File permissions in WordPress

File permissions are always a bone of contention when it comes to operation, security, and everything else around WordPress. But what permissions does WordPress need to work?

The answer, as usual, is “it depends.” And what does it depend on? Your hosting and how its users are managed.

But first, let’s look briefly at what the various permissions mean. Here we will only cover permissions in Linux, although in Windows they work in a similar way.

What permission numbers mean

To summarize, when we upload our WordPress to the server we have 2 types of items: files and folders. A file is a container of content (text, image, etc.) and a folder is a place to group files.

Both must have certain permissions, of which there are 3: read, write and execute.

On the other hand, we have 3-digit numbers. The first digit refers to the owner of the file, the second to the group to which that user belongs, and the third to the rest of the users.

With this mixture, as a general rule we will have 2 types of numbering.

Permissions for folders

In the case of folders, in order to enter them they need the execute permission. The difference, then, will be in whether they are read-only or read-write.

  • Write: W
  • Read: R
  • Execute: X

In this way, the folders, at first, could be like this:

Owner    Group    Others
W X R    W X R    W - R

Since on a hosting account both the owner and other users of the same group (other developers) can log in, we leave the group permissions so that they can do the same as the owner. If some other user tries to do something, they could enter and look at a folder, but not modify it.

Permissions for files

In the case of files, we do not need them to be executable at any time, since we will not run any program. The files will only be readable and writable, as needed.

  • Write: W
  • Read: R
  • Execute: X

In this way, the files, at first, could be like this:

Owner    Group    Others
W - R    W - R    - - R

Since on a hosting account both the owner and other users of the same group (other developers) can log in, we leave the group permissions so that they can do the same as the owner. If some other user tries to do something, they could enter and look at a folder, but not modify it.

The numbers

Most commonly we see codes such as 644 or 775. What do these numbers mean? Each digit is a combination of the WXR permissions.

Symbols   Numbering   Explanation
---       0           There are no permissions of any kind.
--x       1           There are execute permissions.
-w-       2           There are write permissions.
-wx       3           There are write and execute permissions.
r--       4           There are read permissions.
r-x       5           There are read and execute permissions.
rw-       6           There are read and write permissions.
rwx       7           All permissions.

Permissions on a shared hosting

On shared hosting, the system usually has several FTP users that all share the same group. That way, one user is the owner and the others are in the same group. In this case, the owner and the group must always have the same permissions, and the rest the minimum necessary to operate.

If we do so, the permissions for all the files of a WordPress would be:

  • Folders: rwxrwxr-x / 775
    With this, anyone can enter the folders and read their contents. Those who have a user account will be able to write in them.
  • Files: rw-rw-r-- / 664
    In this case, anyone can always read the contents of the files. Those who have a user account will be able to write in them.

In the case of WordPress, all files should have these permissions. In no case should you give execution permissions to a file, and it does not make sense to give write permissions to other users.

If someone recommends that you set the folders to 777 or 666, be careful, because it is likely that the problem is not permissions, but something that is wrong in some other configuration.

Permissions on a VPS/dedicated

When we talk about dedicated hosting, a VPS or any system controlled by a system administrator, things change. In these cases the setup can be extremely restrictive, since it depends a lot on who owns the files and folders.

Here we can reduce the range of cases, especially with respect to security. In most cases, the services that run on the server (for example apache or nginx) can be placed in the same group of users, and if this is the case “there are no more users”.

This gives us 3 levels: you / the webmaster (owner), WordPress itself (group) and other users.

If we do so, the permissions for all the files of a WordPress would be:

  • Folders: rwxr-x--- / 750
    With this you can enter the folders and read their contents. Users will be able to write to them. Other users would not have access.
  • Files: rw-r----- / 640
    In this case you can always read the contents of the files. Users will be able to write to them. Other users would not have access.

This would be the extreme case, which in general is not necessary either. Most commonly, you will be lighter with the permissions and leave a more lax configuration.

  • Folders: rwxr-xr-x / 755
  • Files: rw-r--r-- / 644

For your safety

In any case, as you may have seen, write permissions are never given to the last of the 3 blocks, and only folders are given execute permissions, never files.
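The rule above can be checked mechanically. The following is an added example, not part of the original article: it lists every path that is writable by "others" and every file with an execute bit, and resets a tree to one of the folder/file mode pairs given earlier. The function names and the `WP_ROOT` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the two rules above.
# Function names and WP_ROOT are hypothetical, chosen for this example.

# Print one line per violation, prefixed with the reason.
audit_wp_perms() {
    root=$1
    # Rule 1: the last of the 3 blocks ("others") never gets write.
    find "$root" \( -type f -o -type d \) -perm -002 \
        -exec printf 'other-writable: %s\n' {} \;
    # Rule 2: only folders get execute, never files (any of the 3 blocks).
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'executable-file: %s\n' {} \;
}

# Number of violations found under the given root.
count_wp_violations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Reset every folder and file to the given modes.
# Defaults are the 755 / 644 pair; pass 750 640 or 775 664 as needed.
apply_wp_perms() {
    root=$1
    dir_mode=${2:-755}
    file_mode=${3:-644}
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
}

# Stand-alone use: WP_ROOT=/path/to/wordpress sh thisfile.sh
if [ -n "${WP_ROOT:-}" ]; then
    audit_wp_perms "$WP_ROOT"
fi
```

Run the audit first and review its output before applying modes, since ownership (which user and group hold the files) decides which of the mode pairs is appropriate.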


About this document

This document is licensed under the EUPL v1.2, published in WP SysAdmin and created by Javier Casares. If you use this content on your website, in a presentation or in any material you distribute, please remember to mention this site or its author, and to put the material you create under the EUPL license.