Fix incorrect WordPress file and directory permissions in one click through WP Ghost’s Security Check, or manually via FTP or cPanel. Incorrect permissions are one of the most common server-level security issues. If directories are set to 777 or files are world-writable, attackers who exploit a plugin vulnerability can modify any file on your server, including wp-config.php. WP Ghost detects incorrect permissions during a Security Check and offers a one-click fix that sets directories to 0755, files to 0644, and config files to 0444. This is a Premium feature. The FTP and cPanel methods work without WP Ghost.
File permissions control who can read, write, and execute files on your server. On a WordPress site, three types of users interact with files: the server owner (your hosting account), the web server process (Apache/Nginx), and everyone else. When permissions are too open (e.g., 777), any process on the server can modify your files. If an attacker exploits a vulnerability in any plugin, they can inject malicious code into core files, steal database credentials from wp-config.php, or install backdoors. Correct permissions limit what each user can do, containing the damage even if a vulnerability exists.
WordPress recommends these permission values for a secure installation:
Directories: 0755 – The owner can read, write, and execute. The web server group and others can read and execute (needed to serve files) but cannot modify.
Files: 0644 – The owner can read and write. The web server group and others can read only (needed to serve content) but cannot modify.
Config files (wp-config.php): 0444 – Read-only for everyone. This prevents any process from modifying your database credentials and security keys, even if a vulnerability is exploited.
The fastest method. WP Ghost detects incorrect permissions during a Security Check and fixes them in one click.
If you prefer to fix permissions manually or don’t have WP Ghost Premium, use an FTP client like FileZilla:
wp-config.php in the root folder. Right-click, select File permissions, and set it to 444. Click OK.
If your hosting uses cPanel, you can modify permissions directly through the File Manager:
index.php) and choose Change Permissions. Set to 644. Repeat for all files.
wp-config.php to 444.
cPanel limitation: The cPanel File Manager doesn’t have a “recurse into subdirectories” option like FTP clients. You’ll need to set permissions on each directory individually, or use the Terminal feature in cPanel to run a bulk command: find /path/to/wordpress -type d -exec chmod 755 {} \; for directories and find /path/to/wordpress -type f -exec chmod 644 {} \; for files. The second command also sets wp-config.php to 644, so set that file back to 444 afterwards.
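For the Terminal route, an added example (not WP Ghost's code): it audits a tree against the 755/644/444 values before changing anything, lists world-writable entries, then applies the fix, including wp-config.php. The function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit first, then fix. Paths and function names are illustrative.

# Build a small constructed WordPress-like tree with two deliberate mistakes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"; : > "$t/wp-config.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-content"
    chmod 644 "$t/index.php" "$t/wp-content/uploads/a.jpg"
    chmod 777 "$t/wp-content/uploads"   # wrong: world-writable directory
    chmod 666 "$t/wp-config.php"        # wrong: world-writable config file
    printf '%s\n' "$t"
}

# Print every path whose mode differs from the recommended value.
audit_wp_perms() {
    root=${1%/}
    find "$root" -type d ! -perm 755 -exec printf 'dir  (want 755): %s\n' {} \;
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 \
        -exec printf 'file (want 644): %s\n' {} \;
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 444 \
            -exec printf 'conf (want 444): %s\n' {} \;
    fi
}

# List anything writable by "others" (symlinks always show 777, so skip them).
list_world_writable() {
    find "${1%/}" ! -type l -perm -002
}

# Apply 755 to directories, 644 to files, then 444 to wp-config.php last,
# because the bulk file pass would otherwise leave it at 644.
fix_wp_perms() {
    root=${1%/}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 444 "$root/wp-config.php"; fi
}

# Usage: audit_wp_perms /path/to/wordpress   (review the output, then)
#        fix_wp_perms   /path/to/wordpress
```

Running the audit again after the fix should print nothing; any remaining line points at a path the current user does not own.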
If your hosting environment requires different permission values, you can override the defaults WP Ghost uses by adding constants to your wp-config.php file.
Custom file permissions (default is 0644):
define( 'HMW_FILE_PERMISSION', 0640);
Custom directory permissions (default is 0755):
define( 'HMW_DIR_PERMISSION', 0750);
These constants change what WP Ghost applies when you click “Fix it” in the Security Check. Adjust the values to match your hosting provider’s requirements. Common alternatives include 0640 for files (no read access for “others”) and 0750 for directories (no access for “others”).
The web server may need slightly different permissions for your hosting configuration. Some shared hosting providers require 0750 for directories instead of 0755. Contact your hosting provider to confirm the correct values for your environment. Use the HMW_DIR_PERMISSION and HMW_FILE_PERMISSION constants to adjust.
The 0444 permission makes wp-config.php read-only, which is the secure setting. If WordPress or a plugin needs to write to wp-config.php (rare), temporarily change it to 0644 via FTP, make the update, then set it back to 0444. WP Ghost’s own settings don’t require writing to wp-config.php.
WordPress updates can reset file permissions to the server default. Run the Security Check again after any WordPress core update and use the “Fix it” button if needed.
Permission 777 means every user on the server can read, write, and execute the file. On shared hosting, this means other accounts on the same server could modify your files. Even on dedicated servers, if an attacker exploits any vulnerability, they can write to any 777 file, injecting malicious code into core WordPress files or stealing your database credentials.
The one-click fix through Security Check requires WP Ghost Premium. However, you can fix permissions manually using FTP or cPanel without any plugin. The correct values (755 for directories, 644 for files, 444 for wp-config.php) are the same regardless of the method.
Yes. WooCommerce files follow the same permission requirements as all WordPress files. The standard 755/644 permissions are compatible with WooCommerce functionality including uploads, downloads, and order processing.
For this specific feature, WP Ghost changes the permission attributes on files and directories. It doesn’t modify file content. Permission changes are metadata operations handled by the operating system, not edits to the files themselves.