
Change .htaccess Permission to Read Only (444)

Set your .htaccess file permissions to 444 (read-only) on Linux/Unix servers, or mark it as Read-Only on Windows servers, so that a compromised plugin, theme or upload script cannot quietly rewrite your server configuration. The .htaccess file controls critical Apache and LiteSpeed behavior including URL rewrites, access controls, and security headers. If an attacker gains write access to this file, they can redirect your visitors, inject malicious code, or disable WP Ghost’s path security entirely. Setting it as read-only is a simple hardening step that adds a meaningful barrier against the most common write attempts without affecting normal site operation.

Why Set .htaccess to Read Only

Many WordPress hacks involve modifying .htaccess to inject redirect rules, allow access to malicious files, or disable security measures. Common attack patterns include adding rewrites that send your visitors to phishing sites, adding handler rules that let .php (or renamed) files execute directly from /uploads/, or removing WP Ghost’s path security rules. By making the file read-only, even if an attacker compromises a plugin or theme, they cannot modify .htaccess through the standard PHP file write functions (file_put_contents, fopen/fwrite): those calls fail with a permission error. The web server can still read the file normally; only writes are refused.
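As an added example (not part of the WP Ghost documentation or plugin), the following POSIX shell script flags the directive types the paragraph above describes: RewriteRule or Redirect lines that send visitors to an external host, handler directives that make Apache run PHP for other extensions, and php_value auto_prepend_file loaders, a common way to inject code into every request. The sample .htaccess it scans is constructed inline. The patterns are a heuristic of mine, not a signature set, and will also match some legitimate hosting configurations, so treat a hit as a line to read, not as proof of compromise.

```shell
#!/bin/sh
# Added example: heuristic scan of an .htaccess file for the kinds of
# injected directives described above. Not WP Ghost code; the patterns
# are assumptions about common malware, not a signature set.

# suspicious_directives FILE
# Prints "lineno:line" for each line matching one of the patterns.
# Exit status is always 0 so the output can be piped or counted.
suspicious_directives() {
    grep -nE \
        -e 'RewriteRule[[:space:]].*https?://' \
        -e 'Redirect(Match)?[[:space:]].*https?://' \
        -e 'ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://' \
        -e '(AddHandler|AddType|SetHandler)[[:space:]].*php' \
        -e '^[[:space:]]*php_(value|flag)[[:space:]]+auto_(prepend|append)_file' \
        "$1" || true
}

# count_suspicious FILE -> number of flagged lines
count_suspicious() {
    suspicious_directives "$1" | wc -l | tr -d ' '
}

# sample_htaccess: a constructed file, the stock WordPress block followed
# by three injected lines (mobile redirect, PHP execution for .jpg,
# prepend loader). Not taken from any real incident.
sample_htaccess() {
    cat <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]
AddHandler application/x-httpd-php .jpg
php_value auto_prepend_file /tmp/.loader.php
EOF
}

# stand-alone demo: scan the constructed sample
demo() {
    f=$(mktemp)
    sample_htaccess > "$f"
    echo "flagged lines: $(count_suspicious "$f")"
    suspicious_directives "$f"
    rm -f "$f"
}
```

Run it against the real file with suspicious_directives /path/to/wordpress/.htaccess; a stock WordPress block and WP Ghost’s own rules produce no hits because they rewrite to local paths only.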

Apache and LiteSpeed Servers (Linux/Unix)

On Linux and Unix systems (which run most Apache and LiteSpeed servers), file permissions are octal mode bits set with chmod: read = 4, write = 2, execute = 1, summed separately for the owner, the group and everyone else. The recommended permission for .htaccess is 444:

  • 4 = read for owner
  • 4 = read for group
  • 4 = read for others

Nobody can write to or execute the file through the normal permission checks: the web server reads it as before, and PHP scripts (including malware running through a compromised plugin) get a “Permission denied” error when they try to write. Two limits are worth knowing. First, mode bits only constrain processes that are neither root nor the file’s owner; on hosts where PHP runs as your own account (suPHP or per-user PHP-FPM, which is typical on shared hosting), malware can call chmod() to set the file back to 644 and then write. Second, deleting or replacing a file is governed by the directory’s permissions, not the file’s, so a writable WordPress root still lets an attacker remove .htaccess and create a new one. If you have root and an ext4 or XFS filesystem, chattr +i .htaccess makes the file immutable for everyone, owner included, and chattr -i removes the flag when a plugin legitimately needs to write. Otherwise treat 444 as a barrier that stops naive write attempts rather than a hard lock.

Method 1: Change Permissions via FTP

This is the most common method for users without shell access.

  1. Connect to your server with an FTP client like FileZilla or WinSCP. Use SFTP or FTPS where your host offers it; plain FTP sends your password in clear text.
  2. Navigate to your WordPress root directory.
  3. Find the .htaccess file. If you don’t see it, enable “Show hidden files” in your FTP client settings (in FileZilla: Server > Force showing hidden files).
  4. Right-click .htaccess and select File Permissions (or File Attributes).
  5. Enter 444 in the numeric value field, or check only the three “Read” boxes (Owner, Group, Public).
  6. Click OK to apply.

Method 2: Change Permissions via cPanel File Manager

If your hosting provider uses cPanel, you can change permissions through the File Manager without needing an FTP client.

  1. Log in to cPanel.
  2. Open File Manager.
  3. Click Settings in the top right and check Show Hidden Files (dotfiles), then click Save.
  4. Navigate to your WordPress root directory (usually public_html).
  5. Right-click the .htaccess file and select Change Permissions.
  6. Set the permission value to 0444 or check only the three “Read” boxes (User, Group, World).
  7. Click Change Permissions.
[Screenshot: cPanel .htaccess permission change menu]

Method 3: Change Permissions via SSH

If you have SSH access to your server, this is the fastest method.

  1. Connect to your server via SSH.
  2. Navigate to your WordPress root directory:
     cd /path/to/your/wordpress/
  3. Set the permissions to 444:
     chmod 444 .htaccess
  4. Verify the change:
     ls -l .htaccess

You should see something like -r--r--r-- at the start of the line, which means read-only for owner, group, and others.
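The SSH steps above, and the temporary unlock-to-644 workflow the later sections describe, as an added POSIX shell example that is not WP Ghost code. Besides setting and verifying the mode, it checks the two conditions under which 444 alone does not hold: the current user owning the file (a PHP process running as that user can chmod it back) and the directory being writable (the file can be deleted and recreated). It assumes GNU coreutils for stat -c; on BSD/macOS substitute stat -f %Lp. The site directory it runs on is a constructed temporary one.

```shell
#!/bin/sh
# Added example, not WP Ghost code: lock .htaccess to 0444, verify it, and
# report the two cases the mode bits do not cover. Assumes GNU coreutils
# (stat -c '%a' and '%u').
set -u

# mode_of FILE -> octal permission bits as a string, e.g. "444"
mode_of() {
    stat -c '%a' "$1"
}

# lock_htaccess DIR -> 0 only if DIR/.htaccess is now exactly 0444
lock_htaccess() {
    chmod 444 "$1/.htaccess" && [ "$(mode_of "$1/.htaccess")" = "444" ]
}

# unlock_htaccess DIR -> 0 only if DIR/.htaccess is now 0644, the mode
# WP Ghost and other plugins need while they save rules
unlock_htaccess() {
    chmod 644 "$1/.htaccess" && [ "$(mode_of "$1/.htaccess")" = "644" ]
}

# append_refused DIR -> 0 if an ordinary append (what PHP's
# file_put_contents with FILE_APPEND does) is rejected by the kernel.
# Root bypasses mode bits, so this is only meaningful for a normal user.
append_refused() {
    if (printf '# injected\n' >> "$1/.htaccess") 2>/dev/null; then
        return 1
    fi
    return 0
}

# owner_can_revert DIR -> 0 if the current user owns the file, meaning a
# PHP process running as this user could chmod it to 644 and write anyway
owner_can_revert() {
    [ "$(stat -c '%u' "$1/.htaccess")" = "$(id -u)" ]
}

# replace_possible DIR -> 0 if the directory is writable, which allows
# unlinking .htaccess and creating a fresh one without touching the old file
replace_possible() {
    [ -w "$1" ]
}

# report DIR: print the lock state and any caveats that apply
report() {
    site=$1
    printf 'mode: %s\n' "$(mode_of "$site/.htaccess")"
    if append_refused "$site"; then echo 'append: refused'; else echo 'append: allowed'; fi
    if owner_can_revert "$site"; then echo 'caveat: this user owns the file and can chmod it back'; fi
    if replace_possible "$site"; then echo 'caveat: directory is writable, file can be deleted and recreated'; fi
}

# stand-alone demo on a constructed site directory
demo() {
    site=$(mktemp -d)
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$site/.htaccess"
    lock_htaccess "$site" && report "$site"
    unlock_htaccess "$site"   # temporary 644 while a plugin saves rules
    lock_htaccess "$site"     # back to 444 afterwards
    rm -rf "$site"
}
```

On a typical shared host both caveats print, which is exactly why the FAQ below calls this one layer of defense rather than a complete fix.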

Windows Servers (IIS)

On Windows Server, file permissions work differently than on Linux. There are two separate controls: the Read-only attribute, which is only advisory (any process that has write permission can clear it), and the NTFS access control list, which is what Windows actually enforces. Set both.

  1. Open File Explorer and navigate to your website’s document root.
  2. Right-click the configuration file, .htaccess for Apache on Windows or web.config for IIS, and select Properties.
  3. On the General tab, check the Read-only attribute checkbox.
  4. Click the Security tab.
  5. For the identities the site runs under, grant Read & Execute only and remove Write and Modify. On IIS that means IUSR (anonymous requests) and the application pool identity, which by default is a virtual account named IIS AppPool\<pool name>; for Apache on Windows it is the account the Apache service runs as. Leave Administrators with Full Control so you can still edit the file yourself.
  6. Click Apply, then OK.
[Screenshot: Windows file properties Read-Only setting on an IIS server]

IIS uses web.config: If your Windows server runs pure IIS (without Apache), the equivalent of .htaccess is web.config. Apply the same Read-Only attribute and security restrictions to web.config instead. WP Ghost writes its rewrite rules to web.config on IIS servers.

Important Considerations

Important: When .htaccess is read-only, WP Ghost cannot automatically save new rewrite rules. Before making changes to WP Ghost settings (changing paths, switching modes, etc.), temporarily revert the permissions to 644 with chmod 644 .htaccess or via FTP/cPanel. After saving your WP Ghost changes, set it back to 444.

Other plugins that write to .htaccess are also affected by this:

  • Cache plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache) – they write rewrite rules for browser caching and Gzip compression.
  • Security plugins (Wordfence, Solid Security) – they write firewall and access control rules.
  • Redirect plugins (Redirection, Yoast SEO Premium) – they write 301 redirect rules.

Plan ahead: configure all plugins fully before locking the file, and revert to 644 temporarily when you need to make changes.

Troubleshooting

WP Ghost shows “.htaccess not writable” notification

This is expected when the file is set to 444. To save WP Ghost changes, temporarily change permissions to 644: chmod 644 .htaccess, save your settings in WP Ghost, then change back to 444: chmod 444 .htaccess.

Cannot find .htaccess in FTP or File Manager

Files starting with a dot are hidden by default. In FileZilla, go to Server > Force showing hidden files. In cPanel File Manager, click Settings and check Show Hidden Files (dotfiles). The file should now appear.

.htaccess file doesn’t exist at all

WordPress only creates .htaccess if you’ve set up pretty permalinks and Apache mod_rewrite is enabled. Go to Settings > Permalinks and click Save Changes – this triggers WordPress to create the file. If it still doesn’t appear, check that AllowOverride All is set on your server (see Set AllowOverride All).

If the file exists but is missing rules, you may have set the permissions before WordPress finished writing all the necessary rules. Change permissions to 644, go to Settings > Permalinks, click Save Changes to regenerate the file, then set permissions back to 444.

Cannot change permissions – “Operation not permitted”

You don’t own the file. Contact your hosting provider for assistance, or use SSH with sudo if you have root access: sudo chmod 444 .htaccess. The same error on a file you do own usually means it carries the immutable attribute (lsattr .htaccess shows an i in the flags); clear it with chattr -i .htaccess before changing the mode.

Frequently Asked Questions

What about 444 vs 440 vs 400?

444 is read for everyone (owner, group, others) and is the most compatible. 440 limits read access to the owner and group, and 400 to the owner only. Both only work if the web server process is the owner (400) or in the owner’s group (440); where Apache or LiteSpeed runs as a separate account (nobody, www-data, apache) that is not the file owner, it can no longer read .htaccess and requests fail with a 403 or 500 and a “Permission denied” entry for .htaccess in the error log. Use 444 unless you have verified which user the web server runs as and have a specific reason to be more restrictive.

Should I lock other files too?

Yes. wp-config.php should also be locked down (typically to 440 or 400 since the web server still needs to read it but no one else does). Most security guides recommend 644 for general WordPress files and 755 for directories. WP Ghost includes a File Permissions tool that scans and fixes permissions across your entire WordPress installation.
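To check a whole installation against the baseline this answer states (644 for files, 755 for directories, 444 for .htaccess, 400 or 440 for wp-config.php), here is an added POSIX shell audit of mine; it is not WP Ghost’s File Permissions tool and does not change anything, it only reports deviations. It assumes GNU find and stat, and paths without embedded newlines. The test tree it runs against is constructed.

```shell
#!/bin/sh
# Added example, not WP Ghost code: report every file or directory in a
# WordPress tree whose mode differs from the recommended baseline.
# Assumes GNU find/stat; paths containing newlines are not handled.
set -u

# mode_ok PATH MODE -> 0 if MODE is acceptable for PATH under the baseline
mode_ok() {
    case "$1" in
        */.htaccess)     [ "$2" = "444" ] ;;
        */wp-config.php) [ "$2" = "400" ] || [ "$2" = "440" ] ;;
        *)               [ "$2" = "644" ] ;;
    esac
}

# audit_perms ROOT: print one line per deviation, "DIR mode path" or
# "FILE mode path (want ...)". Prints nothing when the tree is clean.
audit_perms() {
    root=$1
    find "$root" -type d ! -perm 755 | while IFS= read -r d; do
        printf 'DIR  %s %s (want 755)\n' "$(stat -c '%a' "$d")" "$d"
    done
    find "$root" -type f | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        if ! mode_ok "$f" "$mode"; then
            case "$f" in
                */.htaccess)     want=444 ;;
                */wp-config.php) want="400 or 440" ;;
                *)               want=644 ;;
            esac
            printf 'FILE %s %s (want %s)\n' "$mode" "$f" "$want"
        fi
    done
}

# audit_count ROOT -> number of deviations, for scripts and cron alerts
audit_count() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# stand-alone demo on a constructed tree with two deliberate deviations
demo() {
    site=$(mktemp -d); chmod 755 "$site"
    mkdir "$site/wp-content"; chmod 777 "$site/wp-content"   # too open
    printf 'x' > "$site/index.php"; chmod 644 "$site/index.php"
    printf 'x' > "$site/.htaccess"; chmod 644 "$site/.htaccess"  # not locked
    printf 'x' > "$site/wp-config.php"; chmod 440 "$site/wp-config.php"
    audit_perms "$site"
    echo "deviations: $(audit_count "$site")"
    rm -rf "$site"
}
```

Run audit_perms /path/to/wordpress after locking the file, and again after any plugin update, since updaters frequently recreate files with the uploading user’s umask rather than the baseline.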

Do I need to do this on managed hosting?

Managed WordPress hosts (Kinsta, WP Engine, Flywheel, SiteGround) typically handle file permissions at the platform level and may not let you change them, or may run nginx without any .htaccess at all. If you cannot change the mode, check the host’s documentation or ask support how configuration files are protected rather than assuming they are.

Does this stop all hacks targeting .htaccess?

No. Read-only permissions stop PHP-based attacks that try to modify the file through standard file write functions, provided the PHP process is not the file’s owner (an owner can change the mode back) and the directory is not writable to it (a writable directory lets the file be deleted and recreated). They do nothing against attackers who gain SSH access, root, or your hosting account credentials. This is one layer of defense; combine it with strong passwords, 2FA, hosting-level security, and regular backups.

Does WP Ghost modify WordPress core files?

No. WP Ghost writes to .htaccess (a config file, not a core file) and uses WordPress hooks for application-level changes. No core files are modified. The .htaccess file is part of your site’s configuration and is allowed to be modified by plugins for legitimate purposes.

John Darrel