File permissions are one of the most misunderstood aspects of WordPress server administration, and incorrect permissions are a leading cause of both security vulnerabilities and frustrating “permission denied” errors. On a Linux server, every file and directory has three permission sets: owner, group, and others — and each set can grant read (r, value 4), write (w, value 2), and execute (x, value 1). The three-digit octal notation you see in commands like chmod 755 represents the combined values for owner, group, and others respectively. For WordPress specifically, the recommended permissions are 755 for directories (owner can read/write/execute; group and others can read and navigate) and 644 for files (owner can read/write; group and others can only read). The wp-config.php file should be 600 or 640 so only the owner can read it. The uploads directory needs to be writable by the web server process (usually the www-data user on Ubuntu/Debian) so WordPress can save uploaded media. A common misconfiguration is setting everything to 777 (world-writable) to “fix” a permissions error — this grants any script on the server write access to your files, making malware injection trivially easy. If you manage your server via SSH, the essential Linux commands guide covers the basic navigation and file management commands you need. The snippet below shows how to correct permissions recursively from the SSH command line.
Problem: WordPress files and directories have incorrect permissions causing either upload errors or a security vulnerability, and you need to fix them from the command line.
Solution: Run the following commands via SSH from your WordPress root directory:
# Navigate to WordPress root
cd /var/www/html
# ── Fix directory permissions (755) ─────────────────────────────────────────
find . -type d -exec chmod 755 {} \;
# ── Fix file permissions (644) ───────────────────────────────────────────────
find . -type f -exec chmod 644 {} \;
# ── Harden wp-config.php ─────────────────────────────────────────────────────
chmod 640 wp-config.php
# ── Make uploads writable by the web server user ─────────────────────────────
# Replace www-data with your web server user (apache on CentOS/RHEL)
chown -R www-data:www-data wp-content/uploads
chmod -R 755 wp-content/uploads
# ── Verify permissions ───────────────────────────────────────────────────────
ls -la wp-config.php
ls -la wp-content/uploads/
# ── Common permission reference ──────────────────────────────────────────────
# 644 = rw-r--r-- = owner:read+write, group:read, others:read
# 755 = rwxr-xr-x = owner:all, group:read+exec, others:read+exec
# 640 = rw-r----- = owner:read+write, group:read, others:none
# 600 = rw------- = owner:read+write, group:none, others:none
# ── Check current owner and group of a file ───────────────────────────────────
stat -c '%U %G %a' wp-config.php
# Output: www-data www-data 640NOTE: If you are on shared hosting and do not have SSH access, check whether your hosting panel (cPanel, Plesk) provides a file manager with a permission editor. On managed WordPress hosts (WP Engine, Kinsta, Pressable), file permissions are managed by the platform and you typically cannot change them directly — if you encounter a permission error, contact support. Never use chmod 777 in production, even as a temporary fix; an attacker with any shell access can write arbitrary PHP files to your installation.