This section explains file write permissions, an important WordPress security issue.

What are permissions? How do I set them?

WordPress contains thousands of files and folders, each with attributes that control who can view, edit, and run it.
These attributes are called permissions.

Permissions can be set by connecting to the server with FTP software and right-clicking on a file.

What are proper WordPress permissions?

On many servers, WordPress runs as the user that owns the files.
The only place where WordPress writes files is the wp-content/uploads folder.

However, when you update WordPress itself, a theme, or a plugin, all other folders and files are rewritten. To be able to perform updates from the administration screen, all files and folders must therefore be set as follows:

Read → Allowed for all
Write → Allowed for owner only
Execute → Allowed

This is the simplest and most secure general permission setting. This permission is expressed as a numerical value of 755 in the configuration.

What are the most secure permissions?

To prevent hackers from tampering with your site and malware from writing to it, make only the wp-content/uploads folder writable and make all other files and folders non-writable, even for the owner. Logically, no program file can then be rewritten from the outside.

Some servers may restore the permissions on their own, so you may not be able to set these permissions.

Read → All are allowed
Write → Not allowed for all (except wp-content/uploads folder)
Execute → All are allowed

However, in this case you will not be able to update from the administration screen. If your site has been affected by malware, you can keep this setting for a few months after cleaning up the site to prevent re-infection.
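
The two settings described above can also be checked from the command line. The following Python script is an added example, not part of the original page or of the plugin mentioned below: it walks a WordPress tree and lists every file or folder that violates either the general (755 style) setting or the stricter no-write setting. The function names, the sample tree, and the default writable folder wp-content/uploads are assumptions of this example.

```python
import os
import stat
import tempfile

WRITE_ANY = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
WRITE_NON_OWNER = stat.S_IWGRP | stat.S_IWOTH

def audit(root, policy="general", writable_dir="wp-content/uploads"):
    """Return sorted (relative_path, octal_mode) pairs that violate a policy."""
    # general : 755 style, only the owner may write.
    # hardened: no write bit for anyone, except inside writable_dir (assumed default).
    exempt = os.path.normpath(writable_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not enforced
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if policy == "hardened":
                inside = rel == exempt or rel.startswith(exempt + os.sep)
                bad = bool(mode & WRITE_ANY) and not inside
            else:
                bad = bool(mode & WRITE_NON_OWNER)
            if bad:
                findings.append((rel, format(mode, "03o")))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (not a real WordPress install)."""
    layout = {  # relative path -> mode, all values constructed
        "wp-config.php": 0o644,
        "wp-includes/version.php": 0o444,
        "wp-content/plugins/demo/demo.php": 0o666,
        "wp-content/uploads/photo.jpg": 0o644,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        for dirpath, _, _ in os.walk(root):
            os.chmod(dirpath, 0o755)  # pin directory modes regardless of umask
        return audit(root, "general"), audit(root, "hardened")

if __name__ == "__main__":
    print(dict(zip(("general", "hardened"), demo())))
```

On a real site, call audit() with the path of the WordPress root folder. Under the stricter setting, folders with mode 755 are reported too, because a folder the owner can write to still allows new files to be created in it.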

Check if WordPress is running with secure permissions

You can use the free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal] to check if your files and folders are running with generally secure permissions.

In the WordPress admin panel, go to Malware Scan > Security tab.

If permissions are weak, a red warning will be given for that item.