When WordPress security comes up, we often think of brute force attacks, cross-site scripting, or malware. Have you ever heard about WordPress file and folder permissions? They should be the first thing you pay attention to after installing WordPress.
You might not notice it, but if anything is wrong with your file and folder permissions, all your other site security measures are undermined and the site becomes prone to attack. What's more, you may be unable to upload files to your WordPress site, or you may see a death screen when loading a page.
In this article, we'll briefly explain what WordPress file and folder permissions are and cover 3 ways to fix file-system permission errors.
Let’s get started with the basics!
What are WordPress file upload permissions?
WordPress consists of various files and folders to store your themes, plugins, images, etc. Each file has a set of permissions defining which roles or which types of users can access it.
Typical WordPress folders include wp-admin, wp-includes, and wp-content, while .htaccess, index.php, and wp-login.php are among the main WordPress files.
There are 3 main types of users allowed to access your WordPress files and folders by default: the owners or administrators, a group of user roles such as editors, contributors, subscribers, and anyone on the internet. Each type has a set of permissions authorizing them to take particular actions.
While admins can write and execute code, the group is permitted to read and write on the folder only. The rest, on the other hand, will be able to read the folder.
It's necessary to decide on the right file and folder permissions to secure your WordPress website. Take the wp-config.php file as an example. It is the part of your self-hosted WordPress site configuration that stores database information and contains high-level settings. Because of its importance, this file should be set to read-only. If users can write to it and make changes, hackers can edit it, add spam, and break your site easily.
The right set of WordPress file and folder permissions
You shouldn't set your file and folder permissions to 777 when you're using FTP or SSH, since that gives everybody full access to your files. The same goes for the 444 permission, which lets both WordPress and everyone on the web view your files.
It’s recommended to set your file and folder permissions as follows. You can refer to WordPress permission modes for more information about how to define these numbers.
- Folders – 755
- Files – 644
- wp-config.php – 600
- .htaccess – 644, or 600
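For sites reachable over SSH, the recommended modes above can be checked and applied from the shell. This is an added example, not part of the original article; the function names and the script name wp-perms.sh are hypothetical, and the WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original article): check a WordPress tree
# against the recommended modes, then apply them. The WordPress root is $1.

# Print "<expected mode> <path>" for every entry that deviates.
# Returns 0 when the tree is clean, 1 when there are findings.
audit_wp_perms() {
    root=$1
    findings=$(
        # Folders: 755
        find "$root" -type d ! -perm 755 -exec printf '755 %s\n' {} +
        # wp-config.php: 600
        find "$root" -type f -name wp-config.php ! -perm 600 \
            -exec printf '600 %s\n' {} +
        # .htaccess: 644 or 600
        find "$root" -type f -name .htaccess ! -perm 644 ! -perm 600 \
            -exec printf '644|600 %s\n' {} +
        # All other files: 644
        find "$root" -type f ! -name wp-config.php ! -name .htaccess \
            ! -perm 644 -exec printf '644 %s\n' {} +
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Apply the recommended modes. find does not follow symlinks by default,
# so only entries inside the tree are changed.
fix_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php ! -name .htaccess \
        -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
    # Keep an .htaccess that is already 600; otherwise set 644.
    find "$root" -type f -name .htaccess ! -perm 600 -exec chmod 644 {} +
}

# Stand-alone use: sh wp-perms.sh /path/to/wordpress [fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "fix" ]; then fix_wp_perms "$1"; fi
    audit_wp_perms "$1"
fi
```

Mode 600 on wp-config.php only works when the PHP process runs as the file's owner, so run the audit first and review its output before passing `fix`.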
Now that you understand what WordPress files and folders are and which permissions they should have, let's move on to fixing file and folder permission errors.
Fix WordPress folder permissions with FTP
FTP is a tool that lets you upload files from your computer to your WordPress website. To use it, you need an FTP client to connect your computer to your hosting account.
After that, take these 5 steps:
- Go to your root directory and select the 3 most important folders: wp-admin, wp-content, and wp-includes
- Right-click on these folders and choose File Permissions
- Enter “755” in the Numeric value box
- Tick the 'Apply to directories only' option, then hit OK
After that, take the same steps with the other folders in the directory. For the remaining files, select them all, right-click to set file permissions, and enter "644" in the Numeric value box. Remember to tick "Apply to files only" before saving your changes.
Use cPanel to correct your file and folder permission errors
Another way to fix your WordPress file and folder permission errors is through the web hosting cPanel. The steps below walk through the process:
- Log into your cPanel account then open the root directory
- Right-click and change these folders’ permissions
- Enter “755” in the Permission box of the Change Permissions popup
That's it. As with the FTP method, to update your file permissions, select all the files, then set the permission mode to 644.
Protect your WordPress folder using PDA Gold
Instead of fixing your WordPress folder permissions at the server level, it's much simpler to use a third-party plugin. Unlike the 2 solutions above, which require you to go to your directory, you just need to install the Prevent Direct Access plugin and its powerful extension Access Restriction.
These 2 plugins protect all files in specific folders under your WordPress upload directory. They come in handy when you want to secure files not included in your Media Library, such as those submitted to your site via a form.
You can select folders to protect and grant specific user roles access to them. The following simple steps show you how to get started with the plugins:
- Download, install and activate the 2 plugins, PDA Gold and Access Restriction
- Head to the plugin Folder Protection page from your WordPress admin dashboard
- Choose folders to protect
- Set user roles who are allowed to view the protected files in these folders
You can also set certain referrer links to define which web page sends users to your website. There are 3 options for you to choose from:
- Disable referer links – Users from all other sites or web pages won’t be able to access your protected files.
- Allow all referer links – Everyone coming from any web page is permitted to open your files.
- Allow specific referrer links – Only users from specific pages can view your files in the protected folder. These pages will be listed in the Input URLs box.
Make sure to set the right WordPress file and folder permissions
File and folder permissions should be your first priority when configuring WordPress site security. Setting the correct permissions stops unauthorized users from accessing your files and folders and guards against potential attacks.
There are 3 different ways to change your WordPress file and folder permissions. You can use FTP, cPanel web hosting, or the Prevent Direct Access Gold plugin. The first 2 methods require you to go to the website root directory and fix the permissions there. The PDA Gold plugin and Access Restriction extension, meanwhile, protect folders under your WordPress upload directory.
Still have a question about how to fix your WordPress file and folder permission errors? Let us know in the comment section below.