Recommended WordPress Server Directory and File Permissions

WordPress usually runs on Linux servers, and Linux gives us detailed control over directory and file permissions. If those permissions are set incorrectly, WordPress often starts behaving badly: uploads may fail, theme and plugin updates may stop working, and the built-in editors in the dashboard may no longer be able to save files.

Set the correct permissions for the WordPress site directory

For WordPress to work normally, the user running PHP-FPM needs read and write access to the site directory. For safety, other users usually only need read access. If the PHP-FPM user on your server is www, a common command looks like this:

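chown -Rf www:www /www/wwwroot/wpzhiku.com
chmod -Rf 775 /www/wwwroot/wpzhiku.com

The first command, chown, sets the owner: www:www is the user and group, and /www/wwwroot/wpzhiku.com is the site path. The second command, chmod, sets the permission mode to 775. chmod does not accept a user and group, so ownership and mode have to be set in two separate steps. In both commands, -R applies the change recursively to the files and directories under the path, and -f suppresses most error messages.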

Make the theme directory read-only

Sometimes you do not plan to edit or update the theme at all. In that case, setting the theme directory to read-only can prevent accidental changes from breaking the site.

chattr -R +i /www/wwwroot/wpzhiku.com/wp-content/themes

After that command runs, no one and no process can add, delete, or modify files in the theme directory until the immutable flag is removed. To unlock it later, change +i to -i.

Set permissions for the .ssh directory

The SSH daemon is very strict about permissions, especially around private keys. If the permissions are too loose, key-based login may fail because the private key is no longer considered safe.

  • The .ssh directory itself is usually set to 755 or 700.
  • id_rsa is the private key file and should normally be 600, because no other user should be able to read it.
  • id_rsa.pub and authorized_keys are usually set to 644, because others may read them but should not be able to modify them.
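
A read-only audit of the settings described above, as an added example that is not part of the original article: it lists entries in the site tree that are not owned by the PHP-FPM user or that other users can write to, and compares a .ssh directory with the modes in the list. It assumes Linux with GNU find and stat; the function names audit_site_tree, check_mode and audit_ssh_dir are hypothetical.

```shell
#!/bin/sh
# Added example: audit the permissions this page recommends.
# Assumes Linux with GNU find and stat; function names are hypothetical.

# Print entries under ROOT that are not owned by OWNER:GROUP or that users
# outside the owner and group can write to. Symlinks are skipped because
# their own mode bits are always 777.
audit_site_tree() {
    root=$1 owner=$2 group=$3
    find "$root" ! -type l \
        \( ! -user "$owner" -o ! -group "$group" -o -perm -0002 \) -print
}

# Report PATH if its octal mode is not in the space-separated ALLOWED list.
check_mode() {
    path=$1 allowed=$2
    [ -e "$path" ] || return 0      # a missing file is not a finding
    mode=$(stat -c '%a' "$path")
    case " $allowed " in
        *" $mode "*) return 0 ;;
    esac
    echo "$path: mode $mode, expected $allowed"
    return 1
}

# Check a .ssh directory against the modes listed above.
audit_ssh_dir() {
    dir=$1 rc=0
    check_mode "$dir" "700 755" || rc=1
    check_mode "$dir/id_rsa" "600" || rc=1
    check_mode "$dir/id_rsa.pub" "644" || rc=1
    check_mode "$dir/authorized_keys" "644" || rc=1
    return $rc
}

# Usage, with the paths and user from this page:
#   audit_site_tree /www/wwwroot/wpzhiku.com www www
#   audit_ssh_dir "$HOME/.ssh"
```

Both functions only read metadata, so they can run from cron or a deployment check; audit_ssh_dir returns a non-zero status when any mode differs.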

In short, correct permissions matter both for normal site operation and for server security. If permissions are too strict, WordPress features can stop working. If they are too loose, you introduce unnecessary security risks.

The best rule is the principle of least privilege: give each file and directory only the permissions required for normal operation, and nothing more.
