When someone gains unauthorised access to a WordPress site, wrong file permissions are often part of how they got in — or how they made the damage worse. Most site owners focus on passwords, plugins, and firewalls, but file permissions are a foundational security layer that’s easy to overlook and rarely checked.
File permissions control what the server, WordPress itself, and external processes are allowed to do with each file and folder. Set them too open, and your server becomes an easy target. Set them too restrictive, and WordPress breaks — images won’t upload, plugins stop functioning, and automatic updates fail.
Getting this right is largely a one-time task. Once the correct values are in place, you rarely need to revisit them. If you’ve recently built a new site, migrated a host, or noticed unexplained file errors, now is the right time to check. You can also combine this with a wider WordPress security audit to catch other common vulnerabilities at the same time.
What Are the Correct WordPress File Permissions?
The standard recommended permissions for a WordPress installation are:
- Files: 644
- Folders: 755
- wp-config.php: 640 (or 644 at minimum)
These values control three things: what the file owner can do, what the owner’s group can do, and what everyone else on the server can do. A value of 644 means the owner can read and write, while everyone else can only read. A value of 755 means the owner can read, write, and execute, while the group and others can only read and execute.
Never set permissions to 777. That grants full read, write, and execute access to all users on the server — a serious risk on any shared hosting environment.
Why File Permissions Affect Your Site’s Security
On shared hosting, your WordPress site shares a server with other websites. If file permissions are set too loosely, other processes or users on that server may be able to read or overwrite your files — including your database credentials stored in wp-config.php.
The most dangerous setting is 777 on executable files or sensitive folders. Attackers who find a vulnerability in any site on the server can use loose permissions to pivot — uploading malicious scripts, reading configuration files, or modifying your site’s code directly.
Correct permissions also reduce what an attacker can do after a successful intrusion. Even if someone gains access through a compromised plugin, tighter permissions limit how far they can spread. Pairing this with a WordPress firewall gives you a layered approach to defence.
How to Check and Fix WordPress File Permissions
Check Your Permissions in cPanel
Log in to your hosting account and open cPanel. Navigate to Files > File Manager and go to your WordPress root directory — usually public_html. File Manager shows a Perms column next to each file and folder displaying the current permission value.
If you see any files set to 777, those are the ones to fix first. Folders at 777 are equally problematic. Anything at 644 (files) or 755 (folders) is already correct.
Set Correct Permissions for WordPress Files
WordPress core files — everything inside wp-admin and wp-includes — should all be set to 644. These files do not need to be writable by the web server and should be readable by everyone but modifiable only by the file owner.
Your wp-config.php file deserves special attention. This file stores your database name, username, password, and authentication keys. Set it to 640 if your host supports it — this makes it unreadable to everyone except the owner and their group. Note that 640 only works when the PHP process runs as the file owner or as a member of the owner's group; if the web server runs as a separate user outside that group, WordPress cannot read the file at all and the site fails to load. If 640 causes issues, 644 is acceptable, but 640 is the stronger choice.
Set Correct Permissions for WordPress Folders
Most WordPress folders should be set to 755. This includes the root WordPress directory, wp-admin, and wp-includes.
The wp-content folder is the exception — WordPress needs to write to this folder to save uploaded images, install plugins, and update themes. It typically stays at 755, but some hosts require 775 for uploads to work. In my experience, 755 works on most managed WordPress hosts without issue. If your media uploads fail after setting this, try 775 before going higher.
The uploads folder inside wp-content also needs to be writable. Keep it at 755 by default and only move to 775 if uploads are failing.
Change Permissions in cPanel File Manager
In cPanel’s File Manager, right-click the file or folder you want to update and select Change Permissions. A dialogue box appears with tick boxes for owner, group, and public read, write, and execute access. Tick the boxes that match the permission value you need, then click Change Permissions to save.
To update a folder and all its contents at once, right-click the folder, choose Change Permissions, and tick the option to apply recursively. Use this carefully — applying file permissions recursively to a folder also sets all sub-folders to that value, which can over-restrict directories that need to remain writable.
Change Permissions via FTP
If you prefer an FTP client, connect to your server using FileZilla or a similar tool. Right-click a file or folder and select File Permissions. Enter the numeric value (644, 755, or 640) directly into the Numeric value field. To apply recursively to folders, tick Recurse into subdirectories and choose Apply to all files and directories — but again, do this selectively rather than applying one value to everything.
Practical Tips for Managing File Permissions
In most sites I build, the default permissions set by the hosting provider are already correct, or close to it. The problems usually appear after a botched migration, a manual file upload via FTP, or when someone has tried to fix a different issue by setting everything to 777. Start by identifying the problematic files rather than resetting everything.
WordPress resets file permissions automatically during core updates — files go back to 644 and folders to 755. So if a core update has just run and your customisations are intact, your permissions are likely already in a safe state.
The WordPress developer documentation on hardening WordPress covers file permissions in detail alongside other server-level security measures. It’s worth reading alongside setting up HTTP security headers, which tackles a different but complementary layer of server security.
Common Mistakes with WordPress File Permissions
Setting everything to 777 to fix an unrelated error. This is the most common mistake. When a plugin isn’t working or uploads fail, 777 is often the first thing people try because it makes the problem go away. It does fix the immediate symptom, but it leaves your site exposed. Diagnose the actual cause instead.
Applying recursive permissions carelessly. A recursive change on the entire WordPress directory with a single value causes problems — files and folders need different values, and folders inside wp-content may need to remain writable even when you’re tightening things elsewhere.
Ignoring wp-config.php. This file is the highest-value target on your server. Set it to 640 if your host allows it and check it every time you run a permission audit.
cPanel vs SSH: Which Should You Use?
cPanel File Manager works well for checking and fixing permissions on individual files or a small group of items. It’s visual and straightforward, which makes it the right choice for most site owners who only need to correct a handful of values.
SSH command line is faster for bulk changes — you can reset an entire WordPress installation to correct values in two commands using find with chmod. Most managed WordPress hosts don’t offer SSH access on entry-level plans, so cPanel or FTP is usually the practical option. If you do have SSH access, the WordPress hardening guide includes the exact commands to use.
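The two-command reset mentioned above, together with an audit that lists anything still group- or world-writable (the 777 and 775 cases discussed throughout this article), as an added POSIX shell example. This is not code from the page or from the WordPress hardening guide: the directory layout and file names are constructed in a temporary directory purely for demonstration, and the helper names (`fix_permissions`, `find_loose_permissions`, `mode_of`) are this example's own.

```shell
#!/bin/sh
# Added example: reset a WordPress tree to 644/755/640 and audit for loose modes.
set -eu

# Build a small constructed WordPress-like tree and deliberately set it to 777,
# reproducing the common "chmod -R 777 to fix an error" mistake.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads"
  : > "$root/index.php"
  : > "$root/wp-config.php"
  : > "$root/wp-content/uploads/photo.jpg"
  chmod -R 777 "$root"
}

# The "two commands" reset: directories to 755, files to 644, then the one
# deliberate exception, wp-config.php to 640. Run on the WordPress root only,
# never on a directory above it.
fix_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
}

# Audit: print every path whose mode lets the group or others write to it
# (777, 775, 666, and similar). Empty output means nothing is loose.
find_loose_permissions() {
  find "$1" \( -perm -g+w -o -perm -o+w \)
}

# Report the octal mode of a path; tries GNU stat first, then BSD stat.
mode_of() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%Lp' "$1"
  fi
}

# Usage: sh wp-perms.sh /path/to/public_html
# With a path argument, reset that install and print anything still loose.
if [ "$#" -gt 0 ]; then
  fix_permissions "$1"
  find_loose_permissions "$1"
fi
```

If media uploads fail after the reset, loosen only wp-content/uploads to 775 (as the article advises) and re-run `find_loose_permissions` so that path is the single expected line in the audit output rather than an unnoticed leftover.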
Building a secure WordPress site covers more than just file permissions — the step-by-step guide to building a WordPress website walks through the foundational setup steps that keep your site stable and protected from launch.
Conclusion
Set WordPress files to 644, folders to 755, and wp-config.php to 640. Check cPanel or FTP for any values sitting at 777 and fix those first. Once correct permissions are in place, WordPress maintains them through core updates — so this is a task you do once and then verify periodically rather than manage continuously.

Etienne Basson works with website systems, SEO-driven site architecture, and technical implementation. He writes practical guides on building, structuring, and optimizing websites for long-term growth.