Safe and secure file permissions for WordPress

You are a CentOS server administrator and want to check what the correct WordPress permissions are, and which shell commands correct the file permissions of the installation, of .htaccess and of wp-config.php.

The correct file permissions for WordPress are as follows:

  • Directories: 755
  • Files: 644

Directories

Directories should be set to 755, which means that the owner (usually your web server user) has read, write, and execute permissions, while others have read and execute permissions. This ensures that your web server can read and write files in the directory, while everyone else can only read the files.

Files

Files should be set to 644, which means that the owner has read and write permissions, while others only have read permissions. This ensures that your web server can write to the files, while users can only read them.

.htaccess

The .htaccess file is a configuration file that allows you to customize the behavior of your WordPress installation. The correct permissions for the .htaccess file are 644. This ensures that your web server can read the file, while users cannot modify it.

wp-config.php

The wp-config.php file is the most important file in your WordPress installation. It contains your database connection details and other important settings. The correct permissions for the wp-config.php file are 400. This ensures that only your web server user can read the file.

These settings also give a security plugin the read and write access it needs in order to work properly.

Directory and Files Permissions

# Set all directories permissions to 755
sudo find . -type d -exec chmod 755 {} \;

# Set all files permissions to 644
sudo find . -type f -exec chmod 644 {} \;

Set the permissions for wp-config.php to 600 so that only wp-user can read this file and no one else. Permissions of 400 didn’t work for me with above file ownership.

sudo chmod 444 wp-config.php (Option)

sudo chmod 400 wp-config.php (Better)

Here are the shell commands you can use to set these permissions:

chmod -R 755 /path/to/wordpress
chmod 644 /path/to/wordpress/*.php /path/to/wordpress/.htaccess
chmod 400 /path/to/wordpress/wp-config.php

These commands set the permissions of all directories and files under /path/to/wordpress to 755, then set the top-level .php files and the .htaccess file to 644 (the .htaccess file has to be named explicitly, because a shell * glob does not match a leading dot). Finally they set the permissions of wp-config.php to 400.

Here are some additional tips for setting WordPress file permissions:

  • If you are using an FTP client to set file permissions, be sure to use the “recursive” option. This will ensure that the permissions are set for all files and directories in the specified directory.
  • If you are using the command line, be sure to use the “-R” option with the chmod command. This will also ensure that the permissions are set for all files and directories in the specified directory.
  • Be careful when setting file permissions. If the permissions are too restrictive, your web server may not be able to read or write files. If they are too permissive, users may be able to modify files that they should not be able to.
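The scheme above (directories 755, files 644, .htaccess 644, wp-config.php 400) as a script that applies it to a tree and then audits the tree for anything that deviates. This is an added example, not code from the original article; it assumes GNU or BSD find/chmod/stat and that it runs as the owner of the files (or via sudo). The sample tree it builds in demo mode is constructed, not a real site.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article): apply the permission scheme
# described above (directories 755, files 644, .htaccess 644, wp-config.php 400)
# to a WordPress tree and audit it for deviations. Assumes GNU or BSD
# find/chmod/stat and that you run it as the owner of the files (or via sudo).

# Octal mode of a path: GNU stat first, BSD/macOS stat as a fallback.
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Apply the scheme to the WordPress root given as $1.
apply_wp_perms() {
  local root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Directories first, so the tree stays traversable while files are fixed.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # Tighten the two files the article singles out.
  [ -f "$root/.htaccess" ] && chmod 644 "$root/.htaccess"
  [ -f "$root/wp-config.php" ] && chmod 400 "$root/wp-config.php"
  return 0
}

# Print every path under $1 whose mode deviates from the scheme.
# Returns 0 when the tree is clean, 1 when at least one deviation was found.
audit_wp_perms() {
  local root="$1" list p
  list=$(
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 400
  )
  [ -n "$list" ] || return 0
  printf '%s\n' "$list" | while IFS= read -r p; do
    printf 'unexpected mode %s on %s\n' "$(mode_of "$p")" "$p"
  done
  return 1
}

# Stand-alone usage: build a constructed sample tree in a temp dir with
# world-writable modes, audit it, fix it, and audit it again.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/uploads"
  touch "$demo/index.php" "$demo/.htaccess" "$demo/wp-config.php" "$demo/wp-content/uploads/a.jpg"
  chmod -R 777 "$demo"
  audit_wp_perms "$demo" || echo "-- before: deviations listed above"
  apply_wp_perms "$demo"
  audit_wp_perms "$demo" && echo "-- after: tree matches the scheme"
  rm -rf "$demo"
fi
```

Run it with `--demo` to see the before/after audit on the constructed tree, or source it and call `apply_wp_perms /path/to/wordpress` followed by `audit_wp_perms /path/to/wordpress`. The audit is the part worth keeping in a cron job: it exits non-zero as soon as a plugin, an FTP upload or a careless `chmod -R` leaves a world-writable file or a readable wp-config.php behind.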

Securing your WordPress admin area with .htaccess

Securing your WordPress admin area is crucial to protect your website from unauthorized access and potential attacks. One effective method is to restrict access based on IP addresses using the .htaccess file. This guide will explain how to secure the /wp-admin/ directory with .htaccess restrictions by IP.

Prerequisites:

  1. Access to a File Transfer Protocol (FTP) client: You’ll need an FTP client to connect to your website’s server and modify the .htaccess file. Popular FTP clients include FileZilla, Cyberduck, and File Transfer Agent.
  2. List of allowed IP addresses: Make a note of all the IP addresses that should be permitted access to the WordPress admin area. This typically includes your own IP address and any other devices or locations from which you regularly access the admin dashboard.

Steps:

  1. Locate the .htaccess file: The .htaccess file is typically located in the root directory of your WordPress installation. You can use your FTP client to access the root directory and locate the file.
  2. Download the existing .htaccess file: Before making any modifications, download the existing .htaccess file to your local computer. This will ensure you have a backup in case of any issues.
  3. Add IP access restrictions to the .htaccess file: Open the downloaded .htaccess file in a text editor. Because a <Files> section matches files, not directories, the restriction for /wp-admin/ has to live in the .htaccess file inside the wp-admin directory itself. Add the following code there, replacing “192.168.1.1” with your first allowed IP address:

# wp-admin/.htaccess (Apache 2.2 syntax, mod_authz_host)
Order deny,allow
Deny from all
Allow from 192.168.1.1

or, on Apache 2.4 (mod_authz_core), the new version:

# wp-admin/.htaccess
<RequireAll>
    Require ip 192.168.1.1
</RequireAll>

Where 192.168.1.1 is your IP address.

Repeat this block for each additional allowed IP address, replacing “192.168.1.1” with the respective IP address (equivalently, add one more “Allow from” line, or one more address on the “Require ip” line).

  4. Save the modified .htaccess file: Save the .htaccess file with the added IP access restrictions.
  5. Upload the modified .htaccess file to the server: Upload the modified .htaccess file back to the root directory of your WordPress installation using your FTP client.
  6. Verify IP access restrictions: After uploading the file, try accessing the WordPress admin area from different IP addresses. You should only be able to access the admin dashboard from the IP addresses specified in the .htaccess file.
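The same restriction, generated from an allow-list instead of typed by hand, so that every address is validated before it reaches the server and both the Apache 2.4 and the 2.2 syntax are emitted. This is an added example and not code from the original article; it assumes the rules go into the wp-admin directory's own .htaccess (a <Files> section cannot match a directory), that Apache 2.4 with mod_authz_core is the target, and that the 2.2 Order/Deny/Allow form is only needed as a fallback. It also keeps admin-ajax.php reachable, because that file lives in wp-admin but is called by front-end features for anonymous visitors.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article): generate wp-admin/.htaccess
# from an allow-list of IPv4 addresses or CIDR ranges. Assumptions: the rules go
# into the wp-admin directory's own .htaccess (a <Files> section cannot match a
# directory); Apache 2.4 with mod_authz_core is the target, and the 2.2
# Order/Deny/Allow form is emitted as a fallback inside <IfModule !mod_authz_core.c>.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4() {
  local ip="$1" prefix="" octet
  case "$ip" in *[!0-9./]*|'') return 1 ;; esac   # digits, dots and a slash only
  case "$1" in
    */*/*) return 1 ;;                               # more than one slash
    */*)
      prefix="${1#*/}"; ip="${1%%/*}"
      case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
      [ "$prefix" -le 32 ] || return 1 ;;
  esac
  case "$ip" in .*|*.) return 1 ;; esac             # leading or trailing dot
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the .htaccess content for the given allow-list to stdout.
render_wp_admin_htaccess() {
  local ip
  [ $# -gt 0 ] || { echo "usage: render_wp_admin_htaccess IP [IP...]" >&2; return 1; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid IPv4 address or CIDR: $ip" >&2; return 1; }
  done
  cat <<EOF
# wp-admin/.htaccess: only the listed addresses may reach the dashboard.
<IfModule mod_authz_core.c>
    Require ip $*
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
EOF
  for ip in "$@"; do
    printf '    Allow from %s\n' "$ip"
  done
  cat <<'EOF'
</IfModule>
# admin-ajax.php lives in wp-admin but serves front-end requests from
# anonymous visitors; keep it reachable or public site features break.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
}

# Write the rendered file to ROOT/wp-admin/.htaccess with mode 644 (ROOT = WordPress root).
install_wp_admin_htaccess() {
  local root="$1" content; shift
  [ -d "$root/wp-admin" ] || { echo "no wp-admin directory under $root" >&2; return 1; }
  content=$(render_wp_admin_htaccess "$@") || return 1
  printf '%s\n' "$content" > "$root/wp-admin/.htaccess"
  chmod 644 "$root/wp-admin/.htaccess"
}

# Stand-alone usage: print the file for the addresses given on the command line.
if [ "${1:-}" = "--render" ]; then
  shift
  render_wp_admin_htaccess "$@"
fi
```

`./script --render 192.168.1.1 10.0.0.0/24` prints the file; `install_wp_admin_htaccess /path/to/wordpress 192.168.1.1` writes it in place with the 644 mode the article recommends for .htaccess. Rendering to a variable before writing means a rejected address never leaves a truncated file behind, which would otherwise lock you out of, or open up, the dashboard.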

Additional Considerations:

  • If you frequently access the admin dashboard from different IP addresses, consider using a plugin like “WP-Ban” or “Wordfence” to dynamically manage IP restrictions based on your login activity.
  • While IP-based restrictions can provide an extra layer of security, it’s important to note that IP addresses can be spoofed or changed, potentially allowing unauthorized access. Employ additional security measures, such as strong passwords and two-factor authentication, to further protect your WordPress admin area.

I hope this helps!
