Why Correct File Permission Settings are Important

WordPress is a very popular platform for building websites. WordPress sites could make up anything from 15% to 23% of sites on the Internet, depending on where you get your statistics from. The scale of its deployment and the ‘rich target environment’ it offers make the platform a very lucrative target for malicious hackers.

Vulnerabilities in WordPress are generally found in third-party plugins that developers use to add functionality to the WordPress platform. One of the best ways to mitigate the risk of using plugins is to ‘harden’ your WordPress install. Should a vulnerability exist in a plugin you have installed, the ‘hardened’ WordPress platform could prevent the hacker from exploiting it to escalate their access to your system.

Setting the correct file permissions on a web server hosting a WordPress instance is an excellent measure for keeping your site secure.

WordPress File Permission Settings

WordPress file permissions on your server should be set as follows:

  • Folders should be set to 755 or rwxr-xr-x
  • Files should be set to 644 or rw-r--r--
  • wp-config.php should be set to 600 or rw-------

Here are the commands to set these permissions globally. You will need to be able to access your server via an SSH terminal to set these file permissions. Once you have logged onto your server, navigate to the directory where your WordPress site is hosted and run the following commands:

  • sudo find . -type f -exec chmod 644 {} +
  • sudo find . -type d -exec chmod 755 {} +
  • sudo find wp-config.php -exec chmod 600 {} +
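To confirm the result, the following read-only check lists every path that still deviates from the 755 / 644 / 600 scheme. It is an added example, not part of the original article; the function name `wp_perm_audit` and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): read-only audit.
# Lists every path under a WordPress root whose mode differs from the
# scheme above: 755 directories, 644 files, 600 wp-config.php.
# Exit status: 0 = all modes match, 1 = deviations listed, 2 = bad root.
wp_perm_audit() (
    cd "${1:-.}" 2>/dev/null || { echo "cannot enter ${1:-.}" >&2; exit 2; }
    [ -f wp-config.php ] || { echo "no wp-config.php in $PWD" >&2; exit 2; }

    findings=$(
        # Directories: anything not exactly rwxr-xr-x (setuid/setgid/sticky
        # bits also count as a mismatch, since -perm compares the full mode).
        find . -type d ! -perm 755 -print | sed 's/^/want 755: /'
        # Regular files except the root wp-config.php: not exactly rw-r--r--.
        find . -type f ! -path ./wp-config.php ! -perm 644 -print |
            sed 's/^/want 644: /'
        # wp-config.php holds the database credentials: owner read/write only.
        find ./wp-config.php ! -perm 600 -print | sed 's/^/want 600: /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    exit 0
)

# Run directly as: sh wp_perm_audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```

Because it exits non-zero when anything deviates, the check can run from cron or a deployment script to catch permissions that drift after plugin installs or updates.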

If you do not have SSH access but have access to your site files via an FTP client like FileZilla, or some other interface provided by your hosting provider, you could use that interface to set the file permissions as per the settings detailed above, i.e. 755 for folders, 644 for files and 600 for the wp-config.php file.