Guide On Setting Correct File Permissions and Ownership for WordPress

When it comes to improving the security of a WordPress website, installing security plugins is usually considered as the best practice that every WordPress website must follow. However, people don’t pay much attention to setting up file permissions and ownership of a WordPress site.

But remember that, file permissions and ownership are crucial elements that help ensure the overall security of a website. And, not setting up them properly can cause fatal errors and can compromise the security of your site and make it susceptible to attack.

Through this post, I’ll provide a detailed insight on setting up proper file permissions and ownerships in a WordPress site: what exactly do we mean by file permissions and ownerships and how to properly set them up.

I’ll also share with you the different type of WordPress file configurations and how they differ from each other.

Using Terminal For Changing File Permissions and Ownerships Over FTP Client

As you read through this post, in several sections, you’ll find that terminal is used for changing permissions and ownerships.

But, probably a few of you might wonder why can’t you use an FTP Client to serve such a need? The reason that we’ll not be using the FTP client is that it comes with certain limitations.

Wondering what?

While it’s true that the FTP Client like filezilla can help in transferring files and changing the permissions of files and folders, but it refrains users from changing the ownerships settings.

Now, before you begin to setup your file permissions and ownerships, be sure about getting logged-in into your server using the “SSH” command.

If you’re not familiar with using Linux commands, then you can have a better understanding of the same by going the article: “Introduction to Linux Commands.”

Understanding the Difference Between Groups and Users

One important concept that you need to become familiar with before getting down to anything technical is the difference between users or groups.

That’s because, both users and groups are closely related and are used to define permissions.

The user is basically an account having access to a computer system, while a group that help identify a set of users.

What this means is that at the time whenever you need to transfer your files using an FTP client, you’ll need to get logged in with your main server – using your user account. And based on how your web host has set up your user account, you might be a part of one or more groups.

In essence, you can consider “Users” and “Groups” to be just like WordPress users roles. Both of these concepts are same in a contextual manner, however, the former is being used on the server.

What makes users and groups important is that they help in recognizing identifying files and folder privileges.

Any user, who is the owner, of a particular file usually have complete privileges on that file; a few other users belonging to the same group as the owner will have lesser privileges to the file. Lastly, everyone else won’t be having any privileges on the file.

What Exactly Does File Permissions Mean?

So now that you’ve come to know about a few basic aspects of file permissions and ownerships, let us now talk about what exactly do we mean by WordPress file permissions.

In simple terms, permission is something that makes users authorized to read, write, modify and access different files and directories, belonging to a website.

In WordPress, permission is normally highlighted by a set of different numbers, such as: 644 or 777. These numbers are also referred to as “permission mode”.

If you’re a programmer and have worked on WordPress files and plugins before, then you most likely would have stumbled across a situation wherein: a certain program asks to change the permissions associated with some specific files and directory, since they cannot be configured by a plugin.

Put it simply, in order to give your web server the ability to access anything from a file, you’re required to change the file’s permission.

Oftentimes, permission mode in WordPress are being referred to as a statement: “who can do what”, to which every single numeric value (of the permission mode) represents the “who” part of that statement.

• The first numeric value corresponds to what can a user account having ownership of the file can do.
• The second numeric
  value corresponds to what all other user accounts – that are a part of the group that owns the file – can do.
• The third numeric value represents
  what leftover user accounts can do.

Next, in the permission mode the numbers represent
the “what” part of the programming statement, and is basically the “sum of the combinations” of the following digits:

• 4: Read a file, or the many different names of the files placed in a particular folder
• 2: Write a file or modify it, or allow modifying the contents of a specific folder.
• 1: Executes a file or run it, or help provide access to the files inside a particular folder.

 
The above mentioned digits are actually the privileges that are associated with the “who” part of the permission mode.
Note: Permissions can vary from one host to the other.

Understanding How You Should Modify the Permission Modes

An FTP client provides an interface that allows to change the permissions of all the files and folders in a highly convenient manner. The interface of the FTP client looks something like:

You can even make changes to the permission mode of your WordPress website files using the server’s terminal, but you must-have access to the terminal. Apart from having access to the terminal, you can make use of the “chmod” command for making the desired changes to permission modes of a particular file as well:

sudo chmod 644

Now, for making modification to all of the files (and folders) of your site, you’ll have to use the chmod command together with the find command, as follows:

sudo find . -type f -exec chmod 644 {} +

A Look at the WordPress Server Configurations

Before you start to make changes to your WordPress file permissions, it’s very important for you to become familiar with the process of setting up the server first.

You can find many different server configurations that requires a distinct set of permission modes to make a WordPress site work in a proper and secure manner.

But, I’ll be sharing only two of the most important and commonly used configurations and how you can set up proper file permissions for those configurations.

1. Standard Server Configuration – This WordPress configuration does not have any relationship between the user account and web server.

This is because the configuration requires that the web server must run as any other user account.

Before we start with the process of setting up permissions for the files for the standard server configuration, we must make some adjustments to the ownerships of files and folders taking into account the following considerations:

• your user account must own all the files and folders of a WordPress install.
• your user account and another user account of your web server should be part of the same group.

You can find out the group that your user accounts are associated with, using the “groups” command within your server’s terminal. And, to figure out the groups that your web server is a part of use the following PHP script:

echo exec( ‘groups’ );

If you come across a situation where your user and the web server belongs to a different group, then you can add a user to any group of your web server, by using the below provided command in the terminal:

sudo usermod -a -G <a-the-group-name> mygroup

In order to ensure that your user account has access to all the things of your WordPress folder and belongs to the newly created shared group, simply run the below mentioned command within the folder of your WordPress install:

sudo find . -exec chown mygroup:a-the-group-name {} +

Abiding by all of the aforementioned commands will ensure that all the files and folders of your WordPress site have correct ownership.

Lastly, all you have to do is to make adjustments to the file and folder permission mode. To do so, you must keep the following key points in mind:

• All files are required to have 664 permission mode.
• All folders are required to have 775 permission mode.
• The permission mode of the wp-config.php file ought to be 660.

 
Use either an FTP client for modifying the permission modes, or simply use the below mentioned commands within your WordPress install directory to serve such needs:

sudo find . -type f -exec chmod 664 {} +
sudo find . -type d -exec chmod 775 {} +
sudo chmod 660 wp-config.php

2. Shared Server (Or SuEXEC) Configuration: Compared to the standard WordPress server configuration, the permissions for the shared server configuration can be implemented in a remarkably easier way.

This is because, we don’t need to emphasize on setting up the ownership since the web server owns the files and folders. This means that both our user account and web server are the owners, and have same privileges.

And so, all we have to do is to modify the permission modes considering the below listed key points:

• all the files ought to be 644.
• all your folders ought to be 755.
• And the permission mode of wp-config.php file should be 600.

 
To change the permissions of the files and folders, simply use the following commands in your WordPress website directory:
sudo find . -type f -exec chmod 644 {} +
sudo find . -type d -exec chmod 755 {} +
sudo chmod 600 wp-config.php

Final Words
One more important thing that you must consider is to avoid using the ‘777’ permission mode since it allows anyone to get access to the list of files, and enables to make modifications to any file in the folder.

It’s pretty obvious that giving access privileges of a file to everyone is not good for your website security, as malicious users can place code in the file that can compromise your site’s security.

Hope that the post will make you better understand about the correct way to set up the file permissions and ownerships of your WordPress website.

Author Biography:
Jack Calder is a master in Web development technologies. He has successfully completed so many projects on time. Right now he is a PSD to WordPress Conversion service provider for some potential clients for SKT Themes.