WordPress filesystem permissions & ownerships: Getting them right for enhanced site security


Even though plugins have always served as the right tools for securing WordPress-powered blogs and websites, a lot can also be done by setting file permissions and ownerships correctly. That is exactly what I cover in this post. Here, you’ll get a complete idea of WordPress file permissions and ownerships and how to set them properly.


Getting to know about Users and Groups

A user is a specific account which has complete access to the computer system. A group, by contrast, is an identifier for a specific set of users. If you choose to transfer files via FTP while configuring WordPress, you will need to use a user account on your web server. Depending on how the host has set up this user account, you (as the user) will belong to one or several groups. In WordPress, users and groups are absolutely similar to users and roles. An in-depth knowledge of users and groups will help you identify the privileges for all files and folders stored in your WordPress website.

What are file permissions?

Permissions dictate what users can do with a particular file. A permission is represented by a set of numbers, such as 644 or 777, which is referred to as the permission mode. Tweaking the file permissions will allow your web server to gain quick access to the file or folder in question.

The permission mode is computed by adding up the values for the user, for the file’s group and for the remaining users. Have a look at this diagram:

  7       4       4
 user   group   world
r+w+x     r       r
4+2+1   4+0+0   4+0+0   = 744

Each digit within the permission mode has a specific meaning as explained below:

  • The first digit represents what the owner of the file can do

  • The second digit represents what the other users within the owner’s group can do

  • The third digit represents what the rest of the users (including site visitors) can do

Now, here’s an explanation of each individual digit in the permission mode:

  • 4 – It denotes that you (the user) can read the names of the files available within the folder

  • 2 – It denotes that you (the user) can write as well as modify the file or folder contents

  • 1 – It denotes that you (the user) can execute the file or access different files available within a folder.

A brief on changing file permission modes

To change the file permission mode, you need access to your server’s terminal. Once you have that access, you can use the ‘chmod’ command to make the desired modifications to the permission mode of a single file or folder.

Original command

$ sudo chmod 644 /path/to/file

Modified command (applies the mode to every file under the current directory)

$ sudo find . -type f -exec chmod 644 {} +

A closer look at permission scheme for WordPress powered websites

File and folder permissions vary from one host to another. Typically, all WordPress files must be owned by the user (FTP) account available on your web server, and all these files should be writable by that user account. If you’re hosting your website on a shared host, make sure that the files are not owned by the web server. Instead, any file that requires write access from WordPress must be owned or group-owned by the WordPress user account you created.

For instance, even after you have created a user account that allows you to FTP files back and forth to your web server, the server itself may run as a separate user or in a separate user group, such as nobody or dhapache. In such a case, if WordPress is running as your FTP account, that account must have write access. This can be achieved either by becoming the owner of the files or by belonging to a user group which has write access. If you choose the latter option, the file permissions are set quite differently from the default scheme. For example, 775 would be used instead of 755 and 664 would be used instead of 644.

Understanding file permission scheme in case of shared hosting with suexec

On shared hosting systems which use the “suexec” approach for executing PHP binaries, the PHP process runs as the owner of the PHP files, which allows a much simpler configuration and a more secure hosting environment. Here’s a list of a few vital pointers related to file permissions for shared hosting using suexec:

  • All files must be owned by the original user’s account and not the user account that’s been used for the httpd process

  • All file directories should either be 755 or 750

  • All files should either be 644 or 640

  • Directories should never be assigned 777. This also includes the upload directories.

If all of the above pointers are followed, WordPress will automatically detect that it can create files directly with the correct ownership. The best part is that it won’t ask for any FTP credentials in order to upgrade or install plugins on the website.
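
One way to check a site against the pointers above, as an added example that is not part of the original post: a POSIX shell function that lists every directory, file or owner that deviates from the scheme. The function names, the finding labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the suexec scheme above.
# audit_wp_perms ROOT OWNER
#   ROOT  - WordPress directory to check
#   OWNER - account (name or numeric uid) that should own every file
# Prints one finding per line; returns 1 if anything deviates, else 0.
audit_wp_perms() {
    root=$1
    owner=$2
    findings=$(
        # Directories must be exactly 755 or 750.
        find "$root" -type d ! -perm 755 ! -perm 750 \
            -exec printf 'DIR_MODE %s\n' {} +
        # Regular files must be exactly 644 or 640.
        find "$root" -type f ! -perm 644 ! -perm 640 \
            -exec printf 'FILE_MODE %s\n' {} +
        # Nothing may be world-writable, e.g. 777 or 666; symlinks are
        # skipped because their own mode bits are not enforced.
        find "$root" ! -type l -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} +
        # Everything must belong to the account owner, not the httpd user.
        find "$root" ! -user "$owner" -exec printf 'OWNER %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree, not a real site: a 777 uploads directory and a
# 666 index.php next to a correctly set wp-config.php.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"
    chmod 640 "$t/wp-config.php"
    chmod 666 "$t/index.php"
    printf '%s\n' "$t"
}

# Demo: the current user stands in for the site owner (assumption).
tree=$(make_sample_tree)
audit_wp_perms "$tree" "$(id -u)" || echo "deviations found in $tree"
rm -rf "$tree"
```

On the sample tree this reports the uploads directory twice (wrong mode and world-writable) and index.php twice, and nothing for wp-config.php.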

That’s it!


Now that you’ve learned how to set up file permissions and ownerships correctly for a WordPress website, I surely hope you’ll put that knowledge to use to keep your WordPress website secure and free from the attacks of hackers.

About mikeswan

Mike Swan is a professional WordPress developer who helps users with PSD to WordPress theme conversion services. He loves to share his experiences in web design and web development trends.