What should the permissions be? Really!

  • I am coming to the quick realization that some WordPress (2.6) features, some that I am very used to, others that are new to 2.6, won’t work if the permissions on directories and files aren’t set correctly. After some lengthy Googling, what “correct” is seems to be anyone’s guess based on what OS, webserver, WP version, plugin or theme you happen to be running.

    So here is my question:

    What should the permissions on every directory and file within a WordPress 2.6 installation be for the application to work as intended?

    I would really like to hear from everyone – the community at large as well as those close to the WordPress development. But at the end of the day, I would appreciate hearing from an official source.

Viewing 8 replies - 1 through 8 (of 8 total)
  • I think it depends on how you use WP. Some recommended permissions are listed here but that’s all the help I can give you I’m afraid.



    Forum Janitor

    The link that finkyfeke gave should help you, but unfortunately it is very dependent on how your web hosting is configured as to what permissions will work best (and be most secure).

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    There is no way to give a generic set of permissions like that, because the correct permissions depend entirely on how your web host is configured.

    A good general principle is to start out with everything at 644, and then increase them to the minimum needed to make specific things work when you need them to work.

    The “safest” set of permissions is always “the lowest permissions that still work”. 🙂

    You have to choose between security and convenience.


    Those who choose convenience over security, deserve neither security nor convenience!
    ~~ Benny “the original wordpresser” Franklin

    Sorry I couldn’t resist. Having said that, is there a reason why the WP-SUPERCACHE plugin (I believe) says that the ‘root’ directory for the site root should not be writable by anyone including the owner? This of course makes upgrading difficult, but beyond that, why?

    So I find this interesting. The software has these great features but only if you reduce your security (at least temporarily). Otherwise they don’t work and in most cases don’t even tell you why.

    If they are going to continue with this model, if it is in fact true, I do like the approach that some plugins use where they notify you of their inability to function and ask for credentials so they can.

    As a software developer I find the model incomplete and lacking. That said the benefits of WordPress far outweigh this deficiency.

    Thanks all who have added to this thread.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    “Otherwise they don’t work and in most cases don’t even tell you why.”

    Actually, most of the time it does check and does tell you why it won’t work.

    A few quick examples:

    – If you change your permalinks, it creates an .htaccess for you. If it is unable to do so, it gives you the .htaccess rules instead and tells you to put them in the file yourself.

    – If you try to use the theme or plugin editor, and the file is not writable, then it will give you the file, but also a message saying “if this file was writable then you could edit it”.

    – The plugin updater works in one of two ways. If it can’t write the files itself, then it tries to FTP to itself by asking the user for FTP credentials.

    “The software has these great features but only if you reduce your security (at least temporarily).”

    I take some exception to that… There’s security and then there is paranoia. Security is not a matter of “improved” or “reduced” in any meaningful sense by making a few changes. That’s oversimplification of reality.

    If I make a file world writable, then it doesn’t affect my security in any way if the world still has no access to my system. Securing a system is far more complex than a set of rules that you have to follow. People like those sets of rules because they’re easy to understand, but they then get the mistaken impression that the rules must be followed, because anything less is “less secure”. It’s not true and it’s the wrong way to think about security, because it leads people into doing stupid things for no good reason.

    This is what I did on mine based on all the stuff I read and it worked pretty well so far on a Media Temple host.

    So like Otto basically said… chmod the entire root to 644 and work your way up from there.

    For Directories
    chmod 755;

    For Files
    chmod 644;

    **** REQUIRED FOR WP-SUPER-CACHE/ I tried 755 to no avail ****
    /wp-content/ 777
    /wp-content/wp-cache-config.php 666

    wp-config 600
    .htaccess 666

    IMPORTANT— according to the wordpress doc
    You have to omit to use this command for /wp-includes/
    Usually 444
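
An added example, not part of any post in this thread: a POSIX shell audit that lists every entry in a WordPress tree that is more permissive than the 644-files / 755-directories baseline discussed above, so each exception (such as the 666 and 777 entries in the last post) is a visible, deliberate choice. The function names and tags are made up for this example, and flagging a group- or other-readable wp-config.php is an assumption taken from the 600 in that list; some hosts need it readable by the web server's user.

```shell
#!/bin/sh
# Added example (not from the thread): report deviations from the
# 644-files / 755-directories baseline in a WordPress tree.

# tag_findings TAG: prefix each path read on stdin with TAG.
tag_findings() {
    sed "s|^|$1 |"
}

# audit_wp_perms ROOT: print "<TAG> <path>" for every deviation found.
audit_wp_perms() {
    root=$1

    # Writable by "other": the 666 / 777 entries from the list above land here.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        tag_findings WORLD-WRITABLE

    # Writable by group but not by other: still above 644 / 755.
    find "$root" \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print |
        tag_findings GROUP-WRITABLE

    # Regular files with any execute bit set; 644 has none.
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        tag_findings EXECUTABLE-FILE

    # wp-config.php holds the database credentials; flag it when group or
    # other can read it (assumption: 600 is the target, as in the list above).
    find "$root" -type f -name wp-config.php \( -perm -0040 -o -perm -0004 \) -print |
        tag_findings CONFIG-READABLE
}

# Run against a path given on the command line, e.g.: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

An empty result means the tree is at or below the baseline; each line that does appear should correspond to a feature you chose to enable.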
