How to configure WordPress file permissions


Overview
This article explains how to set the correct permissions for files within a WordPress installation.

Changing permissions

Attention: Do not change a client's WordPress file permissions without consulting with your Shift Lead.

One of the first items to consider is the hosting environment for your site. If you are running Linux, there are two main environments that you will find:

  1. PHP scripts execute via mod_php or an equivalent, and all scripts run as the web server user. This means a running script can sometimes read files at the same privilege level as the web server. This could allow cross-account snooping in shared hosting configurations and is not ideal in a shared environment, especially for eCommerce.

  2. PHP scripts execute as the user who owns the files via an intermediate construct such as suPHP, PHP suEXEC, PHP-FPM, and so on. In this case your scripts run as you, which is overall a more secure configuration when running on a shared server. Here at Nexcess, this is the most commonly used environment.

The second environment is the preferred method if the permissions are configured correctly, as it provides an extra level of security provided by Linux. A majority of our shared WordPress OBP plans provide this environment, and it is preferred because it provides user-based permissions isolation, so stricter file permissions can be used.

Attention: To execute the following changes, you will need to have SSH access. If you do not have SSH access please contact support@nexcess.net.

The Linux permissions for all files in your WordPress base directory should be set to readable and writable by the owning user (you) and readable only by everyone else. This creates a baseline where the web server can read all files. It needs read access in order to serve static content like images, CSS and JavaScript files. Unlike the method above, we will be adjusting script permissions to be more stringent later on.

find </path/to/wordpress> -type f -exec chmod 644 {} \;

If possible, the permissions for all files should be set to readable and writable by your user, readable by the group, and no permissions for others. In some instances this may cause issues with other software or plugins, but it is possible to restrict these permissions in some instances.

find </path/to/wordpress> -type f -exec chmod 640 {} \;

Change the Linux permissions for all directories in your WordPress base directory to listable, file editable and navigable for the owning user and simply navigable for everyone else.

find </path/to/wordpress> -type d -exec chmod 711 {} \;

In some cases you may find that some plugins require the wp-content folder to be made writable. If so, change the permissions of the wp-content folder and all subfolders.

find </path/to/wordpress/wp-content/> -type d -exec chmod 755 {} \;

Lock down permissions for all PHP scripts so that only your user can read them. This is ideal because only your user should need to know the contents of scripts.

find </path/to/wordpress> -type f -name "*.php" -exec chmod 600 {} \;
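
To check the result of the commands above, the following added example (not part of the original article and not Nexcess code) audits a tree for entries looser than the modes this article sets. It assumes GNU find; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Nexcess code. Assumes GNU find (-perm /MODE, -printf).

# Report entries looser than the modes set by the commands in this article.
# Prints "<rule> <octal mode> <path>" per finding; no output means clean.
wp_perm_audit() {
    root=$1
    # PHP scripts: anything beyond 600 (owner execute, or any group/other bit).
    find "$root" -type f -name '*.php' -perm /177 -printf 'php-beyond-600 %m %p\n'
    # Other files: anything beyond 644 (execute bits, group/other write).
    find "$root" -type f ! -name '*.php' -perm /133 -printf 'file-beyond-644 %m %p\n'
    # Directories: writable by group or others (711 and 755 both pass).
    find "$root" -type d -perm /022 -printf 'dir-group-or-world-writable %m %p\n'
}

# Build a small constructed WordPress-like tree and apply the article's commands.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    : > "$t/wp-includes/style.css"
    : > "$t/wp-content/uploads/logo.png"
    find "$t" -type f -exec chmod 644 {} \;
    find "$t" -type d -exec chmod 711 {} \;
    find "$t/wp-content/" -type d -exec chmod 755 {} \;
    find "$t" -type f -name "*.php" -exec chmod 600 {} \;
    printf '%s\n' "$t"
}

# Demo: a 777 directory and a 666 file in the sample tree are both reported.
demo=$(make_sample_tree)
chmod 777 "$demo/wp-content/uploads"
chmod 666 "$demo/wp-includes/style.css"
wp_perm_audit "$demo"
rm -rf "$demo"
```

A tree that passes with 644 files also passes with the stricter 640 variant, since the audit only reports bits beyond the article's baseline.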

777 permissions

You may encounter instructions for web-based software stating that files must be set to 777 permissions (read/write/execute for all). This may be necessary for some directories but is rarely the case for files. Permissions of 666 (read/write for all) are adequate in these cases if stricter permissions cannot be set. Setting 777 also sets the execute bit on files, which most web servers do not require in most cases. In many cases a plugin may require more open permissions. Read the plugin's documentation or contact the developer to inquire about the permissions it requires.

For further reading about WordPress file permissions, visit the WordPress website.

 

For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.
