How to Change File Permissions in WordPress – Fix 755 644 444 Settings
April 23, 2024
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Quick summary: Fix WordPress file permissions in one click with WP Ghost’s Security Check (Premium), or manually via FTP or cPanel. The correct values are 0755 for directories, 0644 for files, and 0444 for wp-config.php.
Why File Permissions Matter
File permissions control who can read, write, and execute files on your server. On a WordPress site, three types of users interact with files: the server owner (your hosting account), the web server process (Apache or Nginx), and everyone else. When permissions are too open (for example 777), any process on the server can modify your files.
If an attacker exploits a vulnerability in any plugin, they can inject malicious code into core files, steal database credentials from wp-config.php, or install backdoors. Correct permissions limit what each user type can do, containing the damage even if a vulnerability exists. Incorrect permissions are one of the most common server-level security issues WordPress sites face.
The Correct Permission Values
WordPress recommends these permission values for a secure installation:
| Type | Permission | What It Means |
|---|---|---|
| Directories | 0755 | Owner: read, write, execute. Group and others: read and execute only |
| Files | 0644 | Owner: read and write. Group and others: read only |
| wp-config.php | 0444 | Read-only for everyone. Prevents any process from modifying database credentials |
Never use 777 on any file or directory. Permission 777 means every user on the server can read, write, and execute the file. On shared hosting, this means other accounts on the same server could modify your files.
Method 1: Fix Permissions with WP Ghost (One Click)
The fastest method. WP Ghost detects incorrect permissions during a Security Check and fixes them in one click. This is a Premium feature.
1. Go to WP Ghost > Security Check.
2. Click Start Scan.
3. If file permissions are incorrect, WP Ghost flags them as a security task.
4. Click Fix it and select your scope: fix all directories, files, and config files, or just the main directories.
5. After the fix, run the Security Check again to confirm all permission tasks pass.
WP Ghost applies the recommended values: 0755 for directories, 0644 for files, and 0444 for config files like wp-config.php.
Method 2: Fix Permissions via FTP
If you prefer to fix permissions manually or do not have WP Ghost Premium, use an FTP client like FileZilla.
1. Connect to your server with your FTP credentials and navigate to your WordPress installation directory.
2. Right-click the WordPress root folder and select File permissions. Set the value to 755. Check Recurse into subdirectories and select Apply to directories only. Click OK.
3. Right-click the WordPress root folder again. Set the value to 644. Check Recurse into subdirectories and select Apply to files only. Click OK.
4. Locate wp-config.php in the root folder. Right-click, select File permissions, and set it to 444. Click OK.
The “Apply to directories only” and “Apply to files only” options in FileZilla let you set different permissions for folders and files in a single pass, so you do not need to change each one individually.
Method 3: Fix Permissions via cPanel File Manager
If your hosting uses cPanel, you can modify permissions directly through the File Manager.
1. Log in to your cPanel dashboard and open File Manager.
2. Navigate to your WordPress installation folder.
3. Right-click a directory and choose Change Permissions. Set to 755. Repeat for all directories.
4. Right-click a file (like index.php) and choose Change Permissions. Set to 644. Repeat for all files.
5. Set wp-config.php to 444.
cPanel’s File Manager does not have a “recurse into subdirectories” option like FTP clients. You will need to set permissions on each directory individually, or use the Terminal feature in cPanel to run bulk commands: find /path/to/wordpress -type d -exec chmod 755 {} \; for directories and find /path/to/wordpress -type f -exec chmod 644 {} \; for files.
Customize Default Permission Values
If your hosting environment requires different permission values, you can override the defaults WP Ghost uses by adding constants to your wp-config.php file.
Custom file permissions (default is 0644):
define( 'HMW_FILE_PERMISSION', 0640 );Custom directory permissions (default is 0755):
define( 'HMW_DIR_PERMISSION', 0750 );Custom config file permissions (default is 0444):
define( 'HMW_CONFIG_PERMISSION', 0444 );These constants change what WP Ghost applies when you click “Fix it” in the Security Check. Adjust the values to match your hosting provider’s requirements. Common alternatives include 0640 for files (no read access for “others”) and 0750 for directories (no access for “others”) on shared hosting environments.
Troubleshooting
Site shows “Permission denied” or blank page after fixing permissions
The web server may need slightly different permissions for your hosting configuration. Some shared hosting providers require 0750 for directories instead of 0755. Contact your hosting provider to confirm the correct values for your environment. Use the HMW_DIR_PERMISSION and HMW_FILE_PERMISSION constants to adjust.
Cannot update WordPress or install plugins after setting wp-config.php to 0444
The 0444 permission makes wp-config.php read-only, which is the secure setting. If WordPress or a plugin needs to write to wp-config.php (this is rare), temporarily change it to 0644 via FTP, make the update, then set it back to 0444. WP Ghost’s own settings do not require writing to wp-config.php.
Permissions reset after a WordPress update
WordPress updates can reset file permissions to the server default. Run the Security Check again after any WordPress core update and use the “Fix it” button if needed.
Frequently Asked Questions
Why is 777 dangerous?
Permission 777 means every user on the server can read, write, and execute the file. On shared hosting, this means other accounts on the same server could modify your files. Even on dedicated servers, if an attacker exploits any vulnerability, they can write to any 777 file, injecting malicious code into core WordPress files or stealing your database credentials.
Do I need WP Ghost Premium for this?
The one-click fix through Security Check requires WP Ghost Premium. However, you can fix permissions manually using FTP or cPanel without any plugin. The correct values (755 for directories, 644 for files, 444 for wp-config.php) are the same regardless of the method you use.
Does this work with WooCommerce?
Yes. WooCommerce files follow the same permission requirements as all WordPress files. The standard 755/644 permissions are compatible with all WooCommerce functionality including uploads, downloads, and order processing.
Will changing permissions break anything on my site?
The recommended values (755/644/444) are WordPress standard and work on the vast majority of hosting environments. If your host uses a non-standard configuration, you may need slightly different values. Always test your site after making changes, and use the wp-config.php constants to fine-tune if needed.
Does WP Ghost modify WordPress core files?
For this specific feature, WP Ghost changes the permission attributes on files and directories. It does not modify file content. Permission changes are metadata operations handled by the operating system, not edits to the files themselves.
Related Tutorials
For more server-level security hardening:
Website Security Check – The tool that detects and fixes permission issues along with 40 other security tasks.
Change Database Prefix – Another server-level security fix available through Security Check.
Change .htaccess Permission to Read-Only – Lock down .htaccess specifically to prevent malicious modification.
Prevent Hack Attacks on WordPress – The complete WP Ghost security overview.
Preset Security Options – One-click security configurations for fast setup.
