Website Security plugin now automatically scans your WordPress files and folders for unsafe permissions and recommends how to change them if necessary.
What are WordPress File Permissions
WordPress file permissions protect your site’s files and directories from unauthorized access by hackers. Securing the proper permissions adds security to your site and makes it less vulnerable.
There are 3 types of file permissions in WordPress: read, write, and execute and are denoted in 2 ways. One of them is numerical.
| Permission | What it means | Denotion | |
| Read | User can view the contents of a file or directory, but not change anything | 4 | |
| Write | User allowed to modify the contents of a file or directory, but not execute it | 2 | |
| Execute | User allowed to run script files, or run scripts inside a directory | 1 | |
| No permission | User has no access to the file or directory | 0 |
Also, there are 3 categories of roles: user owner (single account), group owner (a set of users), and world (every other user). So, in the numeric schema, the permission number is a sum of all available permissions for each role. And here are 4 examples of how a file or folder permission is recognized by WordPress:
| User | Group | World | |||||||
| 777 | Read | Write | Execute | Read | Write | Execute | Read | Write | Execute |
| 644 | Read | Write | – | Read | – | – | Read | – | – |
| 755 | Read | Write | Execute | Read | – | Execute | Read | – | Execute |
| 440 | Read | – | – | Read | – | – | – | – | – |
While 000 or 440 seem to be the safest file permissions, they are impractical. And as you can see 777 is very dangerous as it leaves the file or directory open to modification by any user.
How to scan my website for unsafe permissions
The Website Security plugin automatically scans your website every 24 hours and checks all the permissions of the files and folders. Here is a list of all the files the plugin checks.
/.htaccess
/index.php
/wp-config.php
/wp-admin
/wp-includes
/wp-content
/wp-content/themes
/wp-content/plugins
/wp-content/uploads
You can see the results of your last scan on the main page of the plugin: go to Settings → Security by CleanTalk in your side menu. When you enter this page, a scan is immediately started to give you the most up-to-date information about your site’s security.
If there are some unsafe permissions you will see the message:
Permissions for files and directories from the list are unsafe. We recommend change it to 755 for each file and 644 for each directory from the list.
In that case, follow the instructions in the message. It is always recommended 755 for files and 644 for directories.
How to change access rights (using Linux as an example)
The Linux permissions for all files in your WordPress base directory should be set to readable and writable by the owning user (you), and readable only by everyone else. This creates a baseline where the web server can read all files. It will need read access in order to serve static content like images, CSS and Javascript files. Unlike the method above we will be adjusting script permissions to be more stringent later on.
find </path/to/wordpress> -type f \-exec chmod 644 {} \;If possible, the permissions for all files should be set to read and writable to your user, readable by the group, and no permissions for others. In some instances this may cause issues with other software or plugins, but it is possible to restrict these permissions in some instances.
Lockdown permissions for all PHP scripts so that only your user can read them. This is ideal because only your user should need to know the contents of scripts.
find </path/to/wordpress> -type f -name "*.php" \-exec chmod 640 {} \;Also, feel free to use Security by CleanTalk plugin to check wp-content automatically on a daily basis.
