Correct file permissions for WordPress

#1
I've had a look over [here][1] but didn't find any details on the best file permissions. I also took a look at some of WordPress's forum's questions over [here too][2], but anybody that suggests 777 obviously needs a little lesson in security.

In short my question is this. What permissions should I have for the following:

1. root folder storing all the WordPress content
2. wp-admin
3. wp-content
4. wp-includes

and then all the files in each of those folders?


Reply

#2
Giving full access to all wp files to the `www-data` user (which is in this case the web server user) can be dangerous.
So rather do *NOT* do this:

    chown www-data:www-data -R *

It can be useful, however, at the moment when you're installing or upgrading WordPress and its plug-ins. But when you have finished, it's no longer a good idea to keep wp files owned by the web server.

It basically allows the web server to put or overwrite any file in your website.
This means that there is a possibility to take over your site if someone manages to use the web server (or a security hole in some .php script) to put some files in your website.

To protect your site against such an attack you should do the following:

> All files should be owned by your user account, and should be writable
> by you. Any file that needs write access from WordPress should be
> writable by the web server, if your hosting set up requires it, that
> may mean those files need to be group-owned by the user account used
> by the web server process.
>
> `/`
> ---
> The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
>
> `/wp-admin/`
> ------------
> The WordPress administration area: all files should be writable only by your user account.
>
> `/wp-includes/`
> ---------------
> The bulk of WordPress application logic: all files should be writable only by your user account.
>
> `/wp-content/`
> --------------
> User-supplied content: intended to be writable by your user account and the web server process.
>
> Within `/wp-content/` you will find:
>
> `/wp-content/themes/`
> ---------------------
> Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
>
> `/wp-content/plugins/`
> ----------------------
> Plugin files: all files should be writable only by your user account.
>
> Other directories that may be present with `/wp-content/` should be
> documented by whichever plugin or theme requires them. Permissions may
> vary.

Source and additional information:


Reply
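
The write-access model quoted in post #2 can be checked mechanically. The script below is an added example, not part of the thread or of WordPress; the function names, the finding labels and the `www-data` default are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Labels and the default web user are assumptions.
# audit_wp_perms ROOT [WEB_USER]: prints "<LABEL> <path>" per finding, returns 1 if any.
audit_wp_perms() {
    web_user=${2:-www-data}
    findings=$(
        cd "$1" || exit 2
        # Core code outside wp-content: writable by the owner only. .htaccess is
        # skipped because the quoted guidance lets WordPress write it.
        find . -path ./wp-content -prune -o \
            \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
            ! -path ./.htaccess -print | sed 's/^/CORE_WRITABLE /'
        if [ -d wp-content/plugins ]; then   # plugins: same rule as core
            find wp-content/plugins \( -type f -o -type d \) \
                \( -perm -020 -o -perm -002 \) -print | sed 's/^/PLUGIN_WRITABLE /'
        fi
        if [ -d wp-content ]; then
            # Group write may be needed elsewhere in wp-content; world write never is.
            find wp-content -path wp-content/plugins -prune -o \
                \( -type f -o -type d \) -perm -002 -print | sed 's/^/WORLD_WRITABLE /'
        fi
        # Paths outside wp-content owned by the web server account can be
        # rewritten by it whatever the mode bits say.
        if id "$web_user" >/dev/null 2>&1; then
            find . -path ./wp-content -prune -o -user "$web_user" -print |
                sed 's/^/CORE_OWNED_BY_WEB /'
        fi
    ) || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree so the audit can be tried offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-admin" "$t/wp-includes" "$t/wp-content/plugins/demo" \
        "$t/wp-content/uploads"
    chmod 755 "$t" "$t/wp-admin" "$t/wp-includes" "$t/wp-content" \
        "$t/wp-content/plugins" "$t/wp-content/plugins/demo"
    chmod 775 "$t/wp-content/uploads"      # group-writable uploads: allowed
    touch "$t/index.php" "$t/wp-admin/admin.php" "$t/wp-content/plugins/demo/demo.php"
    chmod 644 "$t/index.php" "$t/wp-content/plugins/demo/demo.php"
    chmod 664 "$t/wp-admin/admin.php"      # group-writable core file: flagged
    echo "$t"
}
```

Run it as `audit_wp_perms /path/to/site` after an install or upgrade; an empty result with exit status 0 means core and plugin code is writable by the owning account only.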

#3
I think the below rules are recommended for a default WordPress site:

- For folders inside wp-content, set 0755 permissions:

      chmod -R 0755 plugins
      chmod -R 0755 uploads
      chmod -R 0755 upgrade

- Let the apache user be the owner of the above directories of wp-content:

      chown apache uploads
      chown apache upgrade
      chown apache plugins

Reply

#4
For those who have their WordPress root folder under their home folder:

** Ubuntu/apache

1. Add your user to www-data group:

CREDIT [Granting write permissions to www-data group][1]

You want to call `usermod` on your user. So that would be:

    sudo usermod -aG www-data yourUserName

** Assuming `www-data` group exists

2. Check your user is in `www-data` group:

`groups yourUserName`

You should get something like:

    yourUserName : yourUserGroupName www-data

** yourUserGroupName is usually similar to your user name

3. Recursively change group ownership of the wp-content folder keeping your user ownership

`chown yourUserName:www-data -R youWebSiteFolder/wp-content/*`

4. Change directory to youWebSiteFolder/wp-content/

`cd youWebSiteFolder/wp-content`

5. Recursively change group permissions of the folders and sub-folders to enable write permissions:

`find . -type d -exec chmod 775 {} \;`

** mode of `/home/yourUserName/youWebSiteFolder/wp-content/' changed from 0755 (rwxr-xr-x) to 0775 (rwxrwxr-x)

6. Recursively change group permissions of the files and sub-files to enable write permissions:

`find . -type f -exec chmod 664 {} \;`

The result should look something like:

    WAS:
    -rw-r--r-- 1 yourUserName www-data 7192 Oct 4 00:03 filename.html
    CHANGED TO:
    -rw-rw-r-- 1 yourUserName www-data 7192 Oct 4 00:03 filename.html

Equivalent to:

    chmod -R ug+rw foldername

Permissions will be like 664 for files or 775 for directories.

P.S. If anyone encounters the error `'could not create directory'` when updating a plugin, do:

`server@user:~/domainame.com$ sudo chown username:www-data -R wp-content`

when you are at the root of your domain.

Assuming: **`wp-config.php`** has

[FTP credentials on LocalHost][2]

`define('FS_METHOD','direct');`



Reply

#5
I can't tell you whether or not this is correct, but I am using a Bitnami image over Google Compute App Engine. I was having problems with plugins and migration, and after further messing things up by chmod'ing permissions, I found these three lines which solved all my problems. Not sure if it's the proper way, but it worked for me.

    sudo chown -R bitnami:daemon /opt/bitnami/apps/wordpress/htdocs/
    sudo find /opt/bitnami/apps/wordpress/htdocs/ -type f -exec chmod 664 {} \;
    sudo find /opt/bitnami/apps/wordpress/htdocs/ -type d -exec chmod 775 {} \;

Reply

#6
Correct permissions for the file is 644
Correct permissions for the folder is 755

To change the permissions, use the terminal and the following commands.

    find foldername -type d -exec chmod 755 {} \;
    find foldername -type f -exec chmod 644 {} \;

755 for folders and 644 for files.
Reply


