WordPress chmod Settings

Having the right chmod settings for your WordPress files and folders not only makes your WordPress blog secure but also allows smooth functioning of its features. This includes the right permission for search engine bots, proper generation and updation of sitemaps etc.

One of my blogs suddenly stopped working following a couple FTP uploads day before yesterday. It took me a good half an hour before I figured out that the .htaccess file on my root had a chmod value of 640 which prevented external access of the site. That experience is what prompted me to write this little WordPress blog tip post. By the way, if you don’t know what chmod is, it is nothing but a command/value that sets the read/write/execute permission for files and folders for different types of users.

WordPress File Permissions

The following picture shows the right file and folder chmod settings for important files in your WordPress blog installation directory. You can set the chmod for any file or folder either using the File manager or your FTP client. If you are using cPanel file manager, you can mark the files and use the “Change Permissions” option to set chmod on any file or folder.

wordpress chmod

Explanation for WordPress chmod settings

Folders (e.g. Downloads in the above picture)

By default all folders should have a chmod of 755 to help with accessing and executing the sub folder files. However, writing is executed only to the logged in ‘user’. Most of the time, the installers mark all folders 755 which is the right setting.


Next, you have to mark all your WordPress files (exceptions below in the next section) starting with ‘wp-‘ and set a chmod of 644 to them.


This one is a very important file as it contains your login information and password in encrypted form. The best chmod setting for wp-config is 640 which prevents any outsider to write into your config file.


This file should have 644 chmod settings as 640 would prevent anybody from accessing your site, including you.


This is probably the most important file for your site’s visibility to search engines. In order to allow access to search engine bots but to prevent anybody from writing into it, your robots.txt must be on chmod 755.

sitemap.xml & sitemap.xml.gz

Ideally, the sitemap is something that is automatically updated by your sitemap generator plugins or relevant CMS modules. To help with this update, ideally these two files should be on chmod 666.

The above setting when clubbed with the right folder access permissions mentioned in the robot.txt file helps to secure your WordPress blog. Of course, there are security scanning plugins available, but you don’t necessarily need such tools if you can take care of the above settings. Further, avoiding default folder name and default user for WP installations will help secure WordPress blogs further.

Happy Blogging!


  1. Praveen Rajarao :

    Nice. Gave me a 2min review of all my settings, corrected the one on robot.

  2. I’ve always thought that the default chmod was the right one, as you would assume WP would have all the right settings when installing it to your site. Now I’m not so sure so I reckon I better go and check mine out.

    • @Sire, the funny thing is that some hosting services set lowest possible access rights whereas some others allow everything before you restrict the access. I am wondering why can’t they take care of this during installation itself.

  3. Great tips Ajith.

    Thanks. Today in the night, I will check this post again and check out the permissions of all the above things for my blogs and see if they are right. correct it otherwise.

    Thanks for this post!

  4. Ajith, I can’t figure out how to get into all the settings. I see the read-write thing, but can’t find the numbers.

    • @Mitch, are you using cPanel file manager or specific FTP client? File manager should show the numbers as described above. In some cases, even if it doesn’t show the numbers, just make sure that the read-write-execute properties as checked/unchecked as per the instruction.

  5. Not all is correct in this tuttorial! 666 for sitemap??? That makes it publicly writeable! Sitemap should be chmod 644

    And about .htaccess! it should have 644 as well since it must be executed…

    I do apologise for giving my own perspective but thought it could help…

    If I’m mistakeing please do tell since I’d like to set CHMOD settings as it should be.

    Best regards

    • @Leon, if sitemap is kept at 644, the Google XML sitemap plugin wouldn’t be able to build it I think, hence it needs to be 666 (The plugin author recommends 777 which I wouldn’t do)

      As for .htaccess, what I mentioned in the post is 644 🙂

      • Correction: I am sorry, it’s sufficient to keep 644 or 664 to sitemap as the world do not need to write to it 🙂 I shall correct the post on that. Thank you for notifying me on this. Well, in reality it is not a major security loop I guess.

        • 🙂 I’m trying to be usefull as your assistance was usefull for me! Best regards and we need to advice eachother 😉

  6. Thanx brother. I am so depressed today as one of subdomain was hacked today. i was searching for details about file permission and in your blog i have found it in detailed manner. Please write about total security of wordpress blog. Thanx in advance.

  7. Thanks Ajith, I modify my blog permission according your introduction, it final works.:)

  8. These guidelines roughly match the wp-codex guidelines, but if I set wp-config to 640, the entire site gets error 500, 644 makes it work. So…. not sure about this.

  9. thanks for the great instructions, i was hackd someone put some java script in my wp-config that but i removed it and changed my passwords and did the above, now i can sleep good 😀

  10. With wp-config chmod 640 the website wont work

Speak Your Mind