Fix incorrect WordPress file and directory permissions in one click through WP Ghost’s Security Check, or manually via FTP or cPanel. Incorrect permissions are one of the most common server-level security issues. If directories are set to 777 or files are world-writable, attackers who exploit a plugin vulnerability can modify any file on your server, including wp-config.php. WP Ghost detects incorrect permissions during a Security Check and offers a one-click fix that sets directories to 0755, files to 0644, and config files to 0444. This is a Premium feature. The FTP and cPanel methods work without WP Ghost.
Why File Permissions Matter

File permissions control who can read, write, and execute files on your server. On a WordPress site, three types of users interact with files: the server owner (your hosting account), the web server process (Apache/Nginx), and everyone else. When permissions are too open (e.g., 777), any process on the server can modify your files. If an attacker exploits a vulnerability in any plugin, they can inject malicious code into core files, steal database credentials from wp-config.php, or install backdoors. Correct permissions limit what each user can do, containing the damage even if a vulnerability exists.
The Correct Permission Values
WordPress recommends these permission values for a secure installation:
- Directories: 0755 – The owner can read, write, and execute. The web server group and others can read and execute (needed to serve files) but cannot modify.
- Files: 0644 – The owner can read and write. The web server group and others can read only (needed to serve content) but cannot modify.
- Config files (wp-config.php): 0444 – Read-only for everyone. This prevents any process from modifying your database credentials and security keys, even if a vulnerability is exploited.

Fix Permissions with WP Ghost (One Click)
The fastest method. WP Ghost detects incorrect permissions during a Security Check and fixes them in one click.
- Go to WP Ghost > Security Check.
- Click Start Scan.
- If file permissions are incorrect, WP Ghost flags them as a security task.
- Click Fix it and select your scope: fix all directories, files, and config files, or just the main directories.
- After the fix, run the Security Check again to confirm all tasks pass.


Fix Permissions via FTP
If you prefer to fix permissions manually or don’t have WP Ghost Premium, use an FTP client like FileZilla:
- Right-click the WordPress root folder and select File permissions. Set the value to 755. Check Recurse into subdirectories and select Apply to directories only. Click OK.
- Right-click the WordPress root folder again. Set the value to 644. Check Recurse into subdirectories and select Apply to files only. Click OK.
- Locate wp-config.php in the root folder. Right-click, select File permissions, and set it to 444. Click OK.
Fix Permissions via cPanel File Manager
If your hosting uses cPanel, you can modify permissions directly through the File Manager:
- Log in to your cPanel dashboard and open File Manager.
- Right-click a directory and choose Change Permissions. Set to 755. Repeat for all directories.
- Right-click a file (e.g., index.php) and choose Change Permissions. Set to 644. Repeat for all files.
- Set wp-config.php to 444.
cPanel limitation: The cPanel File Manager doesn’t have a “recurse into subdirectories” option like FTP clients. You’ll need to set permissions on each directory individually, or use the Terminal feature in cPanel to run a bulk command.
For directories:
find /path/to/wordpress -type d -exec chmod 755 {} \;
For files:
find /path/to/wordpress -type f -exec chmod 644 {} \;
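An added example (not WP Ghost's code and not part of the original page): a shell audit-and-fix for the Terminal method, using the page's targets of 755, 644 and 444. It assumes GNU find and stat, as found on typical Linux hosting; the function names are illustrative.

```shell
#!/bin/sh
# Usage: audit_wp_perms /path/to/wordpress
#        fix_wp_perms   /path/to/wordpress

# Print "<current> <expected> <path>" for every path that deviates from
# 755 (directories), 644 (files) or 444 (wp-config.php).
audit_wp_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -exec stat -c '%a 755 %n' {} +
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        -exec stat -c '%a 644 %n' {} +
    find "$root" -type f -name wp-config.php ! -perm 444 \
        -exec stat -c '%a 444 %n' {} +
}

# Print only the world-writable paths (the 777/666 class), which are the
# ones to review first because any account on the server can change them.
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print
}

# Apply the targets. wp-config.php is excluded from the 644 pass: a plain
# "find -type f -exec chmod 644" would reset it to owner-writable.
fix_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 444 {} +
}
```

Run audit_wp_perms before and after fix_wp_perms; an empty result after the fix means every path matches the targets.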
Customize Default Permission Values
If your hosting environment requires different permission values, you can override the defaults WP Ghost uses by adding constants to your wp-config.php file.
Custom file permissions (default is 0644):
define( 'HMW_FILE_PERMISSION', 0640);
Custom directory permissions (default is 0755):
define( 'HMW_DIR_PERMISSION', 0750);
These constants change what WP Ghost applies when you click “Fix it” in the Security Check. Adjust the values to match your hosting provider’s requirements. Common alternatives include 0640 for files (no read access for “others”) and 0750 for directories (no access for “others”).
Troubleshooting
Site shows “Permission denied” or blank page after fixing permissions
The web server may need slightly different permissions for your hosting configuration. Some shared hosting providers require 0750 for directories instead of 0755. Contact your hosting provider to confirm the correct values for your environment. Use the HMW_DIR_PERMISSION and HMW_FILE_PERMISSION constants to adjust.
Can’t update WordPress or install plugins after setting wp-config.php to 0444
The 0444 permission makes wp-config.php read-only, which is the secure setting. If WordPress or a plugin needs to write to wp-config.php (rare), temporarily change it to 0644 via FTP, make the update, then set it back to 0444. WP Ghost’s own settings don’t require writing to wp-config.php.
Permissions reset after a WordPress update
WordPress updates can reset file permissions to the server default. Run the Security Check again after any WordPress core update and use the “Fix it” button if needed.
Frequently Asked Questions
Why is 777 dangerous?
Permission 777 means every user on the server can read, write, and execute the file. On shared hosting, this means other accounts on the same server could modify your files. Even on dedicated servers, if an attacker exploits any vulnerability, they can write to any 777 file, injecting malicious code into core WordPress files or stealing your database credentials.
Do I need WP Ghost Premium for this?
The one-click fix through Security Check requires WP Ghost Premium. However, you can fix permissions manually using FTP or cPanel without any plugin. The correct values (755 for directories, 644 for files, 444 for wp-config.php) are the same regardless of the method.
Does this work with WooCommerce?
Yes. WooCommerce files follow the same permission requirements as all WordPress files. The standard 755/644 permissions are compatible with WooCommerce functionality including uploads, downloads, and order processing.
Does WP Ghost modify WordPress core files?
For this specific feature, WP Ghost changes the permission attributes on files and directories. It doesn’t modify file content. Permission changes are metadata operations handled by the operating system, not edits to the files themselves.
Related Tutorials
Server-level security and hardening:
- Website Security Check – The tool that detects and fixes permission issues along with 38 other security tasks.
- Change Database Prefix – Another server-level security fix available through Security Check.
- Prevent Hack Attacks – The complete WP Ghost security overview.
- WP Ghost Constants in wp-config.php – All wp-config.php constants including permission overrides.