WordPress File Permissions Guide: Securing wp-config and .htaccess

File permissions are a critical yet often overlooked aspect of WordPress security. Incorrect permissions can allow hackers to modify your files, inject malware, or steal sensitive data like database credentials. Setting proper permissions is your first line of defense against unauthorized file access.

This guide explains Unix/Linux file permissions, provides recommended settings for WordPress, and shows you how to secure critical files like wp-config.php and .htaccess.

Understanding File Permissions

Permission Number System

Unix permissions use a three-digit system:

  • Read (r) = 4
  • Write (w) = 2
  • Execute (x) = 1

Each digit represents permissions for:

  1. Owner (user who owns the file)
  2. Group (users in the file’s group)
  3. Others (everyone else)

Example: 644

  • Owner: 6 (4+2) = Read + Write
  • Group: 4 = Read only
  • Others: 4 = Read only

Example: 755

  • Owner: 7 (4+2+1) = Read + Write + Execute
  • Group: 5 (4+1) = Read + Execute
  • Others: 5 (4+1) = Read + Execute

# Directories: 755
drwxr-xr-x = 755

# Files: 644
-rw-r--r-- = 644

# wp-config.php: 440 or 400 (most secure)
-r--r----- = 440
-r-------- = 400

NEVER use 777 – This allows anyone to read, write, and execute files.

Securing Critical WordPress Files

wp-config.php Protection

Your most important file contains database credentials:

# Set to 440 (readable by owner and group)
chmod 440 wp-config.php

# Or 400 (readable by owner only) - most secure
chmod 400 wp-config.php

# Verify
ls -l wp-config.php
# Output: -r--r----- 1 user group 3157 Nov 23 wp-config.php

Move wp-config.php Above Web Root:

# WordPress looks one directory up automatically
mv /home/user/public_html/wp-config.php /home/user/wp-config.php

This places wp-config.php outside the web root, so it cannot be requested over the web.

Protect via .htaccess:

# Add to .htaccess
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead)
<files wp-config.php>
order allow,deny
deny from all
</files>

Securing .htaccess

# Set to 644 (standard)
chmod 644 .htaccess

# Or 444 if you don't need to modify it
chmod 444 .htaccess

Protect .htaccess from modification:

# Inside .htaccess itself: denies HTTP requests for the file
# (who can write to it is governed by the chmod setting above)
<files .htaccess>
order allow,deny
deny from all
</files>

Complete WordPress Permission Setup

# Navigate to WordPress root
cd /path/to/wordpress

# Set directory permissions to 755
find . -type d -exec chmod 755 {} \;

# Set file permissions to 644
find . -type f -exec chmod 644 {} \;

# Secure wp-config.php
chmod 440 wp-config.php

# Secure .htaccess
chmod 644 .htaccess

Via WP-CLI

# Install the secure command package if the "secure" command is missing
wp cli has-command "secure" || wp package install wp-cli/secure-command

# Or manual approach
find /path/to/wordpress -type d -exec chmod 755 {} \;
find /path/to/wordpress -type f -exec chmod 644 {} \;

Via FTP (FileZilla)

  1. Connect to your server via FTP
  2. Navigate to WordPress root
  3. Right-click wp-config.php > File Permissions
  4. Enter 440 in numeric value
  5. Check “Recurse into subdirectories” for bulk changes
  6. Select “Apply to directories only” and enter 755
  7. Select “Apply to files only” and enter 644

Via cPanel File Manager

  1. Login to cPanel > File Manager
  2. Navigate to public_html
  3. Select all files/folders
  4. Click “Permissions” button
  5. Set directories to 755
  6. Set files to 644
  7. Click “Change Permissions”

Directory-Specific Permissions

wp-content Directory

# wp-content: 755
chmod 755 wp-content

# uploads directory: 755 (needs write access for media uploads)
chmod 755 wp-content/uploads

# Apply 755 to subdirectories and 644 to files recursively
find wp-content/uploads -type d -exec chmod 755 {} \;
find wp-content/uploads -type f -exec chmod 644 {} \;

Plugins Directory

# plugins: 755
chmod 755 wp-content/plugins

# Individual plugin directories: 755
find wp-content/plugins -type d -exec chmod 755 {} \;

# Plugin files: 644
find wp-content/plugins -type f -exec chmod 644 {} \;

Themes Directory

chmod 755 wp-content/themes
find wp-content/themes -type d -exec chmod 755 {} \;
find wp-content/themes -type f -exec chmod 644 {} \;

wp-admin and wp-includes

# Core directories: writable by the owner only, read-only for everyone else
chmod 755 wp-admin wp-includes
find wp-admin -type f -exec chmod 644 {} \;
find wp-includes -type f -exec chmod 644 {} \;

File Ownership

Understanding Users

# Check current ownership
ls -l wp-config.php
# -rw-r--r-- 1 username groupname 3157 Nov 23 wp-config.php

Common Web Server Users:

  • Apache: www-data, apache, httpd
  • Nginx: nginx, www-data
  • Your User: username (from hosting)

Setting Correct Ownership

# Change owner to your user
chown -R username:username /path/to/wordpress

# Or web server user (if needed for uploads)
chown -R www-data:www-data wp-content/uploads

# Verify
ls -l wp-content/uploads

Shared Hosting Considerations

On shared hosting, you typically can’t change ownership. The hosting provider manages this. Your permissions should be:

# User-owned files
Files: 644
Directories: 755

# If web server needs write access (uploads)
Directories: 755 with proper group ownership

Preventing Directory Browsing

# In .htaccess
Options -Indexes

# Or in each directory's .htaccess
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

Protecting Sensitive Files

Block Access to Critical Files

# In .htaccess - block common targets
<FilesMatch "^(wp-config\.php|php\.ini|\.htaccess|\.htpasswd)">
    Order allow,deny
    Deny from all
</FilesMatch>

# Protect readme and license files
<FilesMatch "(readme|license|changelog)\.(txt|html)$">
    Order allow,deny
    Deny from all
</FilesMatch>

Prevent PHP Execution in Uploads

# Create wp-content/uploads/.htaccess
<Files *.php>
    deny from all
</Files>

Or for Nginx:

# In nginx.conf
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

Temporary Permission Changes

When installing plugins/themes via WordPress admin, you may need temporary changes:

# Before installation
chmod 755 wp-content/plugins
chmod 755 wp-content/themes

# After installation
chmod 755 wp-content/plugins
chmod 755 wp-content/themes

# Restore secure file permissions
find wp-content/plugins -type f -exec chmod 644 {} \;
find wp-content/themes -type f -exec chmod 644 {} \;

Better approach – Use FTP credentials in wp-config.php:

// Define FTP credentials for WordPress
define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/path/to/wordpress/');
define('FTP_CONTENT_DIR', '/path/to/wordpress/wp-content/');
define('FTP_PLUGIN_DIR', '/path/to/wordpress/wp-content/plugins/');
define('FTP_USER', 'ftp_username');
define('FTP_PASS', 'ftp_password');
define('FTP_HOST', 'ftp.example.com');

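This allows WordPress to use FTP for file operations without insecure permissions. The FTP password is stored in plain text in wp-config.php, so keep that file at 440 or 400 as described above.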

Monitoring File Changes

Using File Integrity Monitoring

# Create baseline of file hashes (run from the WordPress root; paths are stored relative to it)
find . -type f -exec md5sum {} \; > /home/user/wordpress-baseline.md5

# Later, check for changes (run from the same directory)
md5sum -c /home/user/wordpress-baseline.md5

With Wordfence plugin:

  • Scans for modified core files
  • Alerts on permission changes
  • Detects new files
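
The md5sum -c check above only rechecks files listed in the baseline, so a file added to the tree afterwards goes unreported. The following is an added example, not part of the original guide: it compares a fresh manifest against the baseline and reports modified, deleted and new files. It uses sha256sum in place of md5sum, assumes GNU coreutils and findutils, and wp_manifest / wp_compare are names chosen for this example.

```shell
#!/bin/bash
# Added example. Manifest line format (sha256sum): 64 hex chars, 2 separator
# chars, then the path, so the path starts at column 67.
# Usage (paths are placeholders):
#   wp_manifest /path/to/wordpress > /home/user/wordpress-baseline.sha256
#   wp_compare /home/user/wordpress-baseline.sha256 /path/to/wordpress

# wp_manifest <wordpress-root>: print "hash  ./relative/path" for every file.
wp_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# wp_compare <baseline-file> <wordpress-root>
# Prints MODIFIED / DELETED / NEW lines; returns 0 if the tree matches, else 1.
wp_compare() {
    local baseline="$1" root="$2" report
    report=$(
        wp_manifest "$root" | awk -v base="$baseline" '
            BEGIN {
                # Load the stored baseline: path -> hash
                while ((getline line < base) > 0)
                    old[substr(line, 67)] = substr(line, 1, 64)
            }
            {
                path = substr($0, 67); hash = substr($0, 1, 64)
                if (!(path in old))         print "NEW " path
                else if (old[path] != hash) print "MODIFIED " path
                delete old[path]            # whatever remains was deleted
            }
            END { for (path in old) print "DELETED " path }
        ' | sort
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Keep the baseline file outside the web root and not writable by the web server user, otherwise whoever can change the files can also change the baseline.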

Troubleshooting Permission Issues

“Cannot create directory” Error

# Check wp-content/uploads ownership
ls -ld wp-content/uploads

# Fix ownership
chown -R www-data:www-data wp-content/uploads

# Fix permissions
chmod 755 wp-content/uploads

“Failed to write to disk” During Upload

# Check uploads directory
chmod 755 wp-content/uploads
chown www-data:www-data wp-content/uploads

# Create uploads subdirectories
mkdir -p wp-content/uploads/2025/11
chmod 755 wp-content/uploads/2025/11

Plugin Installation Fails

// Add to wp-config.php for direct filesystem access
define('FS_METHOD', 'direct');

Security note: Only use on trusted, single-user servers.

Security Best Practices

Do:

  • Set files to 644, directories to 755
  • Secure wp-config.php to 440 or 400
  • Use file integrity monitoring
  • Run regular permission audits
  • Document any custom permissions

Don’t:

  • Use 777 permissions (except briefly for debugging)
  • Make wp-config.php writable
  • Give web server write access to core files
  • Ignore permission warnings
  • Set blanket 755 on all files

Automated Permission Script

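#!/bin/bash
# save as fix-wordpress-permissions.sh
# Stop on the first error and on unset variables
set -euo pipefail

WP_PATH="/path/to/wordpress"
WP_OWNER="username"
WP_GROUP="www-data"

# Refuse to run unless WP_PATH looks like a WordPress root,
# so a wrong or empty path never gets a recursive chmod/chown
if [ ! -f "${WP_PATH}/wp-config.php" ]; then
    echo "wp-config.php not found in ${WP_PATH}" >&2
    exit 1
fi

# Directories to 755
find "${WP_PATH}" -type d -exec chmod 755 {} \;

# Files to 644
find "${WP_PATH}" -type f -exec chmod 644 {} \;

# wp-config.php to 440
chmod 440 "${WP_PATH}/wp-config.php"

# Set ownership
chown -R "${WP_OWNER}:${WP_GROUP}" "${WP_PATH}"

# Special: uploads needs web server write
chown -R www-data:www-data "${WP_PATH}/wp-content/uploads"

echo "WordPress permissions fixed!"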

Run with:

chmod +x fix-wordpress-permissions.sh
./fix-wordpress-permissions.sh
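
A read-only counterpart to the script above, for the regular permission audits this guide recommends. It is an added example, not part of the original guide: it changes nothing and lists every path that deviates from the recommended modes, plus any PHP file under uploads. The function name audit_wp_perms and the finding labels are chosen for this example, and GNU find and stat are assumed.

```shell
#!/bin/bash
# Added example: read-only audit against the modes recommended in this guide.
# Assumes GNU find (-printf) and GNU stat (-c), as on typical Linux hosts.

# audit_wp_perms <wordpress-root>
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 on bad input.
audit_wp_perms() {
    local root="$1" cfg mode findings
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # Anything writable by "others" (777, 666, ...) is reported first.
        find "$root" \( -type f -o -type d \) -perm -0002 \
            -printf 'WORLD_WRITABLE %m %p\n'
        # Directories that are not exactly 755.
        find "$root" -type d ! -perm 0755 ! -perm -0002 \
            -printf 'DIR_MODE %m %p\n'
        # Files that are not 644; .htaccess may also be 444, and
        # wp-config.php is checked separately below.
        find "$root" -type f ! -name wp-config.php \
            ! \( -name .htaccess -perm 0444 \) \
            ! -perm 0644 ! -perm -0002 -printf 'FILE_MODE %m %p\n'
        # wp-config.php (in the root or one directory up) must be 440 or 400.
        for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
            [ -f "$cfg" ] || continue
            mode=$(stat -c '%a' "$cfg")
            case "$mode" in
                (400|440) ;;
                (*) echo "WP_CONFIG_MODE $mode $cfg" ;;
            esac
        done
        # PHP files have no business in the uploads directory.
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -iname '*.php' \
                -printf 'PHP_IN_UPLOADS %p\n'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Call it as audit_wp_perms /path/to/wordpress from cron or a deploy check and alert on a non-zero exit status.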

Properly configured file permissions are fundamental to WordPress security. They prevent unauthorized modifications, protect sensitive credentials, and limit damage if other security layers are breached. Audit your permissions regularly and maintain the principle of least privilege.
