Understanding file permissions on your WordPress site

This article explains how file permissions work on your WordPress site and what to do if you encounter permission errors.

What are file permissions

File permissions control who can read, write, and execute files on your server. Every file and directory has three permission levels:

Owner: the user who owns the file
Group: other users in the same group
Others: everyone else

Each level can have read (r), write (w), and execute (x) permissions. These are represented as a three-digit number where each digit controls one level.

Standard WordPress permissions

WordPress requires specific permissions to work correctly. These are the standard values:

Type	Permission	Meaning
Directories	755	Owner can read, write, execute. Group and others can read and execute.
Files	644	Owner can read and write. Group and others can only read.
wp-config.php	600	Only the owner can read and write. No access for anyone else.

Web60 sets these permissions by default when your site is created. Under normal circumstances, you do not need to change them.

Why permissions matter

Too open (777)

Setting a file or directory to 777 means anyone on the server can read, write, and execute it. This is a serious security vulnerability. An attacker who gains any foothold on the server could modify your files, inject malicious code, or steal data. Never use 777 on any file or directory.

Too restrictive (600 on everything)

If permissions are too restrictive, WordPress cannot function properly. Common symptoms include:

Media uploads failing with a "Could not create directory" error
Plugin and theme updates failing
Cache files not being created, causing slow page loads
White screen or error pages where WordPress cannot read its own files

When permission problems occur

The most common scenario is after uploading files via SFTP. Some SFTP clients upload files with permissions that differ from the WordPress defaults. If you upload a theme, plugin, or media files and something stops working, incorrect permissions are likely the cause.

How to fix permissions in FileZilla

If you use FileZilla (or a similar SFTP client) and encounter permission issues:

Connect to your site via SFTP using the credentials from the portal.
Navigate to the file or directory with the issue.
Right-click the file or folder.
Select File Permissions (or Properties depending on your SFTP client).
Enter the correct numeric value:
- 644 for files
- 755 for directories
If fixing a directory, you can tick "Recurse into subdirectories" and apply 755 to directories and 644 to files in one step.

wp-config.php is special

The wp-config.php file contains your database credentials and security keys. It should always be set to 600, which means only the file owner can read and write it. If this file has broader permissions, other users on the server could potentially read your database password.

Web60 sets wp-config.php to 600 by default. If you ever need to edit this file via SFTP, make sure you set it back to 600 after saving.

FAQ

Q: What permissions should WordPress files have?

A: Files should be set to 644, directories to 755, and wp-config.php to 600. These are the standard WordPress permissions and what Web60 sets by default.

Q: Why should I never use 777 permissions?

A: Permission 777 means anyone on the server can read, write, and execute the file. This is a serious security risk and can allow attackers to modify your files.

Q: How do I fix permissions after uploading files via SFTP?

A: In FileZilla, right-click the file or folder, select File Permissions, and enter the correct value: 644 for files or 755 for directories. You can apply to all files in a directory at once.