WordPress: Managing File Permissions

If you install, move, or add WordPress Themes or Plugins, or just rearrange things on your server, you are going to run into the challenges associated with file permissions in WordPress. If you are concerned about security, protection from hackers, viruses, and other evil, get familiar with file permissions in WordPress.

In general, file permissions are settings on server files and folders that control who and what (individuals, browsers, code, and programs) can access and use them. Consider them the firewalls to your WordPress website, dictating who can do what with each file and folder.

All these folder and file permissions can be confusing in WordPress. Recently, I had a site offline for three hours, going through a variety of tests to figure out what was causing the problem. It boiled down to a single folder being set to the wrong permissions. I had to go through every file and folder to figure out which one was set wrong, so take care when changing file permissions.

There are three levels of access: Owner, Group, and Public. Under each level there are three options to fine-tune control and access: read, write, and execute. You can set these in a variety of combinations. Permissions can be the same or different on folders and files.

There are key files and areas of your WordPress installation which must be “writable,” able to be edited and changed. If you’ve ever used permalinks or the built-in WordPress Editor for Themes or Plugins, you may have encountered a warning that said changes could be made “if this file were writable.” This means that these files or folders are set at a permission level that doesn’t allow access to make changes. In order to change them from within WordPress, you must set their permission levels so that they can be edited.

Among the writable files and folders in WordPress, some must be writable by the user account, while others need less restrictive permissions, such as the folder to which you upload images.

Luckily, WordPress is fairly easy. All folders must be set to 755, and files set to 644, except for wp-config.php at 640, and all files you need to be writable, like WordPress Themes, need to be set to 666 if you wish to edit them from within WordPress. If you edit them through FTP, then you can set them for tighter security levels.

What this means is that when people or bots try to access these files, they will get a forbidden error, keeping them safe from intruding viruses and malware.

There are many ways to set file permissions on your server. The easiest way is through FTP access. Depending upon how your FTP client program works, usually selecting the folders and/or files and right clicking to select Properties or File Permissions will get you to the file permissions menu. Select or type in the file permissions, select whether or not to apply to folders or files or both, and apply.

For those used to direct access, you can use chmod to set file and folder permissions.

We’ve put together a chart of recommendations for the various files and folders for setting the permission levels with WordPress. You can change these at any time to accommodate work you may be doing on the server. For example, if you need full access to a set of files, you can set them to 777 or something slightly less secure. Remember to reset them for maximum security on your site.
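
The modes given above (755, 644, 640) and the reminder to reset 666 or 777 afterwards, as an added example that is not part of the original article: a POSIX shell audit that lists every entry deviating from those modes, plus a chmod-based reset. The function names and finding labels are made up for this example, and it assumes wp-config.php sits in the WordPress root.

```shell
#!/bin/sh
# Added example, not from the original article. Modes checked are the ones
# the article recommends: directories 755, files 644, wp-config.php 640.

# Print one "<finding> <path>" line per entry that deviates. Paths that
# contain newlines are not handled (assumption: ordinary WordPress names).
wp_perm_audit() (
    root="${1:?usage: wp_perm_audit ROOT}"
    # 666/777 entries left behind after in-dashboard editing or debugging.
    find "$root" \( -type f -o -type d \) -perm -002 -print |
        sed 's/^/WORLD-WRITABLE /'
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
    # wp-config.php is excluded here and checked against 640 below.
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 -print |
        sed 's/^/FILE-NOT-644 /'
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 640 -print |
            sed 's/^/CONFIG-NOT-640 /'
    fi
)

# Put the whole tree back to the recommended modes with chmod.
wp_perm_reset() (
    root="${1:?usage: wp_perm_reset ROOT}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
)

# Demo on a constructed throwaway tree (not a real site).
wp_perm_demo() (
    demo=$(mktemp -d) || exit 1
    mkdir -p "$demo/wp-content/uploads" "$demo/wp-content/themes/example"
    touch "$demo/wp-config.php" "$demo/index.php" \
          "$demo/wp-content/themes/example/style.css"
    wp_perm_reset "$demo"
    chmod 777 "$demo/wp-content/uploads"                   # opened up, never reset
    chmod 666 "$demo/wp-content/themes/example/style.css"  # made editable in WordPress
    wp_perm_audit "$demo"
    rm -rf "$demo"
)
wp_perm_demo
```

Run the audit before and after any temporary loosening; an empty result means the tree matches the recommended modes.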

There is one caveat to WordPress file permissions. Not all web host servers are equal. Some have dedicated security levels that can protect your files almost no matter what permissions you set, while others are not quite as locked down. Check with your host for specifics on what they recommend to be sure your files are set at the highest level of security and access, while still allowing WordPress to function.
