Having the right chmod settings for your WordPress files and folders not only makes your WordPress blog secure but also allows its features to function smoothly. This includes the right permissions for search engine bots, proper generation and updating of sitemaps, etc.
One of my blogs suddenly stopped working following a couple of FTP uploads the day before yesterday. It took me a good half an hour before I figured out that the .htaccess file on my root had a chmod value of 640, which prevented external access to the site. That experience is what prompted me to write this little WordPress blog tip post. By the way, if you don’t know what chmod is, it is nothing but a command/value that sets the read/write/execute permissions on files and folders for different types of users.
WordPress File Permissions
The following picture shows the right file and folder chmod settings for important files in your WordPress blog installation directory. You can set the chmod for any file or folder either using the File manager or your FTP client. If you are using cPanel file manager, you can mark the files and use the “Change Permissions” option to set chmod on any file or folder.
Explanation for WordPress chmod settings
Folders (e.g. Downloads in the above picture)
By default, all folders should have a chmod of 755 to allow accessing and executing the files in subfolders. Write access, however, is given only to the logged-in ‘user’. Most of the time, installers mark all folders 755, which is the right setting.
Next, set a chmod of 644 on all your WordPress files starting with ‘wp-’ (the exceptions are covered in the next section).
The wp-config file is a very important one, as it contains your login information and password in encrypted form. The best chmod setting for wp-config is 640, which prevents any outsider from writing to your config file.
The .htaccess file should have a chmod setting of 644, as 640 would prevent anybody from accessing your site, including you.
The robots.txt file is probably the most important file for your site’s visibility to search engines. To allow access to search engine bots while preventing anybody from writing to it, your robots.txt must be set to chmod 755.
sitemap.xml & sitemap.xml.gz
Ideally, the sitemap is updated automatically by your sitemap generator plugins or relevant CMS modules. To allow this update, these two files should be set to chmod 666.
The above settings, when combined with the right folder access permissions mentioned in the robots.txt file, help to secure your WordPress blog. Of course, there are security scanning plugins available, but you don’t necessarily need such tools if you take care of the above settings. Further, avoiding the default folder name and the default user for WP installations will help secure WordPress blogs.
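As an added example (not part of the original post), the shell script below audits a WordPress directory against the chmod values listed in this post and reports every file or folder whose mode deviates. The function names and the sample tree are constructed for illustration, and the file names wp-config.php and .htaccess are assumed to be the ones the post refers to.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the modes listed in this post.
# Function names are hypothetical; the sample tree below is constructed.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the mode this post gives for a path, or nothing if it gives none.
expected_mode() {
    if [ -d "$1" ]; then echo 755; return; fi
    case "$(basename "$1")" in
        wp-config.php)               echo 640 ;;
        .htaccess)                   echo 644 ;;
        robots.txt)                  echo 755 ;;
        sitemap.xml|sitemap.xml.gz)  echo 666 ;;
        wp-*)                        echo 644 ;;
    esac
}

# List every path under $1 whose mode differs from the post's value,
# one per line as "path actual expected". Symlinks are not followed.
audit_wp() {
    find "$1" \( -type d -o -type f \) | while IFS= read -r p; do
        want=$(expected_mode "$p")
        [ -n "$want" ] || continue
        have=$(mode_of "$p")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$p" "$have" "$want"
    done
}

# Build a constructed sample tree (not a real installation) with two
# deliberate deviations, and print its path.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/wp-content"
    touch "$d/wp-config.php" "$d/.htaccess" "$d/robots.txt" \
          "$d/sitemap.xml" "$d/wp-login.php" "$d/readme.html"
    chmod 755 "$d" "$d/wp-content" "$d/robots.txt"
    chmod 640 "$d/wp-config.php" "$d/.htaccess"   # .htaccess deliberately wrong
    chmod 666 "$d/sitemap.xml"
    chmod 664 "$d/wp-login.php"                   # deliberately wrong
    echo "$d"
}

tree=$(demo_tree) && { audit_wp "$tree"; rm -rf "$tree"; }
```

To check a real installation, call `audit_wp` with the installation directory instead of the sample tree; an empty result means every listed file matches the values above.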