In my time managing large numbers of WordPress sites, an almost universal mistake that I see on sites added to my portfolio of managed sites is Administrators incorrectly setting the file and folder permissions of their WordPress instances. It has gotten to the point where I prefer to assume that the file and folder permissions were set incorrectly and just force-set them to what they should be, every time.
The cause of this is twofold:
1. Laziness on the part of the Administrator, many of whom are looking to get a site up right now and do not care much about security or the long term, instead handling things with dozens of poorly written plugins.
2. Documentation that is unread by the Administrator. WordPress.org has This Page dedicated to permissions, and it’s a long (but important) read that will save a lot of headaches down the road.
The gist of it is this:
- WordPress files should have 644 permissions, giving the owner read and write access, while others can only read.
- Directories should have 755 permissions, allowing the owner to read, write, and execute, with others limited to read and execute.
- For security, set the wp-config.php file to 440 or 400 to restrict access to the owner only.
Handling it the easy way
After years of needing to type in the permissions management commands by hand, I created this repo as a way of handling WordPress permissions easily. You don’t even need to clone the repo; just copy and paste the following command into your terminal (root access required):
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/JackPala/Wordpress-Lazy-Permsetter/main/permsetter.sh)"
It will ask you what directory your site is in; usually this is something like /var/www/html if you simply have a default Apache2 setup. It will also ask you what your webserver user is. This is usually www-data, so you can just leave it blank and hit enter.
And that’s it! Your permissions are set up correctly (double-check them yourself, of course).
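One way to do that double check, as an added example that is not part of the permsetter repo: a read-only audit that lists every path whose mode differs from the values given above (755 for directories, 644 for files, 440 or 400 for wp-config.php). It assumes GNU find (for -printf), and the function name wp_perm_audit is made up for this example.

```shell
#!/bin/sh
# Added example: report paths in a WordPress tree whose mode differs from
# the values in this post. Read-only: it changes nothing on disk.
# Assumes GNU find; wp_perm_audit is a hypothetical name.

# The body is a subshell "( ... )" so its variables stay local.
wp_perm_audit() (
    root="${1:?usage: wp_perm_audit /path/to/wordpress}"
    root="${root%/}"                 # tolerate a trailing slash
    cfg="$root/wp-config.php"

    findings="$(
        # Directories must be exactly 755.
        find "$root" -type d ! -perm 755 \
            -printf 'DIR  %m (want 755) %p\n'

        # Regular files must be exactly 644; wp-config.php is checked below.
        find "$root" -type f ! -path "$cfg" ! -perm 644 \
            -printf 'FILE %m (want 644) %p\n'

        # wp-config.php must be 440 or 400.
        if [ -f "$cfg" ]; then
            find "$cfg" -type f ! -perm 440 ! -perm 400 \
                -printf 'CONF %m (want 440 or 400) %p\n'
        fi
    )"

    # Exit status 0 means the tree matches; 1 means deviations were printed.
    if [ -z "$findings" ]; then
        exit 0
    fi
    printf '%s\n' "$findings"
    exit 1
)

# Run as a script with the site directory as the only argument, e.g.
#   sh wp_perm_audit.sh /var/www/html
if [ "$#" -eq 1 ]; then
    wp_perm_audit "$1"
fi
```

An exit status of 0 with no output means every path matched; each output line otherwise shows the current mode, the expected mode, and the path.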