
This page lists the officially recommended permissions from the WordPress Codex's "Changing File Permissions" page. It's not an interactive form — no calculation needed, it's a direct reference. Read the permissions from the table below, or copy the ready-made commands and run them on your server (SSH/terminal).

| Path | Recommended | Symbolic |
|---|---|---|
| All directories | 755 | drwxr-xr-x |
| All files | 644 | -rw-r--r-- |
| wp-config.php | 440 or 400 | -r--r----- |
| .htaccess | 644 | -rw-r--r-- |
| wp-content/ (must be writable by WP for uploads/plugin installs) | 755 | drwxr-xr-x |
| wp-content/uploads/ | 755 | drwxr-xr-x |
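# Directories 755, regular files 644
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
# wp-config.php: read-only for owner and group, no access for others
chmod 440 /path/to/wordpress/wp-config.php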

Why is 755/644 the right balance?

For the web server (Apache, Nginx/PHP-FPM) to read and serve your files, directories need to be executable/enterable (755) and files need to be readable (644). But these permissions deliberately leave out write access for others: another user or process running on a shared host cannot modify, delete, or inject malicious code into your files without permission. That's the balance between "the minimum access the server needs" and "protection against abuse."

wp-config.php is kept even tighter (440 or even 400) because it stores your database username and password in plain text. Removing read access for other (440), or for both group and other so that only the owner can read it (400), further reduces the risk of exposure — as long as the web server process is the file owner or a member of the correct group, otherwise the site won't work.

Never set permissions to 777. Some outdated tutorials suggest "getting a permission error? Set it to 777 and it'll work" — that's technically true but a dangerous shortcut, because it makes files writable by literally anyone on the system. On shared hosting, that means another account on the same server (or any compromised process) could inject malicious code into your files. The correct fix is almost never to loosen permissions — it's to make sure file ownership (owner/group) correctly matches the web server user.

The wp-content/uploads/ directory does need to stay writable by WordPress for media uploads, but that's achieved safely with the standard 755 permission by making sure the directory's ownership (or group) belongs to the web server user (e.g. www-data, apache) — not by loosening the permission to 777.
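
The table and the ownership advice above, turned into a read-only audit. This is an added example, not code from the page or from the WordPress Codex; the function names `wp_perm_audit` and `wp_perm_demo`, the finding labels and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the page: read-only audit of a WordPress tree
# against the recommended modes. Function names and labels are hypothetical.
wp_perm_audit() {
    root=${1:?usage: wp_perm_audit /path/to/wordpress}
    root=${root%/}
    cfg=$root/wp-config.php

    # Anything writable by "other" (the 777 case). Symlinks are skipped.
    find "$root" \( -type d -o -type f \) -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'
    # Directories should be exactly 755.
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR-NOT-755 /'
    # Files should be exactly 644; wp-config.php is checked separately.
    find "$root" -type f ! -path "$cfg" ! -perm 644 -print |
        sed 's/^/FILE-NOT-644 /'
    # wp-config.php should be 440 or 400.
    if [ -f "$cfg" ] &&
       [ -z "$(find "$cfg" \( -perm 440 -o -perm 400 \) -print)" ]; then
        echo "WP-CONFIG-NOT-440-OR-400 $cfg"
    fi
    # Mode alone is not enough: report owner:group of the writable paths so
    # they can be compared with the web server user (e.g. www-data, apache).
    for p in "$root/wp-content" "$root/wp-content/uploads"; do
        [ -d "$p" ] && ls -ld "$p" |
            awk -v p="$p" '{print "INFO owner=" $3 ":" $4 " " p}'
    done
    return 0
}

# Constructed sample tree with two deliberate deviations.
wp_perm_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php"; : > "$d/wp-config.php"
    : > "$d/wp-content/uploads/a.jpg"
    find "$d" -type d -exec chmod 755 {} \;
    find "$d" -type f -exec chmod 644 {} \;
    chmod 777 "$d/wp-content/uploads"   # the shortcut the page warns against
    # wp-config.php is left at 644 here; the page recommends 440 or 400.
    wp_perm_audit "$d" | sed "s|$d|.|"
    rm -rf "$d"
}
```

Output with no lines other than the `INFO` entries means the tree matches the table; the audit changes nothing on disk.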


