Join Jeff Starr for an in-depth discussion in this video, Set proper file permissions, part of WordPress: Developing Secure Sites.
- [Narrator] Most web hosts do a good job at setting default permissions for files and directories. But it's a good idea to check that everything is configured for optimal security. In this video, we'll see how to check for proper file permissions for your WordPress-powered site. According to the WordPress Codex, the default permissions for all WordPress files is 644 and the default permissions for all WordPress directories is 755. These settings are optimal for giving WordPress the access it needs while protecting itself from external requests.
Let's take a look at our WordPress files on the server and check their file permissions. Here we are looking at the list of files in the WordPress installation directory. Here we can check permissions for directories and check permissions for files and we can even drill down further and check other permissions as desired. Examining the permissions for these items, we see that the directories are all 755 and the files are all 644, so everything is right on track.
What we don't want to see are any permissions that are greater than 755 for directories or greater than 644 for files. If you see anything like that consult your host immediately. Note, if your web host file manager displays permissions like this, or this, you can use a free online converter to translate the values. For example, here is a good converter that's freely available online. For further discussion about converting permissions, check out my previous video on Protecting the WordPress Configuration File.
If you don't have access to your server's file manager, you can check your file permissions using a handy plugin such as WP-File-Permission-Check, which is available at GitHub. Once the plugin is installed and activated as it is here, navigate to the tools menu and select file checker. Here on the plugin settings page you can scan your directories and files for proper permissions and size. Let's go ahead and check our files by clicking Run File Check.
Once the job is complete, you can scan down the columns to check the permissions of your folders and files. Folder names are displayed in bold text, so that makes it a little easier to discern values. Note that this plugin is not hosted in the WordPress plugin directory, so I've got to recommend uninstalling it after using it, just to play it safe. Chances are good that if you're using a decent host, your site's already set up with proper file permissions. But if that's not the case, and you need to change something, consult with your host for the best way forward.
With most web hosts, the default permission settings normally are just fine. But you should not take it for granted. Verifying proper permissions is a simple process and it could save you a lot of grief down the road.
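For readers with shell access to the server, the same check can be scripted. This is an added example, not code from the video or the course: `audit_wp_perms` lists files with any permission bit beyond 644 and directories with any bit beyond 755, and `sym_to_octal` converts the symbolic form some file managers display. Both function names are hypothetical, and the script assumes GNU find.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; assumes GNU find
# (-perm /MODE and -printf are GNU extensions).

# List everything under a WordPress root that is more permissive than the
# defaults named above: 644 for files, 755 for directories.
audit_wp_perms() {
    root=$1
    # 0133 = every bit NOT in 644: execute for anyone, write for group/other.
    find "$root" -type f -perm /133 -printf 'FILE %m %p\n'
    # 0022 = every bit NOT in 755: write for group/other.
    find "$root" -type d -perm /022 -printf 'DIR %m %p\n'
}

# Convert symbolic permissions such as "rw-r--r--" (or "drwxr-xr-x" with a
# leading file-type character) to octal. Setuid/setgid/sticky bits are not
# reported; s and t are counted as execute.
sym_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] && s=${s#?}        # drop the file-type character
    [ "${#s}" -eq 9 ] || return 1         # anything else is not a mode string
    out=
    while [ -n "$s" ]; do
        rest=${s#???}                     # everything after the first triplet
        trip=${s%"$rest"}                 # the first rwx triplet itself
        s=$rest
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in ??[xst]) d=$((d + 1)) ;; esac
        out=$out$d
    done
    echo "$out"
}

# Usage (the path is an assumption; use your own installation directory):
#   audit_wp_perms /var/www/html
#   sym_to_octal drwxr-xr-x
```

No output from `audit_wp_perms` means every file and directory is at or below the 644/755 defaults.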
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security