Understanding File Permissions and Using Them to Secure Your Site
File permissions specify who and what can read, write, modify, and access your files. This is important, as the Codex explains, because WordPress may need access to write to files in your wp-content directory to enable certain functions.
If your files don’t have the best possible permissions in place, it’s easier for hackers to intrude on your files and your site. Setting your file permissions correctly may not save you from all attacks, but it will help make your site a bit more secure, making it a great addition to your current security measures.
The WordPress Codex has some information on WordPress file permissions, but it doesn’t go into a whole lot of detail so it can be tough to follow. So in today’s Weekend WordPress Project we’ll look at file and folder permissions in detail, and how to change them to improve your site’s security.
What Do File Permissions Look Like?
Generally speaking, there are two categories that need to be considered when viewing file permissions: actions and user groups.
Actions your site’s plugins and files can make are:
- Read – allows access to a file to view its contents only
- Write – allows the file to be changed
- Execute – gives access to a file in order to run the programs or scripts that are contained in it
The user groups these actions can be granted to are:
- User – you as the owner of your site
- Group – other users that can also have access to the files you choose such as the members of your site
- World – anyone with an internet connection who tries to view your files
File permissions are primarily viewed as three consecutive numbers:
- First number – the access to file actions granted to the user
- Second number – the file access given to the group
- Third number – the amount of file access given to the world
To come up with these numbers, a value is given to each possible action combination:
- 0 – no access
- 1 – execute
- 2 – write
- 3 – write and execute
- 4 – read
- 5 – read and execute
- 6 – read and write
- 7 – read, write and execute
This being the case, the greatest amount of access you can grant is 777 where the user, group and world have access to read, write and execute files.
The least amount of access you can give – besides none at all – is with a file’s permission set to 444 where everyone can only read the file.
You only need to remember the values given to the read, write and execute actions, though, because adding their corresponding numbers together will give you the correct file permission value.
For example, this is how you would calculate a file permission if you wanted the user to have complete access, while having stricter limitations for everyone else:
- User – with the access to read (with the value of 4), write (having a value of 2) and execute (which has a value of 1), 4 + 2 + 1 = 7
- Group – has access to read (4) and write (2), 4 + 2 = 6
- World – only has access to read files, 4
The final file permission would become 764 in this example. This, however, usually isn’t an ideal permission for WordPress files.
You may notice that file permissions are written differently when looking at them through FTP or SSH (Shell access). They may look something like this:
The letters represent the actions for the permission: Read, write and execute.
The characters that follow are grouped in sets of threes. The first set represents the user, the second set for group and the third for world.
Each set displays the allowed actions for each user group. Here’s an example:
In the string -rwxr-xr-x, the first hyphen means the permission is for a file. The next three characters show that the user can read, write and execute the file, while the group and world sets can read and execute the file but not write to it, as shown by the hyphens.
If you assign the same values to the actions as we covered earlier, the result will be a numeric file permission. This example adds up to 755.
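The conversion described above can be scripted. This is an added example, not code from the original article: the function name mode_to_octal and the sample strings are made up for illustration, and only plain r, w, x and hyphen characters are handled.

```bash
#!/bin/sh
# Added example: convert an ls-style permission string to its numeric form.
# Handles only r, w, x and "-"; special bits (setuid, setgid, sticky) are rejected.

mode_to_octal() {
    mode=$1
    if [ "${#mode}" -ne 10 ]; then
        echo "expected 10 characters, got: $mode" >&2
        return 1
    fi
    rest=${mode#?}                      # drop the leading file-type character
    result=""
    for who in user group world; do
        set3=$(printf '%s' "$rest" | cut -c1-3)
        rest=$(printf '%s' "$rest" | cut -c4-)
        case $set3 in
            [r-][w-][x-]) ;;
            *) echo "unsupported $who set: $set3" >&2; return 1 ;;
        esac
        digit=0
        case $set3 in r??) digit=$((digit + 4)) ;; esac   # read
        case $set3 in ?w?) digit=$((digit + 2)) ;; esac   # write
        case $set3 in ??x) digit=$((digit + 1)) ;; esac   # execute
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# Constructed sample strings, including the one discussed above.
for sample in -rwxr-xr-x -rw-r--r-- -rw------- drwxrwxrwx; do
    printf '%s -> %s\n' "$sample" "$(mode_to_octal "$sample")"
done
```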
It may also be helpful to mention that using the file permission 777 gives access to everyone so it’s dangerous and shouldn’t be used for your WordPress site, but using 444 is also not ideal because it means your WordPress site won’t have permission to run at all.
If these combinations aren’t great options, then what should your file permissions be, anyway?
What Permissions Should I Use?
If you set up your WordPress site on your own, chances are your file permissions are set correctly. If you find you’re getting permission errors or your site wasn’t set up by you, then it’s time to think about changing your file permissions.
Each plugin will have different needs as far as file permissions go depending on the purpose of the plugin, and your file and folder permissions will depend on your hosting setup.
If you run your own server, you can typically run your site just fine with these general guidelines recommended by the WordPress Codex:
- Folders – 755
- Files – 644
For the most important files you have in your WordPress installation such as wp-config.php, you can set the permission to 600 if you desire.
The .htaccess file is an exception since it needs to be accessed by WordPress if you want the file to be automatically updated. The recommended setting is 644. If you would like this file to be more secure you can set it to 604 in most cases.
Where Can File Permission Be Found?
They’re only found on Linux and Unix based servers so if your site is set up on Windows, then you won’t be able to find them anywhere.
In cPanel, go to Files > File Manager once you have logged in. If the Directory Selection pop-up appears, click Go at the bottom.
Choose a file from the list and then click the Change Permissions icon at the top of the page.
An in-line pop-up will appear where you can view and change the permissions for the file or folder.
Selecting and de-selecting the checkboxes will update the permission. Clicking the Change Permissions button at the bottom right will save your changes.
You can also update your permissions via FTP. In FileZilla once a connection has been successfully established, you can right click on a file or folder, then select File permissions from the list.
A pop-up window will appear where you can check the appropriate boxes or type a numeric permission beside the label Numeric value.
Once you’re happy with your changes, click OK to save them.
You can also change permissions with SSH. Once you have signed into your server, enter the following commands.
Here is the command for folders:
The command for files is a bit different and here it is:
Just be sure to enter the correct path to your file or folder and also change the permission to one that suits your needs. In these examples, you would need to change the values 755 and 644, respectively.
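One way to apply the 755 / 644 / 600 guideline over SSH and check the result. This is an added example, not the commands from the original article: the function names and the throwaway sample tree are constructed, and the script assumes standard find and chmod on the server.

```bash
#!/bin/sh
# Added example: apply the 755 / 644 / 600 guideline to a WordPress tree
# and list anything that is still world-writable.

# List files and folders the "world" can write to (third digit includes 2).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Folders -> 755, files -> 644, wp-config.php -> 600.
harden_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Build a throwaway tree with deliberately loose modes (constructed sample).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    touch "$dir/index.php" "$dir/wp-config.php" "$dir/.htaccess" \
          "$dir/wp-content/uploads/a.jpg"
    chmod 775 "$dir/wp-content"
    chmod 777 "$dir/wp-content/uploads"
    chmod 666 "$dir/wp-config.php"
    chmod 764 "$dir/index.php"
    chmod 664 "$dir/.htaccess" "$dir/wp-content/uploads/a.jpg"
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
echo "World-writable before:"; list_world_writable "$sample"
harden_wp_perms "$sample"
echo "World-writable after:";  list_world_writable "$sample"
rm -rf "$sample"
```

Run list_world_writable against your real install first to see what would change before calling harden_wp_perms on it.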
We’ve covered the basics for WordPress permissions and also how to change them in cPanel and via FTP. There’s one more thing, though: It’s also important that you keep your WordPress installation up to date.
This will make sure any security upgrades to your permissions are automatically applied to keep you, your site and its visitors safe.
If you prefer to use plugins, there are three that are frequently updated and reliable that you can try out: Triagis® WordPress Security Evaluation, SECURE and BulletProof Security. These plugins can check your file permissions and inform you of inadequate settings.
If you would like to learn more about the steps you can take to further protect your site, check out some of our other posts on WordPress security: 5 Simple .htaccess Tips to Tighten Your Site’s Security, WordPress Security Essentials: Say Goodbye to Hackers and 6 Best WordPress Security Authentication Plugins.
Have you ever needed to update your permissions? Are you unsure of whether you should? Feel free to share your experience in the comments below.