WordPress file permissions control who can read, write, and execute files on your server, and incorrect settings can trigger update failures, plugin errors, or security risks.
This guide explains how to fix WordPress file permissions safely and what settings matter most across Linux hosting, cPanel, and FTP workflows.
What WordPress file permissions do
File permissions are an operating system feature used on Linux and Unix-based servers to define access for the file owner, group, and everyone else.
In WordPress, these permissions determine whether core files, themes, plugins, uploads, and configuration files can be edited by the web server or only read by it.
The most common permission types are read, write, and execute.
On many hosts, they are represented as three-digit numbers such as 644 or 755, which are shorthand for user, group, and public access.
Why incorrect permissions break WordPress
When permissions are too restrictive, WordPress may not be able to update plugins, create image thumbnails, or write cache files.
When they are too permissive, malicious scripts or unauthorized users may be able to modify sensitive files.
- Update failures: WordPress cannot write to core, plugin, or theme folders.
- Media upload issues: The wp-content/uploads directory may reject new images.
- Security exposure: Overly open permissions can allow unwanted file changes.
- White screen or error messages: Misconfigured files can prevent PHP from loading properly.
Recommended WordPress file permission settings
For most WordPress sites on standard Linux hosting, the safest and most common settings are simple:
- Directories: 755
- Files: 644
- wp-config.php: 640, 644, or stricter if your host supports it
These values usually allow WordPress to function normally while limiting unnecessary write access.
If your host uses a different PHP handler or ownership model, the exact values may vary slightly, but 755 and 644 are the standard starting point.
How to fix WordPress file permissions with FTP
If you use an FTP client such as FileZilla, you can correct permissions directly from your computer.
This method works well for small to medium sites and gives you clear control over directories and files.
- Connect to your server using FTP credentials from your hosting account.
- Open the root folder of your WordPress installation, often named public_html, www, or the site domain.
- Select folders such as wp-admin, wp-content, and wp-includes.
- Set directory permissions to 755 and apply recursively to subdirectories.
- Select files in the same location and set permissions to 644.
- Locate wp-config.php and adjust it to 640 or 644 if needed.
Be careful not to set all files and folders to the same value.
A common mistake is giving both directories and files 777, which is unnecessary and unsafe on almost every hosting environment.
How to fix WordPress file permissions in cPanel
Many shared hosting providers include a File Manager in cPanel, which lets you change permissions without FTP software.
This is useful if you need a quick fix from the browser.
- Log in to cPanel and open File Manager.
- Go to the WordPress root folder.
- Right-click a folder and choose Permissions or Change Permissions.
- Set folders to 755.
- Open individual files and set them to 644.
- Review wp-config.php separately and keep it more restrictive if possible.
Some hosts provide a bulk permission tool.
Use it carefully, because one incorrect recursive action can change the entire site in seconds.
How to fix permissions with SSH and chmod
If you have SSH access, you can correct permissions quickly with the chmod command.
This method is efficient for larger sites or developers managing multiple installations.
Typical commands look like this:
- Directories:
find /path/to/wordpress -type d -exec chmod 755 {} \; - Files:
find /path/to/wordpress -type f -exec chmod 644 {} \; - wp-config.php:
chmod 640 wp-config.php
Before running commands, confirm the correct path to your site.
If you are unsure about ownership or user-group mapping, ask your host before changing anything, because permissions alone cannot always solve ownership problems.
What about file ownership and server user mismatch?
File permissions and file ownership are related but not identical.
Ownership determines which system user and group control the file, while permissions define what those users can do.
If WordPress cannot update files even when permissions look correct, ownership may be the real issue.
This often happens on VPS, dedicated servers, or sites migrated from another host.
In those cases, the web server user may not match the file owner, so PHP cannot write to directories that appear to be set correctly.
Signs ownership may be the problem
- Updates fail even after setting directories to 755 and files to 644.
- Uploads work in one folder but not another.
- One site in a multi-site server works while another does not.
- PHP error logs show permission denied messages despite normal-looking settings.
Which WordPress folders need special attention?
Most folders follow the standard rules, but a few deserve extra care because they are updated frequently or may contain sensitive data.
- wp-content/uploads: Must be writable for media uploads.
- wp-content/cache: Often needs write access for caching plugins.
- wp-content/plugins: Should remain writable only when updates are required.
- wp-content/themes: Usually 755 for folders and 644 for files.
- wp-config.php: Should be protected as much as your host allows.
If a plugin asks for 777 permissions, treat that as a warning sign.
Reputable plugins should work with standard server settings on properly configured hosting.
How to verify the fix worked
After adjusting permissions, test the exact actions that were failing.
This is the fastest way to confirm whether the site is back to normal.
- Upload a test image to the Media Library.
- Update a plugin or theme.
- Save a draft post or page.
- Check whether cache folders create files properly.
- Review the site’s error log for remaining permission warnings.
If the site still fails, the issue may involve ownership, disk quota, security rules from ModSecurity, or a hosting-level restriction rather than permissions alone.
Common mistakes to avoid
Many WordPress permission problems come from a few repeatable errors.
Avoid these to reduce downtime and security exposure.
- Setting all files and folders to 777.
- Changing permissions without checking the specific folder that failed.
- Applying recursive changes to the wrong directory.
- Ignoring file ownership after a migration.
- Leaving wp-config.php more open than necessary.
Security tools such as Wordfence or host-level malware scanners may also flag dangerous permission changes, so keep settings conservative unless a specific application requirement says otherwise.
Best practices for maintaining safe permissions
Once you know how to fix WordPress file permissions, the next step is keeping them stable.
Standardize your workflow after updates, migrations, and plugin installs so your server remains predictable.
- Use 755 for directories and 644 for files by default.
- Limit write access to the folders that truly need it.
- Review permissions after migrations, restores, and staging-to-live pushes.
- Keep backups before making server-wide changes.
- Check logs when a plugin or theme update fails instead of guessing.
On managed WordPress hosting, many of these settings are handled for you, but it is still important to know what the correct values should look like so you can troubleshoot quickly when something changes.