Last Updated on May 25, 2021 by Larious
There are many ways in which hackers can gain illegitimate access to your WordPress site and bend it to their will. Unfortunately, the more they bend it, the further from recovery it becomes, so it’s important to pay attention to security. An ideal strategy is to take up each aspect of the WordPress site and explore ways to strengthen the security barriers. Today, let’s proceed with WordPress file permissions – who’s allowed to access what data and when?
Incorrect file permissions are usually the first strategy hackers use to access sensitive data and admin panel access to perpetuate further damage. If you set permissions for accessing them according to the job, you’re basically defining who can read, write, or execute the content.
Since this information is the foundation that sets the basic structure of your site, incorrect WP file permissions lead to unwanted users. This leads to external redirects to malicious sites, spam content, and SQL or malware injections, data breaches & data theft, website defacement, etc.
By setting the right permissions for different files and folders, you’ll have a secure WordPress site.
What are the important files on WordPress?
The first step always begins with identifying what’s important on your WordPress site. Many files and folders contain structural information and elements such as themes, plugins, other extensions, configurations, etc. Once you visit the WordPress site’s backend, you get to see a certain structure for these files.
Incorrect, file permission in WordPress can lead to hacks like Pharma SEO spam, redirection and much more.
For example, all the content on your WordPress site will be found on the ‘wp-content’ folder. In that, you’ll find the plugins installed and the files on them on your site in a folder called ‘plugins’. Your ‘wp-config.php’ file contains the configuration details like the credentials to your database, backend, etc. This file is useful for setting advanced options for the WordPress site as well. Files such as these shouldn’t be available to the public but limited to trusted users for reading and modifications.
Other core WP folders are ‘wp-admin’, ‘wp-includes’, etc. These are the prime areas to find important data and settings that define the functions and general appearance of the WordPress site.
How do file permissions function?
Setting such permissions is under your authority as the site owner so that you can determine who can access what on your site for how long. You can set a user to view or modify ‘wp-admin’ or ‘wp-config’ for their job requirements before changing it quickly.
WordPress offers three types of permissions for accessing files and folders:
- User – the WordPress site’s owner/administrator
- Group – a collection of users with roles that include subscriber, editor, or contributor
- World – accessible by the public
There are different levels of permissions available for different files and folders depending on their requirements and trustworthiness:
- Read (R) – User can view the files
- Write (W) – User can edit the files
- Execute (X) – User has the right to run/execute scripts and/or programs within the files and folder
Each file permission is linked to a specific 3-digit number, so you must be aware of this as well to set the correct permissions for the users to access the files and folders.
- The base numbers are:
0 – no access at all; 1 – execute the command; 2 – user can write; 4 – only view
Rest of the 3-digit code is a combination of 1,2, and 4:
3 = 2+1 = both execute and write
5 = 4+1 = both view and execute
6 = 4+2 = both view and write
7 = 4+3 = write, view, and execute the script
Here’s a list of do’s and don’ts that you can follow once you’re familiar with what each number stands for:
- Therefore, ‘777’ is a file and folder permission level that shouldn’t be given to all of them. This makes your WordPress site easy material for hackers to enter and play with it as they please. They can place spammy content, links that redirect your site’s visitors to questionable sites, and possibly launch DDoS attacks.
- ‘000’ and ‘444’ are also not ideal since WordPress requires the basic permission to execute or modify the scripts/commands in files. In the case of plugins, themes, or extensions, they should be given access for certain files and folders. A read-only access will compromise with the ability of these extensions to function fully with your site.
Changing file permissions is a simple task, but always proceed with a clean and fully functional backup of the site, just in case.
Step 1: Login to the web hosting account > go to ‘manage your hosting’ > select ‘cPanel’. Sometimes, different providers have different provisions/options, so do check in with your specific host. You can also use File Transfer Protocol (FTP).
Step 2: Take ‘File Manager’.
Step 3: Open ‘public_html’ for the WordPress site’s files and folders.
Step 4: Here, you can choose the file or folder you want to change permissions for, right-click, and take ‘change permissions’. This is applicable for both specific files or multiple folders and files to change all of them together.
What’s a good combination of permissions?
Here are some ideal file permissions for the core folders on your WordPress site:
- ‘Wp-admin’ – ‘755’ > ‘wp-content’ – 755’
- ‘wp-content/plugins’, ‘wp-content/themes’, ‘wp-content/uploads’ – 755
- ‘.htaccess’ – 644
- ‘Wp-config.php’ – 644
All other files can also follow ‘644’ level permission as well.
WordPress security can be a complicated topic despite looking simple on the surface it. For overall security check out this holistic WordPress security guide.