This section explains file write permissions, an important WordPress security issue.

What are permissions? How do I set them?

WordPress contains thousands of files and folders, all of which have permission attributes set for who can view, edit, and run the files.
This is called permissions.

Permissions can be set by connecting to the server with FTP software and right-clicking on a file.

What are proper WordPress permissions?

On many servers, WordPress is run by a user with the attribute of owner.
The only place where files are written in wordpress is the wp-content/upload folder.

However, when updating WordPress itself or a theme plugin, all other folders and files will be rewritten, so in order to be able to perform updates from the administration screen, all files and folders must be deleted from the

Read → Allowed for all
Write → Allowed for owner only
Execute → Allowed

This is the simplest and most secure general permission setting. This permission is expressed as a numerical value of 755 in the configuration.

What are the most secure permissions?

To prevent hackers from tampering and malware from writing to your site, you should make only the wp-content/upload folder writable and make all other files and folders writable, including owner permissions. Logically, all program files cannot be rewritten from the outside.

Some servers may restore the permissions on their own, so you may not be able to set these permissions.

Read → All are allowed
Write → Not allowed for all (except wp-content/upload folder)
Execute → All are allowed

However, in this case, you will not be able to update from the administration screen. This permission may be used to prevent re-infection of malware if you have been affected by malware and you want to keep this permission for a few months after cleaning up the site.

Check if WordPress is running with secure permissions

You can use the free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] to check if your files and folders are running with generally secure permissions.

In the WordPress admin panel? > Malware Scan > Security tab.

If permissions are weak, a red warning will be given for that item.

Related Posts:

  1. What are the strongest permissions to prevent malware infection in WordPress?
    We will introduce the strongest file write permissions (permissions) to prevent malware infection in cases such as repeated malware infections in WordPress....
  2. Checklist for Improving WordPress Security
    WordPress Doctor helps hundreds of sites a year clean up malware and create secure sites. Based on this experience, we have created a checklist for running WordPress securely according to its level of importance. We hope you find it helpful....
  3. Security Concerns When Automatic WordPress Updates Fail
    The automatic update of WordPress has failed. Please try updating again.” This page explains what kind of security concerns there are and how to deal with them....
  4. WordPress malware Random one-byte alphanumeric folders with large numbers of HTML files hosted illegally
    This article describes this type of tampering, as there have been an increasing number of cases in which WordPress has been hacked and a large number of malicious files have been hosted in random one-byte alphanumeric folders without permission....
  5. What to do if you can no longer rewrite or delete HTACCESS due to wordpress tampering
    Here is what to do when you can no longer rewrite or delete HTACCESS due to WordPress malware infection (tampering)....
  6. What to do for your site users when WordPress is hacked, tampered with, or hijacked.
    This page explains how to respond to users (those who use the site) when there is a possibility of damage to users who visit the site, such as being redirected to another site, being sent to a sweepstakes site, or downloading malicious files due to WordPress tampering. This page explains how to respond to users (those who use the site)...