figcaption><\/figure>\n<p>A pop-up window will appear where you can check the appropriate boxes or type a numeric permission beside the label\u00a0<strong>Numeric value<\/strong>.<\/p>\n<figure class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"attachment-735x735\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/04\/change-file-attributes.png\" alt=\"The &quot;Change file attributes&quot; pop-up window in FileZilla.\" width=\"735\" height=\"410\" \/><figcaption class=\"wp-caption-text\">If you&#8217;re using a different FTP client, consult its documentation for accurate instructions for changing permissions.<\/figcaption><\/figure>\n<p>Once you&#8217;re happy with your changes, click <strong>OK<\/strong> to save them.<\/p>\n<p>You can also change permissions with SSH. 
Once you have signed into your server, enter the following commands.<\/p>\n<p>Here is the command for folders:<\/p>\n<div class=\"gist\" data-gist=\"96f8a60c32bcc73793da5ef5cd53f3fb\" data-gist-file=\"directory chmod\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/96f8a60c32bcc73793da5ef5cd53f3fb.js?file=directory+chmod\">Loading gist 96f8a60c32bcc73793da5ef5cd53f3fb<\/a><\/div>\n<p>The command for files is a bit different and here it is:<\/p>\n<div class=\"gist\" data-gist=\"769656b1410a4844f495fef3e432d4f3\" data-gist-file=\"file chmod\"><a class=\"loading\" href=\"https:\/\/gist.github.com\/769656b1410a4844f495fef3e432d4f3.js?file=file+chmod\">Loading gist 769656b1410a4844f495fef3e432d4f3<\/a><\/div>\n<p>Just be sure to enter the correct path to your file or folder and also change the permission to one that suits your needs. In these examples, you would need to change the values 755 and 644, respectively.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>We&#8217;ve covered the basics for WordPress permissions and also how to change them in cPanel and via FTP. 
There&#8217;s one more thing, though: It&#8217;s also important that you keep your WordPress installation up to date.<\/p>\n<p>This will make sure any security upgrades to your permissions are automatically applied to keep you, your site and its visitors safe.<\/p>\n<p>If you prefer to use plugins, there are three that are frequently updated and reliable that you can try out:\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/triagis-security-evaluation\/\" rel=\"noopener\" target=\"_blank\">Triagis\u00ae WordPress Security Evaluation<\/a>,\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/secure\/\" rel=\"noopener\" target=\"_blank\">SECURE<\/a>\u00a0and <a href=\"https:\/\/wordpress.org\/plugins\/bulletproof-security\/\" rel=\"noopener\" target=\"_blank\">BulletProof Security<\/a>. These plugins can check your file permissions and inform you of inadequate settings.<\/p>\n<p>If you would like to learn more about the steps you can take to further protect your site, check out some of our other posts on WordPress security:\u00a0<a href=\"https:\/\/wpmudev.com\/blog\/5-simple-htaccess-tips-to-tighten-your-sites-security\/\" target=\"_blank\">5 Simple .htaccess Tips to Tighten Your Site\u2019s Security<\/a>,\u00a0<a href=\"https:\/\/wpmudev.com\/blog\/wordpress-security-essentials-say-goodbye-to-hackers\/\" target=\"_blank\">WordPress Security Essentials: Say Goodbye to Hackers<\/a> and\u00a0<a href=\"https:\/\/wpmudev.com\/blog\/6-best-wordpress-security-authentication-plugins\/\" target=\"_blank\">6 Best WordPress Security Authentication Plugins<\/a>.<\/p>\n<p><em>Image credits: <a href=\"http:\/\/www.majorgeeks.com\/files\/details\/filezilla.html\" rel=\"noopener\" target=\"_blank\">MajorGeeks<\/a>, <a href=\"http:\/\/askubuntu.com\/questions\/607075\/unable-to-modify-file-after-creation\" rel=\"noopener\" target=\"_blank\">shaddy<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The WordPress Codex can be a bit hard to follow when it comes to file 
permissions. So in today&#8217;s Weekend WordPress Project we look at file and folder permissions in detail and how you can change them to improve your site&#8217;s security.<\/p>\n","protected":false},"author":54213,"featured_media":151887,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[1117,263],"tags":[10810,10093,9798],"tutorials_categories":[],"class_list":["post-139741","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-multisite","category-tutorials","tag-wordpress-security","tag-file-permissions","tag-weekend-wordpress-projects"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/139741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/54213"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=139741"}],"version-history":[{"count":7,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/139741\/revisions"}],"predecessor-version":[{"id":209657,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/139741\/revisions\/209657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/151887"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=139741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=139741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=139741"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\
/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=139741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}