Are you concerned that hackers might use your WordPress files to gain access to your website?
We wish we could tell you there’s nothing to be concerned about, but hackers often exploit incorrect file permissions to gain access to WordPress files.
File permissions define who can read, write, and execute the files that make up your WordPress site. If they are set incorrectly, unauthorized users and hackers can modify your files, insert spam content, and inject malware.
This gives them access to your site and lets them carry out malicious activities such as defacing it, spamming your customers, and stealing confidential information.
Fortunately, you can prevent all of this by setting the correct permissions on your WordPress files. In this guide, we’ll show you how to set the proper file permissions for the various WordPress files and folders. Your website will be much better protected against hackers as a result.
The WordPress File Structure: A Summary
To set file permissions, you must first determine what needs to be protected. Configurations, templates, plugins, posts, media, and other web components are stored in several directories and files on your WordPress site.
If you look at the backend of your website, you’ll notice that your files and directories are organized in a specific way. For example, a folder named wp-content contains all of your website’s content. Files relating to your site’s plugins can be found in a folder called plugins inside this folder. Check out our guide to the WordPress database and file layout.
WordPress comes with three main directories by default:
- wp-admin
- wp-content
- wp-includes
The core files include, among others:
- index.php
- wp-config.php
- .htaccess
These are the most relevant directories and files because they contain data and settings that are vital to your WordPress website’s functionality and appearance.
The wp-config file, for example, includes database information such as the database name, hostname, username, and password. It’s also where WordPress’s advanced options are defined.
Only trusted users should be able to read and edit this file, and it should not be accessible to the general public. If the wp-config file can be read by anyone, hackers can steal your database credentials and use them to hack your website.
Similarly, each of the files and folders mentioned above plays an important role on your website, and you must secure them by using the proper file permissions.
What Are WordPress File Permissions?
File permissions are a collection of rules that specify who on your WordPress site has access to what. For example, you can control who has access to the wp-admin folder and in what capacity, i.e. whether they can only view it or also make changes to it.
Your files and directories can be accessed by three different types of users:
- User – This is the owner or administrator of the WordPress site.
- Group – This denotes a set of users who have roles on your site such as subscribers, contributors, or editors.
- World – This is the general public, or rather anyone on the internet.
As described above, not every type of user needs full permission to access your files and directories. Giving the entire world full access to confidential files can be catastrophic!
Depending on how much you trust each type of user, you must grant different levels of permission to different types of users. You can grant permissions at three different levels:
- Read (R) – This gives a user the ability to view a file.
- Write (W) – The user can alter and edit the file.
- Execute (X) – The user can run scripts and programs inside a file or folder.
By correctly setting file and folder permissions, you prevent hackers from accessing sensitive data and modifying essential files.
File permissions are set as a three-digit number, and you must understand what each digit means in order to set the correct number.
What are File Permission Numbers?
File permissions are written as a combination of three digits. From left to right, the digits correspond to the permissions granted to each type of WordPress user: the user (owner), the group, and the world.
Each number denotes a specific level of permission granted to the corresponding user:
- 0 – No access
- 1 – Execute
- 2 – Write
- 4 – Read
The rest of the numbers are combinations of 1, 2, and 4:
- 3 – (2+1) Write and execute
- 5 – (4+1) Read and execute
- 6 – (4+2) Read and write
- 7 – (4+2+1) Read, write and execute
You wouldn’t want all of your file permissions set to 777, allowing everyone to read, write, and execute your files. This gives a hacker write permissions, allowing them to change your files and redirect your visitors to other pages, launch larger attacks on another website (DDoS), spam and defraud your customers, and more.
Nor can you set every permission to 000 or 444. This is because WordPress often needs permission to execute or change files. In order for you to be able to use plugins and themes, they require access to specific files and directories.
If you make everything read-only, WordPress and many plugins and themes will stop working. Your WordPress website will be broken if you use those permission settings.
So, what are the WordPress file permissions that are recommended?
Recommended File Permissions in WordPress
The following are the recommended file permissions for your WordPress site.
- wp-admin: 755
- wp-content: 755
- wp-content/themes: 755
- wp-content/plugins: 755
- wp-content/uploads: 755
- wp-config.php: 644
- .htaccess: 644
- All other files: 644
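The following is an added example (not code from the original article) that ties the digit arithmetic above to the recommended table: it expands a numeric mode into rwx form, audits a WordPress tree for directories that are not 755 and files that are not 644, and applies the recommended values. It assumes a POSIX shell with find, chmod and stat (GNU `stat -c %a`, with BSD `stat -f %Lp` as a fallback); the sample tree is constructed in a temporary directory.

```shell
# Added example, not code from the original article. Assumes a POSIX shell with
# find, chmod and stat (GNU `stat -c %a`, with BSD `stat -f %Lp` as a fallback).

# Expand a three-digit octal mode such as 644 into ls-style notation (rw-r--r--)
# by testing the read (4), write (2) and execute (1) bit of each digit.
mode_to_rwx() {
    rest=$1; out=''
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}; rest=${rest#?}      # peel off the leading digit
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# Octal mode of one path, e.g. 755 or 644.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit a WordPress tree: print "<actual> <expected> <path>" for every directory
# that is not 755 and every file that is not 644; print nothing when all is well.
wp_perm_audit() {
    find "$1" -type d | while read -r p; do
        m=$(mode_of "$p"); [ "$m" = 755 ] || printf '%s 755 %s\n' "$m" "$p"
    done
    find "$1" -type f | while read -r p; do
        m=$(mode_of "$p"); [ "$m" = 644 ] || printf '%s 644 %s\n' "$m" "$p"
    done
}

# Apply the recommended permissions from the table above to a whole tree.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree (not a real site) with two deliberately wrong modes:
# a world-writable wp-content directory and a world-writable wp-config.php.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-content/uploads"
    printf '<?php\n' > "$t/wp-config.php"; : > "$t/.htaccess"
    chmod 755 "$t" "$t/wp-admin" "$t/wp-content/uploads"; chmod 777 "$t/wp-content"
    chmod 644 "$t/.htaccess"; chmod 666 "$t/wp-config.php"
    printf '%s\n' "$t"
}
```

Run `wp_perm_audit /path/to/public_html` first and review the output before running `wp_perm_fix`; chmod does not change ownership, so 755/644 only work as intended when the files are owned by the account WordPress runs as.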
How to Change File Permissions on WordPress
Changing the permissions on your files is an easy operation. But, before you go any further, we strongly advise you to make a backup of your WordPress site. Any change to the WordPress backend carries risk and can result in a broken site. Backup plugins such as BlogVault can be used to take a backup of your site. You can restore your site to its previous state if anything goes wrong.
You’ll need access to your WordPress directories and files to set permissions. This can be accomplished in two ways:
Change WordPress file permissions using cPanel
Step 1: Log in to your web hosting account and pick cPanel under “manage your hosting.” (This can differ depending on the host; please double-check with your web host.)
Step 2: Go to File Manager in cPanel.
Step 3: Inside the public_html root folder, you’ll find your WordPress website’s files and folders.
Step 4: Modify permissions by right-clicking on the folder or file you want to set permissions for.
Step 5: To save your changes, select the permissions you want and click ‘Change permissions.’
The permissions on your files will be updated immediately. If you don’t have access to cPanel, you can still use FTP (File Transfer Protocol) to modify your file permissions.
Change WordPress file permissions using FTP
FTP (File Transfer Protocol) lets you connect to your WordPress website’s server and access its directories and files. To use FTP, you’ll need to download FileZilla or another FTP client. We can begin once you have it installed.
Step 1: Enter your FTP credentials and select ‘Quickconnect’ to connect to your server.
Step 2: The right-hand panel will populate with files and directories. Go to the public_html folder and open it. The files and directories for your website can be found here.
Step 3: Pick ‘File permissions’ from the context menu when right-clicking on the file or folder you want to set permissions for.
Step 4: Update the permissions here and then click ‘OK’ to save your changes.
That concludes our discussion. Your file permissions have been modified and are now correctly configured.
Changing the permissions on your files is a good first step toward protecting your WordPress site. Hackers will no longer be able to access your WordPress files through incorrect permissions.
Hackers, on the other hand, have a slew of tricks up their sleeves for breaking into your website. They use brute force attacks, SQL injections, and XSS attacks, to name a few, to attack your WordPress site.
You’ll need a dependable WordPress security plugin to keep your site secure from hackers. Once it is installed on your site, it will scan and monitor your website’s activity on a regular basis. It can also detect suspicious activity early and stop hackers from accessing your site.