Secure File and Directory Permissions
Setting the right file and directory permissions is essential to prevent unauthorised access to — or modification of — your WordPress site. Incorrect permissions can allow attackers to overwrite files, inject malicious code, or take full control of your website.
Set wp-config.php to 440.
Recommended permissions
- Files: 644 — The owner can read and write; everyone else can only read.
- Directories: 755 — The owner can read, write, and execute; everyone else can read and execute.
- wp-config.php: 440 — Restricts access to sensitive configuration details.
Tips:
- Never use 777. It grants write access to everyone and is a major security risk.
- Audit permissions regularly, especially after installing new plugins or themes.
Set WordPress core files to 444
Applying 444 (read-only) permissions to all files inside the wp-includes directory is a simple but effective hardening step.
The wp-includes folder contains core libraries that WordPress needs to read and execute — but never modifies during normal operation. Making these files read-only prevents malicious code, vulnerable plugins, or compromised admin accounts from injecting or altering core functionality. This significantly reduces the risk of persistent malware infections.
Do not apply 444 to the wp-includes directory itself — only to the files inside it. Directories need the execute permission to be accessible. If you accidentally remove it, log in via SFTP and reset the directory permissions to 755.
To set secure permissions across all wp-includes files (the command below also covers the files in wp-admin):
- Log in via SSH.
- Go to your main website directory:
```bash
cd public_html
```
- Run the following command:
```bash
find wp-admin wp-includes -type f -exec chmod 444 {} \;
```
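As an added example (not part of the original guide), the following POSIX shell script turns the recommendations above into an audit: it builds a constructed sample site with a few deliberately wrong modes, then reports every entry that is world-writable, a directory that is not 755, a wp-config.php that is not 440, a file under wp-includes that is not 444, or any other file that is not 644. It assumes GNU coreutils (for `stat -c`) and uses only constructed paths.

```bash
#!/bin/sh
# Added example (not from the original guide): builds a throwaway WordPress-like
# tree with deliberately wrong modes, then audits it against the rules above
# (files 644, dirs 755, wp-config.php 440, wp-includes files 444, never 777).
# Assumes GNU coreutils for stat -c; every path below is constructed.

make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-includes" "$site/wp-content/plugins/demo"
  for f in index.php wp-config.php wp-includes/load.php \
           wp-includes/plugin.php wp-content/plugins/demo/x.php; do
    echo '<?php' > "$site/$f"
  done
  chmod 644 "$site/index.php"                       # correct
  chmod 644 "$site/wp-config.php"                   # wrong: should be 440
  chmod 444 "$site/wp-includes/load.php"            # correct core file
  chmod 664 "$site/wp-includes/plugin.php"          # wrong: should be 444
  chmod 777 "$site/wp-content/plugins/demo/x.php"   # wrong: never 777
  chmod 755 "$site/wp-includes" "$site/wp-content" "$site/wp-content/plugins"
  chmod 777 "$site/wp-content/plugins/demo"         # wrong: world-writable dir
  printf '%s' "$site"
}

# Print one finding per line as "<mode> <relative path> <reason>".
audit_permissions() {
  root=$1
  find "$root" -mindepth 1 \( -type f -o -type d \) -exec stat -c '%a %n' {} + |
  while read -r mode path; do
    rel=${path#"$root"/}
    reason=""
    # Last octal digit 2, 3, 6 or 7 means "others" can write (the 777 case).
    case "$mode" in *[2367]) reason="world-writable" ;; esac
    if [ -z "$reason" ]; then
      if [ -d "$path" ]; then
        [ "$mode" = 755 ] || reason="directory should be 755"
      elif [ "$rel" = wp-config.php ]; then
        [ "$mode" = 440 ] || reason="wp-config.php should be 440"
      else
        case "$rel" in
          wp-includes/*) [ "$mode" = 444 ] || reason="core file should be 444" ;;
          *)             [ "$mode" = 644 ] || reason="file should be 644" ;;
        esac
      fi
    fi
    [ -z "$reason" ] || echo "$mode $rel $reason"
  done
}
demo=$(make_sample_site)        # stand-alone run: build, report, clean up
audit_permissions "$demo"
rm -rf "$demo"
```

Point `audit_permissions` at a real site root (for example `public_html`) after installing plugins or themes; an empty report means the tree matches the recommendations.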
How to edit permissions
You can change permissions on any file or folder by right-clicking it and selecting Permissions from the menu.
