WordPress Security: Why These Permission Changes to WordPress Files and Directories Can Save Your Site


Warning: This is a tutorial for advanced users. If you are not comfortable with file permissions, we recommend contacting our support team for help. 

File Permissions

File permissions are what they sound like: a set of permissions that determine who can and cannot access your files. These permissions not only affect who can view the file but also who can edit and execute it.

It’s imperative to take the time to set up your file permissions correctly. Badly set file permissions can be a security risk, allowing anyone to access or execute items on your server. 

WordPress is no exception. While the WordPress admin interface handles the web design and post creation, WordPress still consists of files on your web server. As such, your chosen file permissions still matter. 

We talked to our resident security experts here at Pair Networks and asked them what they recommended. We’ve put together their recommendations (and how to implement them on your Pair server) below. 

If you’d like to watch instead of reading this information, check out one of our security webinars over at CrowdCast. Our security experts have all sorts of recommendations and tricks to keep your WordPress installation secure.  

Understanding Your File Permissions

File permissions don’t just apply to files; they also apply to directories (folders). We’ll be going over how to find your file permissions, what file permissions are recommended for WordPress files, and how to change them. However, this process requires an understanding of how file permissions work and how to read them. 

If you are not familiar with file permissions, we strongly recommend reading our knowledge base article, File Permissions.

Check Your Current Permissions First

Before you dive into what our security experts recommend, you should first check what file permissions you currently have configured. 

It could be that your WordPress installation was using the correct permissions all along, as would be the case with any PairSIM installation or our Managed WordPress Hosting. 

While it is possible to check and change your file permissions directly in the Account Control Center (ACC), we’re going to be using a terminal to do so in this article. We’re doing this because a terminal has some great commands that will significantly speed up the process. Otherwise, you might have to spend all night (and maybe the next day) changing each file one by one.

You can use any terminal program you are comfortable with. Not sure what to use? If you are using a Mac OS X environment, you can use its built-in Terminal program. If you are on a Windows machine, you can use its Command Prompt tool. 

Note: Customers on Pair Legacy accounts will require different permissions and steps for WordPress to work correctly. If you would like to change your file permissions to be more secure, we strongly recommend either reaching out to our support team for specific steps or upgrading to one of our newer offerings (they’re more secure and give you more bang for your buck!). 

Now, to see your file permissions from the terminal, follow these steps: 

  1. Connect to your Pair server using SSH
  2. Navigate to your WordPress installation directory
  3. Type the command ls -l
  4. You will see your files listed with their file permissions

If you don’t know how to read the permissions, please see our File Permissions knowledge base article. 

Use File Permissions to Secure Your WordPress Installation

Once you have found and identified your WordPress installation’s file permissions, you can start checking whether or not they line up with our security experts’ recommendations. 

Remember – Pair Legacy accounts (created before June 2011) have separate steps and recommendations. We recommend reaching out to our support team for more information. 

Change the wp-config.php file to 600

Our security experts’ first recommendation is to change your wp-config.php permissions to 600 (or rw-------). Doing so restricts the wp-config.php file to only the file’s owner (which in most cases is the server admin). 

It’s crucial to restrict access to the wp-config.php file because it contains sensitive information, like the username and password for your WordPress database (which in turn holds your other WordPress login credentials). There are bots out there designed to guess the file path to wp-config.php files for WordPress installations. If a bot finds a readable one, it gains access to all the sensitive information stored there (essentially giving whoever runs it the power to break into your WordPress site and wreak havoc). 

If you are using our PairSIM installation manager or one of our Managed WordPress hosting accounts, the wp-config.php file should already be configured to 600 for you. 

Is your wp-config.php file not set to 600? Don’t worry – we’ll show you how to easily change these permissions in a few sections. 

Change Your WordPress Directories to 705

Your directories are the folders of your server file system. If you have perused the ACC, you will have seen them marked by little blue folder icons. 

While folders aren’t nearly as sensitive as a file like wp-config.php, they may still contain sensitive information that you do not want the world to have access to. As such, our security experts recommend changing all your WordPress installation directories to 705 (or rwx---r-x). 

Change Your WordPress Files to 604

Our security experts also recommend changing your WordPress installation files to 604 (or rw----r--). This action limits the files from being rewritten or executed by outside sources and helps minimize any potential security risks. 

How to Easily Change Your Permissions

If all of your files had the correct permissions, great! You can skip this section. However, if you need to change a few file permissions, we’ll show you how to do so easily and quickly from the terminal. 

Just follow these steps:

  1. Return to the terminal and navigate back to your WordPress installation directory
  2. From the terminal, you can enter the following commands to change your file permissions

To change your wp-config.php file, use this command: 

chmod 600 wp-config.php

To change all your directories to 705 at once, use this command:

find /path/to/your/wordpress/install/ -type d -exec chmod 705 {} \;

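To change all your other files to 604 at once, use this command (the ! -name wp-config.php test skips wp-config.php, so it stays at 600 instead of being reset to 604):

find /path/to/your/wordpress/install/ -type f ! -name wp-config.php -exec chmod 604 {} \;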
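
The check-then-change procedure above as one script, added here as an example (it is not Pair's own tooling): it audits a tree against the article's three modes without changing anything, then applies them with wp-config.php last so a bulk file pass cannot leave it at 604. The function names and the sample tree are constructed for illustration; call the functions on your real install path instead.

```shell
#!/bin/sh
# Added example. Modes are the article's: wp-config.php 600, directories 705,
# every other file 604. Function names are hypothetical.

# audit_wp_perms ROOT: print "<expected-mode> <path>" for every path that
# deviates. Read-only. Relies on POSIX find -perm MODE, which is an exact match.
audit_wp_perms() {
    find "$1" -type d ! -perm 705 -exec printf '705 %s\n' {} +
    find "$1" -type f ! -name wp-config.php ! -perm 604 -exec printf '604 %s\n' {} +
    find "$1" -type f -name wp-config.php ! -perm 600 -exec printf '600 %s\n' {} +
}

# count_deviations ROOT: number of lines audit_wp_perms reports.
count_deviations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# apply_wp_perms ROOT: set the recommended modes. wp-config.php goes last so
# the bulk file pass cannot leave it world-readable at 604.
apply_wp_perms() {
    find "$1" -type d -exec chmod 705 {} +
    find "$1" -type f -exec chmod 604 {} +
    find "$1" -type f -name wp-config.php -exec chmod 600 {} +
}

# make_sample_tree: constructed stand-in for a WordPress install with
# deliberately loose modes. Prints the path of the new directory.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-admin"
    : > "$t/wp-config.php"; : > "$t/index.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 777 "$t/wp-content/uploads"
    chmod 644 "$t/wp-config.php"
    chmod 666 "$t/wp-content/uploads/a.jpg"
    printf '%s\n' "$t"
}

# Demo on the constructed tree: audit, fix, audit again.
demo() {
    tree=$(make_sample_tree)
    echo "before:"; audit_wp_perms "$tree"
    apply_wp_perms "$tree"
    echo "after: $(count_deviations "$tree") deviation(s)"
    rm -rf "$tree"
}
demo
```

Running audit_wp_perms before any chmod shows exactly which paths will change, which is worth saving in case a plugin or theme stops working afterwards.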

Need Help?

If you experience any issues or are apprehensive about attempting this process by yourself, please reach out to our 24/7 support team. They love to help customers make these types of fixes on their hosting accounts. Better security means happier customers, and your customer satisfaction is important to us. 

Just visit our Contact page to see all the ways you can reach us.