Permission Code: 644 Standard File Permissions for WordPress
644 gives **read/write access** to the owner, and **read-only access** to group and others.

```
rw-r--r--
```

This is the **default and recommended** file permission mode for WordPress files on a VPS.
It ensures files are editable by the site owner but not by the public or other system users.
Technical Structure
| No | Role | Bits | Access | Allowed? |
|---|---|---|---|---|
| 1 | Owner | rw- | read/write | ✅ |
| 2 | Group | r-- | read only | ✅ |
| 3 | Others | r-- | read only | ✅ |
Behavior
- Owner can edit and modify files
- Group and everyone else can read, but not modify
- Safe for theme files, plugin files, core files, PHP files
This mode prevents unauthorized changes while ensuring WordPress and the web server can read files to render pages.
WordPress Use Cases
| No | Location | Suitability | Reason |
|---|---|---|---|
| 1 | Theme files | ✅ | editable by owner, readable by server |
| 2 | Plugin files | ✅ | prevents malicious modification |
| 3 | WordPress core files | ✅ | recommended by WP security |
| 4 | PHP files in public WP path | ✅ | safe, required baseline |
| 5 | wp-config.php | ❌ | needs stricter permission (600) |
Why 644 Works for WordPress
- Web server only needs to **read** files, not write
- Prevents write access from unauthorized users
- Avoids accidental permission escalations
- Meets hosting and security best practices
This is the **security default** across professional WP infrastructures.
Commands for WordPress VPS
Apply 644 to ALL files
```bash
# The semicolon must be escaped so the shell passes it to find
find . -type f -exec chmod 644 {} \;
```
Secure config file separately
```bash
chmod 600 wp-config.php
```
Recommended directory permissions
```bash
# The semicolon must be escaped so the shell passes it to find
find . -type d -exec chmod 755 {} \;
```
When to Use 644
| No | Scenario | Use 644 | Reason |
|---|---|---|---|
| 1 | Single-site VPS | ✅ | best security-to-function balance |
| 2 | Managed hosting | ✅ | default WP convention |
| 3 | Standard WP file install | ✅ | works out-of-the-box |
| 4 | CI/CD pipelines | ✅ | unless auto-write needed |
| 5 | Shared server with unknown users | ✅ | restrict write access |
When NOT to Use 644
| No | Scenario | Avoid | Reason |
|---|---|---|---|
| 1 | wp-config.php | ❌ | should be 600 |
| 2 | Uploads folder files (temporary write phase) | ❌ | WordPress needs write access while uploading; 644 is still OK as the final state |
| 3 | Private scripts or SSH files | ❌ | may require 600 or 700 |
Example Correct Application on WordPress
```bash
cd /var/www/your-site/
# Directories first, then files, then tighten the config file
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 600 wp-config.php
```
Also ensure ownership is correct:
```bash
chown -R wpuser:www-data .
```
Real Troubleshooting Notes
| No | Issue | Cause | Remedy |
|---|---|---|---|
| 1 | WP can't write config/plugins | normal with 644 | use wp-cli or SFTP to edit |
| 2 | Plugin editor can't save | security by default | edit via SFTP or raise perms temporarily |
| 3 | Uploads fail | directory perms issue, not file perms | fix with 755 directories |
Exercise
- Apply 644 to all files in a test WP directory
- Try editing via SFTP (allowed)
- Try editing as a public user (denied)
- Confirm integrity via:

```bash
stat wp-settings.php
```

Expected:

```
Access: (0644/-rw-r--r--)
```
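
The `stat` check above covers one file. As an added example (not part of the original page), this read-only script checks a whole tree against the page's 644 / 755 / 600 scheme and also flags anything world-writable. The function names `audit_wp_perms` and `wp_perms_ok` are hypothetical, and GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of a WordPress
# tree against this page's modes. Assumes GNU stat (-c), as on most Linux VPSes.

# Print one line per deviation; prints nothing when the tree matches.
audit_wp_perms() (
    root="${1:-.}"
    root="${root%/}"                 # "site/" -> "site" so paths compare cleanly
    config="$root/wp-config.php"

    # Regular files (except the root wp-config.php) that are not exactly 644.
    find "$root" -type f ! -path "$config" ! -perm 644 \
        -exec stat -c 'FILE %a %n (want 644)' {} +

    # Directories that are not exactly 755.
    find "$root" -type d ! -perm 755 \
        -exec stat -c 'DIR %a %n (want 755)' {} +

    # The root wp-config.php must be 600.
    if [ -f "$config" ]; then
        find "$config" ! -perm 600 -exec stat -c 'CONFIG %a %n (want 600)' {} +
    fi

    # Anything writable by "others" is the case 644/755 exists to prevent.
    find "$root" \( -type f -o -type d \) -perm -0002 \
        -exec stat -c 'WORLD-WRITABLE %a %n' {} +
)

# Succeeds only when the audit reports nothing (usable in cron or CI checks).
wp_perms_ok() {
    [ -z "$(audit_wp_perms "$1")" ]
}

# Run directly: sh audit.sh /var/www/your-site
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

A `CONFIG` line means `wp-config.php` is looser than 600. Mode 600 is readable only by the file's owner, so it fits setups where PHP runs as that owner.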
Key Takeaways
| No | Rule | Status |
|---|---|---|
| 1 | 644 is standard WP file permission | ✅ |
| 2 | Owner writes, others read only | ✅ |
| 3 | Public cannot modify files | ✅ |
| 4 | Works with Nginx / OLS / Apache | ✅ |
| 5 | Must secure wp-config.php separately (600) | ✅ |
Summary:
For all WordPress files: 644
For directories: 755
For wp-config.php: 600