<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>chmod Archives - Developry Plugins</title>
	<atom:link href="https://developryplugins.com/tag/chmod/feed/" rel="self" type="application/rss+xml" />
	<link>https://developryplugins.com/tag/chmod/</link>
	<description></description>
	<lastBuildDate>Mon, 24 Nov 2025 11:18:21 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://developryplugins.com/wp-content/uploads/2026/06/cropped-favicon-alt-32x32.webp</url>
	<title>chmod Archives - Developry Plugins</title>
	<link>https://developryplugins.com/tag/chmod/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>WordPress File Permissions Guide: Securing wp-config and .htaccess</title>
		<link>https://developryplugins.com/wordpress-file-permissions-guide-securing-wp-config-and-htaccess/</link>
		
		<dc:creator><![CDATA[Krasen Slavov]]></dc:creator>
		<pubDate>Sat, 15 Nov 2025 09:00:00 +0000</pubDate>
				<category><![CDATA[WordPress Security & Protection]]></category>
		<category><![CDATA[chmod]]></category>
		<category><![CDATA[file permissions]]></category>
		<category><![CDATA[htaccess security]]></category>
		<category><![CDATA[server security]]></category>
		<category><![CDATA[wp-config security]]></category>
		<guid isPermaLink="false">https://developryplugins.com/?p=166</guid>

					<description><![CDATA[<p>File permissions are a critical yet often overlooked aspect of WordPress security. Incorrect permissions can allow hackers to modify your files, inject malware, or steal sensitive data like database credentials....</p>
<p>The post <a href="https://developryplugins.com/wordpress-file-permissions-guide-securing-wp-config-and-htaccess/">WordPress File Permissions Guide: Securing wp-config and .htaccess</a> appeared first on <a href="https://developryplugins.com">Developry Plugins</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><!-- @format --></p>
<p>File permissions are a critical yet often overlooked aspect of WordPress security. Incorrect permissions can allow hackers to modify your files, inject malware, or steal sensitive data like database credentials. Setting proper permissions is your first line of defense against unauthorized file access.</p>
<p>This guide explains Unix/Linux file permissions, provides recommended settings for WordPress, and shows you how to secure critical files like wp-config.php and .htaccess.</p>
<h2 id="understanding-file-permissions">Understanding File Permissions</h2>
<h3 id="permission-number-system">Permission Number System</h3>
<p>Unix permissions use a three-digit system:</p>
<p><strong>Read (r) = 4</strong> <strong>Write (w) = 2</strong> <strong>Execute (x) = 1</strong></p>
<p>Each digit represents permissions for:</p>
<ol type="1">
<li><strong>Owner</strong> (user who owns the file)</li>
<li><strong>Group</strong> (users in the file’s group)</li>
<li><strong>Others</strong> (everyone else)</li>
</ol>
<p><strong>Example: 644</strong></p>
<ul>
<li>Owner: 6 (4+2) = Read + Write</li>
<li>Group: 4 = Read only</li>
<li>Others: 4 = Read only</li>
</ul>
<p><strong>Example: 755</strong></p>
<ul>
<li>Owner: 7 (4+2+1) = Read + Write + Execute</li>
<li>Group: 5 (4+1) = Read + Execute</li>
<li>Others: 5 (4+1) = Read + Execute</li>
</ul>
<h3 id="wordpress-recommended-permissions">WordPress Recommended Permissions</h3>
<div class="sourceCode" id="cb1">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true"></a><span class="co"># Directories: 755</span></span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true"></a><span class="ex">drwxr-xr-x</span> = 755</span>
<span id="cb1-3"><a href="#cb1-3" aria-hidden="true"></a></span>
<span id="cb1-4"><a href="#cb1-4" aria-hidden="true"></a><span class="co"># Files: 644</span></span>
<span id="cb1-5"><a href="#cb1-5" aria-hidden="true"></a><span class="ex">-rw-r--r--</span> = 644</span>
<span id="cb1-6"><a href="#cb1-6" aria-hidden="true"></a></span>
<span id="cb1-7"><a href="#cb1-7" aria-hidden="true"></a><span class="co"># wp-config.php: 440 or 400 (most secure)</span></span>
<span id="cb1-8"><a href="#cb1-8" aria-hidden="true"></a><span class="ex">-r--r-----</span> = 440</span>
<span id="cb1-9"><a href="#cb1-9" aria-hidden="true"></a><span class="ex">-r--------</span> = 400</span></code></pre>
</div>
<p><strong>NEVER use 777</strong> &#8211; This allows anyone to read, write, and execute files.</p>
<h2 id="securing-critical-wordpress-files">Securing Critical WordPress Files</h2>
<h3 id="wp-config.php-protection">wp-config.php Protection</h3>
<p>Your most important file contains database credentials:</p>
<div class="sourceCode" id="cb2">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true"></a><span class="co"># Set to 440 (readable by owner and group)</span></span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true"></a><span class="fu">chmod</span> 440 wp-config.php</span>
<span id="cb2-3"><a href="#cb2-3" aria-hidden="true"></a></span>
<span id="cb2-4"><a href="#cb2-4" aria-hidden="true"></a><span class="co"># Or 400 (readable by owner only) - most secure</span></span>
<span id="cb2-5"><a href="#cb2-5" aria-hidden="true"></a><span class="fu">chmod</span> 400 wp-config.php</span>
<span id="cb2-6"><a href="#cb2-6" aria-hidden="true"></a></span>
<span id="cb2-7"><a href="#cb2-7" aria-hidden="true"></a><span class="co"># Verify</span></span>
<span id="cb2-8"><a href="#cb2-8" aria-hidden="true"></a><span class="fu">ls</span> -l wp-config.php</span>
<span id="cb2-9"><a href="#cb2-9" aria-hidden="true"></a><span class="co"># Output: -r--r----- 1 user group 3157 Nov 23 wp-config.php</span></span></code></pre>
</div>
<p><strong>Move wp-config.php Above Web Root:</strong></p>
<div class="sourceCode" id="cb3">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true"></a><span class="co"># WordPress looks one directory up automatically</span></span>
<span id="cb3-2"><a href="#cb3-2" aria-hidden="true"></a><span class="fu">mv</span> /public_html/wp-config.php /home/user/wp-config.php</span></code></pre>
</div>
<p>This makes wp-config.php completely inaccessible via web.</p>
<p><strong>Protect via .htaccess:</strong></p>
<div class="sourceCode" id="cb4">
<pre class="sourceCode apache"><code class="sourceCode apache"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true"></a><span class="co"># Add to .htaccess</span></span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true"></a><span class="fu">&lt;files</span><span class="at"> wp-config.php</span><span class="fu">&gt;</span></span>
<span id="cb4-3"><a href="#cb4-3" aria-hidden="true"></a><span class="ex">order</span><span class="ch"> </span><span class="kw">allow,deny</span></span>
<span id="cb4-4"><a href="#cb4-4" aria-hidden="true"></a>deny<span class="st"> from all</span></span>
<span id="cb4-5"><a href="#cb4-5" aria-hidden="true"></a><span class="fu">&lt;/files&gt;</span></span></code></pre>
</div>
<h3 id="securing-.htaccess">Securing .htaccess</h3>
<div class="sourceCode" id="cb5">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true"></a><span class="co"># Set to 644 (standard)</span></span>
<span id="cb5-2"><a href="#cb5-2" aria-hidden="true"></a><span class="fu">chmod</span> 644 .htaccess</span>
<span id="cb5-3"><a href="#cb5-3" aria-hidden="true"></a></span>
<span id="cb5-4"><a href="#cb5-4" aria-hidden="true"></a><span class="co"># Or 444 if you don&#39;t need to modify it</span></span>
<span id="cb5-5"><a href="#cb5-5" aria-hidden="true"></a><span class="fu">chmod</span> 444 .htaccess</span></code></pre>
</div>
<p><strong>Protect .htaccess from modification:</strong></p>
<div class="sourceCode" id="cb6">
<pre class="sourceCode apache"><code class="sourceCode apache"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true"></a><span class="co"># Inside .htaccess itself</span></span>
<span id="cb6-2"><a href="#cb6-2" aria-hidden="true"></a><span class="fu">&lt;files</span><span class="at"> .htaccess</span><span class="fu">&gt;</span></span>
<span id="cb6-3"><a href="#cb6-3" aria-hidden="true"></a><span class="ex">order</span><span class="ch"> </span><span class="kw">allow,deny</span></span>
<span id="cb6-4"><a href="#cb6-4" aria-hidden="true"></a>deny<span class="st"> from all</span></span>
<span id="cb6-5"><a href="#cb6-5" aria-hidden="true"></a><span class="fu">&lt;/files&gt;</span></span></code></pre>
</div>
<h2 id="complete-wordpress-permission-setup">Complete WordPress Permission Setup</h2>
<h3 id="via-ssh-recommended">Via SSH (Recommended)</h3>
<div class="sourceCode" id="cb7">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true"></a><span class="co"># Navigate to WordPress root</span></span>
<span id="cb7-2"><a href="#cb7-2" aria-hidden="true"></a><span class="bu">cd</span> /path/to/wordpress</span>
<span id="cb7-3"><a href="#cb7-3" aria-hidden="true"></a></span>
<span id="cb7-4"><a href="#cb7-4" aria-hidden="true"></a><span class="co"># Set directory permissions to 755</span></span>
<span id="cb7-5"><a href="#cb7-5" aria-hidden="true"></a><span class="fu">find</span> . -type d -exec chmod 755 {} <span class="dt">\;</span></span>
<span id="cb7-6"><a href="#cb7-6" aria-hidden="true"></a></span>
<span id="cb7-7"><a href="#cb7-7" aria-hidden="true"></a><span class="co"># Set file permissions to 644</span></span>
<span id="cb7-8"><a href="#cb7-8" aria-hidden="true"></a><span class="fu">find</span> . -type f -exec chmod 644 {} <span class="dt">\;</span></span>
<span id="cb7-9"><a href="#cb7-9" aria-hidden="true"></a></span>
<span id="cb7-10"><a href="#cb7-10" aria-hidden="true"></a><span class="co"># Secure wp-config.php</span></span>
<span id="cb7-11"><a href="#cb7-11" aria-hidden="true"></a><span class="fu">chmod</span> 440 wp-config.php</span>
<span id="cb7-12"><a href="#cb7-12" aria-hidden="true"></a></span>
<span id="cb7-13"><a href="#cb7-13" aria-hidden="true"></a><span class="co"># Secure .htaccess</span></span>
<span id="cb7-14"><a href="#cb7-14" aria-hidden="true"></a><span class="fu">chmod</span> 644 .htaccess</span></code></pre>
</div>
<h3 id="via-wp-cli">Via WP-CLI</h3>
<div class="sourceCode" id="cb8">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true"></a><span class="co"># Fix permissions automatically</span></span>
<span id="cb8-2"><a href="#cb8-2" aria-hidden="true"></a><span class="ex">wp</span> cli has-command <span class="st">&quot;secure&quot;</span> <span class="kw">||</span> <span class="ex">wp</span> package install wp-cli/secure-command</span>
<span id="cb8-3"><a href="#cb8-3" aria-hidden="true"></a></span>
<span id="cb8-4"><a href="#cb8-4" aria-hidden="true"></a><span class="co"># Or manual approach</span></span>
<span id="cb8-5"><a href="#cb8-5" aria-hidden="true"></a><span class="fu">find</span> /path/to/wordpress -type d -exec chmod 755 {} <span class="dt">\;</span></span>
<span id="cb8-6"><a href="#cb8-6" aria-hidden="true"></a><span class="fu">find</span> /path/to/wordpress -type f -exec chmod 644 {} <span class="dt">\;</span></span></code></pre>
</div>
<h3 id="via-ftp-filezilla">Via FTP (FileZilla)</h3>
<ol type="1">
<li>Connect to your server via FTP</li>
<li>Navigate to WordPress root</li>
<li>Right-click wp-config.php &gt; File Permissions</li>
<li>Enter <strong>440</strong> in numeric value</li>
<li>Check “Recurse into subdirectories” for bulk changes</li>
<li>Select “Apply to directories only” and enter <strong>755</strong></li>
<li>Select “Apply to files only” and enter <strong>644</strong></li>
</ol>
<h3 id="via-cpanel-file-manager">Via cPanel File Manager</h3>
<ol type="1">
<li>Login to cPanel &gt; File Manager</li>
<li>Navigate to public_html</li>
<li>Select all files/folders</li>
<li>Click “Permissions” button</li>
<li>Set directories to <strong>755</strong></li>
<li>Set files to <strong>644</strong></li>
<li>Click “Change Permissions”</li>
</ol>
<h2 id="directory-specific-permissions">Directory-Specific Permissions</h2>
<h3 id="wp-content-directory">wp-content Directory</h3>
<div class="sourceCode" id="cb9">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb9-1"><a href="#cb9-1" aria-hidden="true"></a><span class="co"># wp-content: 755</span></span>
<span id="cb9-2"><a href="#cb9-2" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content</span>
<span id="cb9-3"><a href="#cb9-3" aria-hidden="true"></a></span>
<span id="cb9-4"><a href="#cb9-4" aria-hidden="true"></a><span class="co"># uploads directory: 755 (needs write access for media uploads)</span></span>
<span id="cb9-5"><a href="#cb9-5" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/uploads</span>
<span id="cb9-6"><a href="#cb9-6" aria-hidden="true"></a></span>
<span id="cb9-7"><a href="#cb9-7" aria-hidden="true"></a><span class="co"># Allow recursive write for subdirectories</span></span>
<span id="cb9-8"><a href="#cb9-8" aria-hidden="true"></a><span class="fu">find</span> wp-content/uploads -type d -exec chmod 755 {} <span class="dt">\;</span></span>
<span id="cb9-9"><a href="#cb9-9" aria-hidden="true"></a><span class="fu">find</span> wp-content/uploads -type f -exec chmod 644 {} <span class="dt">\;</span></span></code></pre>
</div>
<h3 id="plugins-directory">Plugins Directory</h3>
<div class="sourceCode" id="cb10">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb10-1"><a href="#cb10-1" aria-hidden="true"></a><span class="co"># plugins: 755</span></span>
<span id="cb10-2"><a href="#cb10-2" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/plugins</span>
<span id="cb10-3"><a href="#cb10-3" aria-hidden="true"></a></span>
<span id="cb10-4"><a href="#cb10-4" aria-hidden="true"></a><span class="co"># Individual plugin directories: 755</span></span>
<span id="cb10-5"><a href="#cb10-5" aria-hidden="true"></a><span class="fu">find</span> wp-content/plugins -type d -exec chmod 755 {} <span class="dt">\;</span></span>
<span id="cb10-6"><a href="#cb10-6" aria-hidden="true"></a></span>
<span id="cb10-7"><a href="#cb10-7" aria-hidden="true"></a><span class="co"># Plugin files: 644</span></span>
<span id="cb10-8"><a href="#cb10-8" aria-hidden="true"></a><span class="fu">find</span> wp-content/plugins -type f -exec chmod 644 {} <span class="dt">\;</span></span></code></pre>
</div>
<h3 id="themes-directory">Themes Directory</h3>
<div class="sourceCode" id="cb11">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb11-1"><a href="#cb11-1" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/themes</span>
<span id="cb11-2"><a href="#cb11-2" aria-hidden="true"></a><span class="fu">find</span> wp-content/themes -type d -exec chmod 755 {} <span class="dt">\;</span></span>
<span id="cb11-3"><a href="#cb11-3" aria-hidden="true"></a><span class="fu">find</span> wp-content/themes -type f -exec chmod 644 {} <span class="dt">\;</span></span></code></pre>
</div>
<h3 id="wp-admin-and-wp-includes">wp-admin and wp-includes</h3>
<div class="sourceCode" id="cb12">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb12-1"><a href="#cb12-1" aria-hidden="true"></a><span class="co"># Read-only for these core directories</span></span>
<span id="cb12-2"><a href="#cb12-2" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-admin wp-includes</span>
<span id="cb12-3"><a href="#cb12-3" aria-hidden="true"></a><span class="fu">find</span> wp-admin -type f -exec chmod 644 {} <span class="dt">\;</span></span>
<span id="cb12-4"><a href="#cb12-4" aria-hidden="true"></a><span class="fu">find</span> wp-includes -type f -exec chmod 644 {} <span class="dt">\;</span></span></code></pre>
</div>
<h2 id="file-ownership">File Ownership</h2>
<h3 id="understanding-users">Understanding Users</h3>
<div class="sourceCode" id="cb13">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true"></a><span class="co"># Check current ownership</span></span>
<span id="cb13-2"><a href="#cb13-2" aria-hidden="true"></a><span class="fu">ls</span> -l wp-config.php</span>
<span id="cb13-3"><a href="#cb13-3" aria-hidden="true"></a><span class="co"># -rw-r--r-- 1 username groupname 3157 Nov 23 wp-config.php</span></span></code></pre>
</div>
<p><strong>Common Web Server Users:</strong></p>
<ul>
<li><strong>Apache:</strong> www-data, apache, httpd</li>
<li><strong>Nginx:</strong> nginx, www-data</li>
<li><strong>Your User:</strong> username (from hosting)</li>
</ul>
<h3 id="setting-correct-ownership">Setting Correct Ownership</h3>
<div class="sourceCode" id="cb14">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb14-1"><a href="#cb14-1" aria-hidden="true"></a><span class="co"># Change owner to your user</span></span>
<span id="cb14-2"><a href="#cb14-2" aria-hidden="true"></a><span class="fu">chown</span> username:username -R /path/to/wordpress</span>
<span id="cb14-3"><a href="#cb14-3" aria-hidden="true"></a></span>
<span id="cb14-4"><a href="#cb14-4" aria-hidden="true"></a><span class="co"># Or web server user (if needed for uploads)</span></span>
<span id="cb14-5"><a href="#cb14-5" aria-hidden="true"></a><span class="fu">chown</span> www-data:www-data wp-content/uploads -R</span>
<span id="cb14-6"><a href="#cb14-6" aria-hidden="true"></a></span>
<span id="cb14-7"><a href="#cb14-7" aria-hidden="true"></a><span class="co"># Verify</span></span>
<span id="cb14-8"><a href="#cb14-8" aria-hidden="true"></a><span class="fu">ls</span> -l wp-content/uploads</span></code></pre>
</div>
<h3 id="shared-hosting-considerations">Shared Hosting Considerations</h3>
<p>On shared hosting, you typically can’t change ownership. The hosting provider manages this. Your permissions should be:</p>
<div class="sourceCode" id="cb15">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true"></a><span class="co"># User-owned files</span></span>
<span id="cb15-2"><a href="#cb15-2" aria-hidden="true"></a><span class="ex">Files</span>: 644</span>
<span id="cb15-3"><a href="#cb15-3" aria-hidden="true"></a><span class="ex">Directories</span>: 755</span>
<span id="cb15-4"><a href="#cb15-4" aria-hidden="true"></a></span>
<span id="cb15-5"><a href="#cb15-5" aria-hidden="true"></a><span class="co"># If web server needs write access (uploads)</span></span>
<span id="cb15-6"><a href="#cb15-6" aria-hidden="true"></a><span class="ex">Directories</span>: 755 with proper group ownership</span></code></pre>
</div>
<h2 id="preventing-directory-browsing">Preventing Directory Browsing</h2>
<div class="sourceCode" id="cb16">
<pre class="sourceCode apache"><code class="sourceCode apache"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true"></a><span class="co"># In .htaccess</span></span>
<span id="cb16-2"><a href="#cb16-2" aria-hidden="true"></a><span class="ex">Options</span><span class="ch"> </span><span class="kw">-Indexes</span></span>
<span id="cb16-3"><a href="#cb16-3" aria-hidden="true"></a></span>
<span id="cb16-4"><a href="#cb16-4" aria-hidden="true"></a><span class="co"># Or in each directory&#39;s .htaccess</span></span>
<span id="cb16-5"><a href="#cb16-5" aria-hidden="true"></a><span class="fu">&lt;IfModule</span><span class="at"> mod_autoindex.c</span><span class="fu">&gt;</span></span>
<span id="cb16-6"><a href="#cb16-6" aria-hidden="true"></a>    <span class="ex">Options</span><span class="ch"> </span><span class="kw">-Indexes</span></span>
<span id="cb16-7"><a href="#cb16-7" aria-hidden="true"></a><span class="fu">&lt;/IfModule&gt;</span></span></code></pre>
</div>
<h2 id="protecting-sensitive-files">Protecting Sensitive Files</h2>
<h3 id="block-access-to-critical-files">Block Access to Critical Files</h3>
<div class="sourceCode" id="cb17">
<pre class="sourceCode apache"><code class="sourceCode apache"><span id="cb17-1"><a href="#cb17-1" aria-hidden="true"></a><span class="co"># In .htaccess - block common targets</span></span>
<span id="cb17-2"><a href="#cb17-2" aria-hidden="true"></a><span class="fu">&lt;FilesMatch</span><span class="at"> &quot;^(wp-config\.php|php\.ini|\.htaccess|\.htpasswd)&quot;</span><span class="fu">&gt;</span></span>
<span id="cb17-3"><a href="#cb17-3" aria-hidden="true"></a>    <span class="ex">Order</span><span class="ch"> </span><span class="kw">allow,deny</span></span>
<span id="cb17-4"><a href="#cb17-4" aria-hidden="true"></a>    Deny<span class="st"> from all</span></span>
<span id="cb17-5"><a href="#cb17-5" aria-hidden="true"></a><span class="fu">&lt;/FilesMatch&gt;</span></span>
<span id="cb17-6"><a href="#cb17-6" aria-hidden="true"></a></span>
<span id="cb17-7"><a href="#cb17-7" aria-hidden="true"></a><span class="co"># Protect readme and license files</span></span>
<span id="cb17-8"><a href="#cb17-8" aria-hidden="true"></a><span class="fu">&lt;FilesMatch</span><span class="at"> &quot;(readme|license|changelog)\.(txt|html)$&quot;</span><span class="fu">&gt;</span></span>
<span id="cb17-9"><a href="#cb17-9" aria-hidden="true"></a>    <span class="ex">Order</span><span class="ch"> </span><span class="kw">allow,deny</span></span>
<span id="cb17-10"><a href="#cb17-10" aria-hidden="true"></a>    Deny<span class="st"> from all</span></span>
<span id="cb17-11"><a href="#cb17-11" aria-hidden="true"></a><span class="fu">&lt;/FilesMatch&gt;</span></span></code></pre>
</div>
<h3 id="prevent-php-execution-in-uploads">Prevent PHP Execution in Uploads</h3>
<div class="sourceCode" id="cb18">
<pre class="sourceCode apache"><code class="sourceCode apache"><span id="cb18-1"><a href="#cb18-1" aria-hidden="true"></a><span class="co"># Create wp-content/uploads/.htaccess</span></span>
<span id="cb18-2"><a href="#cb18-2" aria-hidden="true"></a><span class="fu">&lt;Files</span><span class="at"> *.php</span><span class="fu">&gt;</span></span>
<span id="cb18-3"><a href="#cb18-3" aria-hidden="true"></a>    deny<span class="st"> from all</span></span>
<span id="cb18-4"><a href="#cb18-4" aria-hidden="true"></a><span class="fu">&lt;/Files&gt;</span></span></code></pre>
</div>
<p>Or for Nginx:</p>
<pre class="nginx"><code># In nginx.conf
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}</code></pre>
<h2 id="temporary-permission-changes">Temporary Permission Changes</h2>
<p>When installing plugins/themes via WordPress admin, you may need temporary changes:</p>
<div class="sourceCode" id="cb20">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb20-1"><a href="#cb20-1" aria-hidden="true"></a><span class="co"># Before installation</span></span>
<span id="cb20-2"><a href="#cb20-2" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/plugins</span>
<span id="cb20-3"><a href="#cb20-3" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/themes</span>
<span id="cb20-4"><a href="#cb20-4" aria-hidden="true"></a></span>
<span id="cb20-5"><a href="#cb20-5" aria-hidden="true"></a><span class="co"># After installation</span></span>
<span id="cb20-6"><a href="#cb20-6" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/plugins</span>
<span id="cb20-7"><a href="#cb20-7" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/themes</span>
<span id="cb20-8"><a href="#cb20-8" aria-hidden="true"></a></span>
<span id="cb20-9"><a href="#cb20-9" aria-hidden="true"></a><span class="co"># Restore secure file permissions</span></span>
<span id="cb20-10"><a href="#cb20-10" aria-hidden="true"></a><span class="fu">find</span> wp-content/plugins -type f -exec chmod 644 {} <span class="dt">\;</span></span>
<span id="cb20-11"><a href="#cb20-11" aria-hidden="true"></a><span class="fu">find</span> wp-content/themes -type f -exec chmod 644 {} <span class="dt">\;</span></span></code></pre>
</div>
<p><strong>Better approach &#8211; Use FTP credentials in wp-config.php:</strong></p>
<div class="sourceCode" id="cb21">
<pre class="sourceCode php"><code class="sourceCode php"><span id="cb21-1"><a href="#cb21-1" aria-hidden="true"></a><span class="co">// Define FTP credentials for WordPress</span></span>
<span id="cb21-2"><a href="#cb21-2" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FS_METHOD&#39;</span><span class="ot">,</span> <span class="st">&#39;ftpext&#39;</span><span class="ot">);</span></span>
<span id="cb21-3"><a href="#cb21-3" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FTP_BASE&#39;</span><span class="ot">,</span> <span class="st">&#39;/path/to/wordpress/&#39;</span><span class="ot">);</span></span>
<span id="cb21-4"><a href="#cb21-4" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FTP_CONTENT_DIR&#39;</span><span class="ot">,</span> <span class="st">&#39;/path/to/wordpress/wp-content/&#39;</span><span class="ot">);</span></span>
<span id="cb21-5"><a href="#cb21-5" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FTP_PLUGIN_DIR&#39;</span><span class="ot">,</span> <span class="st">&#39;/path/to/wordpress/wp-content/plugins/&#39;</span><span class="ot">);</span></span>
<span id="cb21-6"><a href="#cb21-6" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FTP_USER&#39;</span><span class="ot">,</span> <span class="st">&#39;ftp_username&#39;</span><span class="ot">);</span></span>
<span id="cb21-7"><a href="#cb21-7" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FTP_PASS&#39;</span><span class="ot">,</span> <span class="st">&#39;ftp_password&#39;</span><span class="ot">);</span></span>
<span id="cb21-8"><a href="#cb21-8" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FTP_HOST&#39;</span><span class="ot">,</span> <span class="st">&#39;ftp.example.com&#39;</span><span class="ot">);</span></span></code></pre>
</div>
<p>This allows WordPress to use FTP for file operations without insecure permissions.</p>
<h2 id="monitoring-file-changes">Monitoring File Changes</h2>
<h3 id="using-file-integrity-monitoring">Using File Integrity Monitoring</h3>
<div class="sourceCode" id="cb22">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb22-1"><a href="#cb22-1" aria-hidden="true"></a><span class="co"># Create baseline of file hashes</span></span>
<span id="cb22-2"><a href="#cb22-2" aria-hidden="true"></a><span class="fu">find</span> . -type f -exec md5sum {} <span class="dt">\;</span> <span class="op">&gt;</span> <span class="ex">/home/user/wordpress-baseline.md5</span></span>
<span id="cb22-3"><a href="#cb22-3" aria-hidden="true"></a></span>
<span id="cb22-4"><a href="#cb22-4" aria-hidden="true"></a><span class="co"># Later, check for changes</span></span>
<span id="cb22-5"><a href="#cb22-5" aria-hidden="true"></a><span class="ex">md5sum</span> -c /home/user/wordpress-baseline.md5</span></code></pre>
</div>
<p><strong>With Wordfence plugin:</strong></p>
<ul>
<li>Scans for modified core files</li>
<li>Alerts on permission changes</li>
<li>Detects new files</li>
</ul>
<h2 id="troubleshooting-permission-issues">Troubleshooting Permission Issues</h2>
<h3 id="cannot-create-directory-error">“Cannot create directory” Error</h3>
<div class="sourceCode" id="cb23">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb23-1"><a href="#cb23-1" aria-hidden="true"></a><span class="co"># Check wp-content/uploads ownership</span></span>
<span id="cb23-2"><a href="#cb23-2" aria-hidden="true"></a><span class="fu">ls</span> -ld wp-content/uploads</span>
<span id="cb23-3"><a href="#cb23-3" aria-hidden="true"></a></span>
<span id="cb23-4"><a href="#cb23-4" aria-hidden="true"></a><span class="co"># Fix ownership</span></span>
<span id="cb23-5"><a href="#cb23-5" aria-hidden="true"></a><span class="fu">chown</span> www-data:www-data wp-content/uploads -R</span>
<span id="cb23-6"><a href="#cb23-6" aria-hidden="true"></a></span>
<span id="cb23-7"><a href="#cb23-7" aria-hidden="true"></a><span class="co"># Fix permissions</span></span>
<span id="cb23-8"><a href="#cb23-8" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/uploads</span></code></pre>
</div>
<h3 id="failed-to-write-to-disk-during-upload">“Failed to write to disk” During Upload</h3>
<div class="sourceCode" id="cb24">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb24-1"><a href="#cb24-1" aria-hidden="true"></a><span class="co"># Check uploads directory</span></span>
<span id="cb24-2"><a href="#cb24-2" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/uploads</span>
<span id="cb24-3"><a href="#cb24-3" aria-hidden="true"></a><span class="fu">chown</span> www-data:www-data wp-content/uploads</span>
<span id="cb24-4"><a href="#cb24-4" aria-hidden="true"></a></span>
<span id="cb24-5"><a href="#cb24-5" aria-hidden="true"></a><span class="co"># Create uploads subdirectories</span></span>
<span id="cb24-6"><a href="#cb24-6" aria-hidden="true"></a><span class="fu">mkdir</span> -p wp-content/uploads/2025/11</span>
<span id="cb24-7"><a href="#cb24-7" aria-hidden="true"></a><span class="fu">chmod</span> 755 wp-content/uploads/2025/11</span></code></pre>
</div>
<h3 id="plugin-installation-fails">Plugin Installation Fails</h3>
<div class="sourceCode" id="cb25">
<pre class="sourceCode php"><code class="sourceCode php"><span id="cb25-1"><a href="#cb25-1" aria-hidden="true"></a><span class="co">// Add to wp-config.php for direct filesystem access</span></span>
<span id="cb25-2"><a href="#cb25-2" aria-hidden="true"></a><span class="fu">define</span><span class="ot">(</span><span class="st">&#39;FS_METHOD&#39;</span><span class="ot">,</span> <span class="st">&#39;direct&#39;</span><span class="ot">);</span></span></code></pre>
</div>
<p><strong>Security note:</strong> Only use on trusted, single-user servers.</p>
<h2 id="security-best-practices">Security Best Practices</h2>
<p>✅ <strong>Do:</strong></p>
<ul>
<li>Set files to 644, directories to 755</li>
<li>Secure wp-config.php to 440 or 400</li>
<li>Use file integrity monitoring</li>
<li>Regular permission audits</li>
<li>Document any custom permissions</li>
</ul>
<p>❌ <strong>Don’t:</strong></p>
<ul>
<li>Use 777 permissions (except briefly for debugging)</li>
<li>Make wp-config.php writable</li>
<li>Give web server write access to core files</li>
<li>Ignore permission warnings</li>
<li>Set blanket 755 on all files</li>
</ul>
<h2 id="automated-permission-script">Automated Permission Script</h2>
<div class="sourceCode" id="cb26">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb26-1"><a href="#cb26-1" aria-hidden="true"></a><span class="co">#!/bin/bash</span></span>
<span id="cb26-2"><a href="#cb26-2" aria-hidden="true"></a><span class="co"># save as fix-wordpress-permissions.sh</span></span>
<span id="cb26-3"><a href="#cb26-3" aria-hidden="true"></a></span>
<span id="cb26-4"><a href="#cb26-4" aria-hidden="true"></a><span class="va">WP_PATH=</span><span class="st">&quot;/path/to/wordpress&quot;</span></span>
<span id="cb26-5"><a href="#cb26-5" aria-hidden="true"></a><span class="va">WP_OWNER=</span><span class="st">&quot;username&quot;</span></span>
<span id="cb26-6"><a href="#cb26-6" aria-hidden="true"></a><span class="va">WP_GROUP=</span><span class="st">&quot;www-data&quot;</span></span>
<span id="cb26-7"><a href="#cb26-7" aria-hidden="true"></a></span>
<span id="cb26-8"><a href="#cb26-8" aria-hidden="true"></a><span class="co"># Directories to 755</span></span>
<span id="cb26-9"><a href="#cb26-9" aria-hidden="true"></a><span class="fu">find</span> <span class="va">${WP_PATH}</span> -type d -exec chmod 755 {} <span class="dt">\;</span></span>
<span id="cb26-10"><a href="#cb26-10" aria-hidden="true"></a></span>
<span id="cb26-11"><a href="#cb26-11" aria-hidden="true"></a><span class="co"># Files to 644</span></span>
<span id="cb26-12"><a href="#cb26-12" aria-hidden="true"></a><span class="fu">find</span> <span class="va">${WP_PATH}</span> -type f -exec chmod 644 {} <span class="dt">\;</span></span>
<span id="cb26-13"><a href="#cb26-13" aria-hidden="true"></a></span>
<span id="cb26-14"><a href="#cb26-14" aria-hidden="true"></a><span class="co"># wp-config.php to 440</span></span>
<span id="cb26-15"><a href="#cb26-15" aria-hidden="true"></a><span class="fu">chmod</span> 440 <span class="va">${WP_PATH}</span>/wp-config.php</span>
<span id="cb26-16"><a href="#cb26-16" aria-hidden="true"></a></span>
<span id="cb26-17"><a href="#cb26-17" aria-hidden="true"></a><span class="co"># Set ownership</span></span>
<span id="cb26-18"><a href="#cb26-18" aria-hidden="true"></a><span class="fu">chown</span> -R <span class="va">${WP_OWNER}</span>:<span class="va">${WP_GROUP}</span> <span class="va">${WP_PATH}</span></span>
<span id="cb26-19"><a href="#cb26-19" aria-hidden="true"></a></span>
<span id="cb26-20"><a href="#cb26-20" aria-hidden="true"></a><span class="co"># Special: uploads needs web server write</span></span>
<span id="cb26-21"><a href="#cb26-21" aria-hidden="true"></a><span class="fu">chown</span> -R www-data:www-data <span class="va">${WP_PATH}</span>/wp-content/uploads</span>
<span id="cb26-22"><a href="#cb26-22" aria-hidden="true"></a></span>
<span id="cb26-23"><a href="#cb26-23" aria-hidden="true"></a><span class="bu">echo</span> <span class="st">&quot;WordPress permissions fixed!&quot;</span></span></code></pre>
</div>
<p>Run with:</p>
<div class="sourceCode" id="cb27">
<pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb27-1"><a href="#cb27-1" aria-hidden="true"></a><span class="fu">chmod</span> +x fix-wordpress-permissions.sh</span>
<span id="cb27-2"><a href="#cb27-2" aria-hidden="true"></a><span class="ex">./fix-wordpress-permissions.sh</span></span></code></pre>
</div>
<p>Properly configured file permissions are fundamental to WordPress security. They prevent unauthorized modifications, protect sensitive credentials, and limit damage if other security layers are breached. Audit your permissions regularly and maintain the principle of least privilege.</p>
<h2 id="external-links">External Links</h2>
<ol type="1">
<li><a href="https://wordpress.org/support/article/changing-file-permissions/">WordPress File Permissions</a></li>
<li><a href="https://filezilla-project.org/">FileZilla FTP Client</a></li>
<li><a href="https://www.ssh.com/academy/ssh">SSH Tutorial</a></li>
<li><a href="https://www.linux.com/training-tutorials/understanding-linux-file-permissions/">Linux File Permissions</a></li>
<li><a href="https://wordpress.org/support/article/hardening-wordpress/">Hardening WordPress</a></li>
</ol>
<h2 id="call-to-action">Call to Action</h2>
<p>Secure your site with bulletproof backups! <a href="https://backupcopilotplugin.com/">Backup Copilot Pro</a> offers automated security audits, malware scanning before backups, and instant recovery—try it free!</p>
<p>The post <a href="https://developryplugins.com/wordpress-file-permissions-guide-securing-wp-config-and-htaccess/">WordPress File Permissions Guide: Securing wp-config and .htaccess</a> appeared first on <a href="https://developryplugins.com">Developry Plugins</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
