
Secure WordPress chmod: A Guide to correct file permissions


WordPress powers a lot of websites because it is a flexible and easy-to-use CMS. However, this popularity also makes it a target for malicious attacks. One of the essential ways to improve your WordPress website's security is by setting proper file permissions. This article will guide you through securing your WordPress installation using the chmod command, following best practices.

Understanding chmod file permissions

In Unix-like systems, the chmod command is used to change the permissions of files and directories. Permissions define who can read, write, or execute files and, in the case of directories, who can list their contents or traverse the directory structure. They are essential for basic security. The main permissions are:

  • Read (r): View the contents of the file or list the contents of the directory.
  • Write (w): Modify the contents of the file or add/remove files from the directory.
  • Execute (x): Run the file as a program or enter the directory and access its contents.

An actual permission can be a combination of the three permissions mentioned. For example:

  • rw (read and write) means that a resource can be read and written, but not executed, because x is missing;
  • rx, if set on a file, means that the file can be read and executed as a program, but not written to, because w is missing.

Permissions are set for three types of users, in this order: the file owner, the group, and others.
So a full chmod permission consists of three permissions, one for each type of user. For example, rwx rw r allows the owner any operation, the group to read and write, and all other users to read the file.

The rwx permissions have corresponding numeric representation. Some quick shortcuts to memorize are:

  • rwx is 7 (read, write and execute)
  • rw is 6 (read and write)
  • rx is 5 (read and execute)
  • r is 4 (read only)

The rwx permission is the most insecure, and you should strive to reduce its usage. This is why 777 is the most insecure mode: it allows any user on the system to do anything to a file that has it.

The WordPress Codex and security experts recommend the following chmod settings:

  • Directories: 755 or 750
  • Files: 644 or 640
  • wp-config.php: 600

These settings ensure that only authorized users can modify files and directories, reducing the risk of unauthorized changes or security breaches.

It is crucial to run your web server with the correct permissions setup before adjusting WordPress file permissions.
For details, read our guide: NGINX and PHP-FPM. What my permissions should be?

Setting Secure Permissions with chmod

Secure Directories:

find /path/to/wordpress -type d -exec chmod 750 {} \;

This sets directory permissions to 750: the owner can read, write, and traverse, the group can list and traverse, and other users have no access.

Secure Files:

find /path/to/wordpress -type f -exec chmod 640 {} \;

This sets file permissions to 640: the owner can read and write, the group can read, and other users have no access.

Secure wp-config.php:

chmod 600 /path/to/wordpress/wp-config.php

This restricts the wp-config.php file, a critical WordPress configuration file, to be readable and writable only by the owner.

Excluding .git Directories

When setting permissions, it’s essential to exclude .git directories to preserve their integrity and prevent unauthorized access. Use the -not -path '*/.git*' option with find to exclude these directories.

Automating with Bash Scripts

For convenience, you can automate the permission-setting process with a bash script. This script would use the find command to set the recommended permissions and exclude .git directories.
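One way to write such a script, as an added example rather than code from the original article. The function name secure_wp_perms is hypothetical, and the wp-config.php presence check is an assumption used to avoid running against the wrong directory.

```bash
#!/usr/bin/env bash
# Added example. secure_wp_perms is a hypothetical helper name.
# Applies the article's modes: directories 750, files 640, wp-config.php 600.

secure_wp_perms() {
    wp_root="${1:?usage: secure_wp_perms /path/to/wordpress}"

    # Refuse anything that does not look like a WordPress root, so a
    # mistyped path cannot re-permission an unrelated tree.
    if [ ! -f "$wp_root/wp-config.php" ]; then
        echo "error: $wp_root/wp-config.php not found" >&2
        return 1
    fi

    # The article's exclusion pattern. It skips .git and everything under
    # it, and also any other name starting with .git (.gitignore, .github).
    find "$wp_root" -type d -not -path '*/.git*' -exec chmod 750 {} + || return 1

    # -type f never matches symlinks, so link targets outside the tree
    # are left alone.
    find "$wp_root" -type f -not -path '*/.git*' -exec chmod 640 {} + || return 1

    # Tighten the configuration file last, after the blanket 640 pass.
    chmod 600 "$wp_root/wp-config.php"
}

# Run against the path given on the command line, if any.
[ "$#" -eq 0 ] || secure_wp_perms "$1"
```

Run it as the user that owns the WordPress files, passing the installation path as the only argument.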

Monitoring and Maintenance

Regularly check and correct file permissions, especially after installing new plugins or themes. Tools and scripts are available that can monitor your file permissions and alert you to any changes.
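A read-only audit for this kind of check, as an added example that is not from the original article. The name audit_wp_perms is hypothetical, and `-perm /mode` and `-printf` assume GNU find; it reports anything more permissive than the recommended 755 (directories), 644 (files) and 600 (wp-config.php).

```bash
#!/usr/bin/env bash
# Added example. audit_wp_perms is a hypothetical helper name.
# Prints "mode path" for each entry more permissive than the article's
# recommendations. Returns 0 if clean, 1 if findings, 2 on a bad path.

audit_wp_perms() {
    wp_root="${1:?usage: audit_wp_perms /path/to/wordpress}"
    wp_root="${wp_root%/}"   # normalise so the -path test below matches

    if [ ! -f "$wp_root/wp-config.php" ]; then
        echo "error: $wp_root/wp-config.php not found" >&2
        return 2
    fi

    findings=$(
        # Directories: any group-write or other-write bit exceeds 755.
        find "$wp_root" -type d -not -path '*/.git*' \
            -perm /022 -printf '%m %p\n'
        # Files: any execute bit, or group/other write, exceeds 644.
        find "$wp_root" -type f -not -path '*/.git*' \
            -not -path "$wp_root/wp-config.php" \
            -perm /133 -printf '%m %p\n'
        # wp-config.php: any bit outside 600 is a finding.
        find "$wp_root/wp-config.php" -perm /177 -printf '%m %p\n'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run against the path given on the command line, if any.
[ "$#" -eq 0 ] || audit_wp_perms "$1"
```

The non-zero exit status on findings lets a cron job or deployment step raise an alert after a plugin or theme install changes modes.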


Setting the correct file permissions is a fundamental step in securing your WordPress site. By understanding and implementing the recommended permissions using the chmod command, you can protect your site from many common vulnerabilities. Remember, security is an ongoing process, and regularly reviewing and updating your permissions should be part of your routine maintenance.

By following these best practices, you can significantly enhance the security posture of your WordPress site, protecting it against unauthorized access and potential exploits.
