How to Control WordPress File and Folder Permissions

Post by WPressBlog

Apart from common security problems such as brute force attacks, data breaches, or cross-site scripting (XSS), you should also pay attention to file and folder permissions. Unlike other external security vulnerabilities, this issue comes from improper setups inside your root directory, at the server level.

If anything goes wrong with your WordPress file and folder permissions, your site will be attacked easily. As a result, you won’t be able to interact with the website even to simply upload an image. Not to mention, you may even see a white screen when loading a page.

In this article, we’ll show you how to control who can take certain actions on your files and folders, in order to ensure your WordPress website is running smoothly without any interruption.

Before hopping to it, let’s find out what file and folder permissions are and how vital it is to get the right set of them.

What Are WordPress File and Folder Permissions?

WordPress Files and Folders

WordPress primarily works as a publishing platform that helps create and bring content to the world without any hassle. Over one-third of the site owners love this content management system due to its simplicity.

In case you plan to extend WordPress default functionalities, you can easily seek assistance from supporting tools including themes, plugins, images, and so on. Those are stored within files and folders in your WordPress root directory.

There are multiple folders and files, each with different functions, to help your site work like a charm. Important folders include wp-admin and wp-content, while index.php and about.php are examples of WordPress files. Each folder may include numerous sub-folders as well.

File and folder permissions

Every WordPress file and folder stored in your hosting should have its own access restriction that defines who has the right to manage and make changes to them. To take one example, only admins are able to read, write, or execute the wp-admin folder. Editors, on the other hand, can read or view only. General users will not even be able to view this folder.

By giving away the authority to adjust files and folders, you might share tasks with permitted users and end up leaving a loophole for hackers to attack.

In order to prevent this nightmare, it’s important that you understand completely how WordPress files and folder permissions work.

How to Modify WordPress Folder Permissions

A permission mode is written as three numbers or as a combination of hyphens and letters, depending on which network protocol you are using, such as File Transfer Protocol (FTP) or shell access (SSH).

WordPress provides three options to classify who can access your folders by default:

  • Users/Owners – Website’s administrators
  • Groups – Collection of other user roles on your website such as editors, subscribers, contributors, and more.
  • World – Anyone on the Internet

Along with that, there are 4 basic management capabilities that each user type can have on the folders:

  • Read (4) – Enable users to read files or folders only
  • Write (2) – Allow users to modify the content
  • Execute (1) – Authorize users to read, delete, modify, and change the code directory
  • Hyphen “-” (0) – Restrict users from doing anything on your files and folders

Whenever you intend to change the permissions, you need to compute the permission value by adding up the capability values granted to each user type. The first value controls the users/owners. The second value determines the group’s permissions, and the third is for the world.

Here are some examples for better understanding.

(4+2+1) (4+0+1) (4+0+1) = 755

“755” indicates that users can read, write, and execute the folder, while groups and the world are able to read and execute the folder only. It best applies to wp-admin, wp-content, and wp-includes folders.

(4+0+0) (4+2+1) (4+2+1) = 477

477: Users are allowed to read folders only, but group and world can have full access rights – Read, Write, and Execute.

For other permission modes, it’s recommended to refer to the WordPress documentation on changing file permissions.

What Can Happen to WordPress Folder Permissions?

As mentioned, folder permissions relate to the website’s security. Giving other users permission to make changes to your WordPress files or folders is quite similar to granting someone access to your laptop and letting them move things around.

Without proper permissions, you might end up with security vulnerabilities from those who aren’t supposed to modify files and folders. For instance, you should be highly aware that it’s not ideal for users in the group and world categories to adjust your folders.
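As an added example (not part of the original article), the Python sketch below splits a three-digit mode into its user, group and world digits, as in the 755 and 477 calculations above, then walks a directory and reports every entry that the group or the world can write to. The sample tree is constructed for the demonstration, including the file name debug.log; the folder names are the ones the article mentions.

```python
import os
import stat
import tempfile

def describe(mode):
    """Split a mode such as 0o755 into {class: (digit, 'rwx' letters)}."""
    out = {}
    for shift, who in ((6, "user"), (3, "group"), (0, "world")):
        digit = (mode >> shift) & 0o7
        letters = "".join(ch if digit & bit else "-"
                          for bit, ch in ((4, "r"), (2, "w"), (1, "x")))
        out[who] = (digit, letters)
    return out

def audit(root):
    """List entries under root that the group or the world may write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what gets enforced
            mode = stat.S_IMODE(st.st_mode) & 0o777
            perms = describe(mode)
            writers = [who for who in ("group", "world") if "w" in perms[who][1]]
            if writers:
                rel = os.path.relpath(path, root)
                findings.append((rel, format(mode, "03o"), writers))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; folder names are the ones the article mentions."""
    modes = {"wp-admin": 0o755, "wp-content": 0o755, "wp-content/uploads": 0o775,
             "wp-includes": 0o477, "index.php": 0o644, "wp-content/debug.log": 0o666}
    for rel in modes:
        path = os.path.join(root, rel)
        if "." in rel:
            open(path, "w").close()   # names with a dot are files
        else:
            os.mkdir(path)
    for rel, mode in modes.items():   # set modes last so creation is not blocked
        os.chmod(os.path.join(root, rel), mode)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit(root)

if __name__ == "__main__":
    for rel, digits, writers in demo():
        print(f"{digits}  {rel}  writable by: {', '.join(writers)}")
```

To check a real installation, call `audit()` with the path of the WordPress root directory instead of the constructed tree.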

Once hackers gain full control over your site, they can add spam emails, send malware, or even copy your important files and delete them from your own website.

In addition, if authorized users accidentally make mistakes when changing code, your website will break. As a consequence, you will soon get a folder permission error message. This affects your website’s activities as well as its SEO performance. As soon as search engines and web hosts detect those problems on your WordPress site, they may suspend it until the error is fixed.

Fortunately, it’s pretty simple and straightforward to solve files and folder permission errors, especially after you already know what they are and how to modify their different modes.

Let’s figure out what to do when your WordPress folder permissions are in trouble.

3 Ways to Set Up WordPress Files and Folders Permissions

The two most common tools that WordPress sites use are FTP and cPanel. You must know which one you are using so that you can follow the instructions more easily. Besides, you can also take advantage of WordPress plugins to manage and protect your files and folders.

1) Use FTP client to edit file and folder permissions

Are you using an FTP client? Let’s establish a connection with the server first. Then, go to your root directory and select the desired files or folders. After that, right-click on them and choose File permissions.


A pop-up window will appear to show what functions each specific user type could have. You can enter the correct number in the Numeric value box, depending on the permissions you want to grant users.

Adjusting file permissions requires you to go through the same process. Remember to check “Apply to files only” before saving your changes.


2) Use cPanel to set correct WordPress file and folder permissions

Similar to FTP, cPanel enables you to set up correct permissions for your WordPress folders. Take these 4 steps to get started:

  • Log in to your cPanel account and open the root directory
  • Select all files or folders you need to reset permissions
  • Right-click and choose the Change Permissions option
  • Enter the correct number in the Permission box and save your settings

The same steps apply to your WordPress file permissions.

3) Use PDA Gold plugin to protect WordPress files and folders

The methods mentioned above force you to go to your website server and update permissions from the root directory. Prevent Direct Access (PDA) Gold and its Access Restriction extension, on the other hand, allow you to manage file and folder permissions in a completely different way. You can handle everything right in your WordPress admin dashboard.

The plugin protects your media files as well as folders under the WordPress upload directory. Also, it authorizes you to determine who can access your protected files under these folders, such as admins or logged-in users.

Follow these 4 simple steps to start protecting your WordPress folders and their files:

  • Download and install the PDA Gold plugin along with its Access Restriction extension
  • Click on the plugin icon on your admin navigation menu and head to the Folder Protection tab
  • Pick any folders you want to protect in the Select Folders dropdown
  • Select specific roles allowed to view files in your protected folders

Save changes and that’s it!

Your media upload folders are all secure now. You don’t have to go to your server and enter numbers in the “Change file attributes” popup like what you’ve done with FTP or cPanel anymore.

Secure WordPress Site with Correct File and Folder Permissions

Proper file and folder permissions help avoid unwanted security vulnerabilities to your WordPress site. Only the right people can take certain actions on your important folders like wp-admin or wp-content.

You can apply these 3 methods to set up and correct your WordPress file and folder permissions, ranging from an FTP client or cPanel to a third-party plugin.

While the first 2 methods require you to log in to your FTP or cPanel account and open the root directory, the other gets rid of this complexity and lets you edit folder permissions right in the WordPress admin dashboard.

Still have a question about how to control your WordPress file and folder permissions? Just say the word in the comment section below.

Author Bio: Emily Anniston

As a technical copywriter, Emily loves sharing her knowledge with the WordPress community, especially about WordPress protection and security tips. She never stops exploring new plugins and themes to bring more useful articles to readers and make WordPress a better place.


4 thoughts on “How to Control WordPress File and Folder Permissions”

  1. We have come across this blogsite many times when researching certain issues and information. Thank you for sharing all the valuable research!

  2. Thanks, it always seems like they make everything more complicated with each update of WordPress… Almost seems like a bit too much to keep up with.