Security

Linux File Permissions: Keeping Your Hosting Account Secure

by dotCanada Team
Linux File Permissions: Keeping Your Hosting Account Secure

Every file and directory on a Linux server has a set of permissions that controls who can read it, write to it, or execute it. Get these wrong and you create security vulnerabilities that attackers actively look for. Get them right and you eliminate a whole category of potential exploits.

If you run a WordPress site on cPanel hosting, this matters directly to you.

The Three Permission Types

Linux permissions are built around three actions:

  • Read (r): View the contents of a file, or list the contents of a directory
  • Write (w): Modify or delete a file, or create/delete files within a directory
  • Execute (x): Run a file as a program, or enter/traverse a directory

And three groups of users:

  • Owner: Usually your cPanel user account - the account that owns the files
  • Group: Other users in the same group as the file owner
  • Others (World): Everyone else - other users on the server, web visitors, processes running as nobody/apache

Reading Permission Numbers

Permissions are commonly displayed as a three-digit number. Each digit represents one group (owner, group, others) and is the sum of the values for each permission:

  • Read = 4
  • Write = 2
  • Execute = 1

So:

  • 7 = read + write + execute (4+2+1)
  • 6 = read + write (4+2)
  • 5 = read + execute (4+1)
  • 4 = read only

The most common permission sets you will encounter:

755 - Owner can read, write, execute. Group and others can read and execute. Standard for directories.

644 - Owner can read and write. Group and others can read only. Standard for files.

777 - Everyone can read, write, and execute. This is the dangerous one.

Correct WordPress Permissions

WordPress has a specific recommended permission structure. Get this wrong and you either lock WordPress out of its own files or you open the door to malicious file modifications.

Files: 644 WordPress files should be readable by the web server but writable only by your owner account. This includes all .php files, your wp-config.php, .htaccess, and all theme and plugin files.

Directories: 755 WordPress directories need to be executable so the web server can traverse them. The web server can read and enter, but only the owner can write to them.

wp-config.php: 640 or 600 This file contains your database credentials. Lock it down tighter - 640 means group can read but others cannot; 600 means only the owner can read or write it. Either is better than 644 for this specific file.

Never use 777 on anything in a web-accessible directory. When every user on the server can write to a file, a compromised account anywhere on the server can modify your files. On shared hosting, this is a genuine risk.

How to Check and Change Permissions in cPanel

Using File Manager:

  1. Log into cPanel and open File Manager
  2. Navigate to your website's root directory (usually public_html)
  3. Right-click on a file or folder and select Change Permissions
  4. A permission grid appears - check or uncheck boxes to adjust, or type the number directly
  5. For directories, check Recurse into subdirectories and select Apply to directories only to fix all directory permissions at once, then repeat with Apply to files only for file permissions

Using Terminal (if you have SSH access):

To fix WordPress file permissions recursively:

find /home/yourusername/public_html -type f -exec chmod 644 {} \;
find /home/yourusername/public_html -type d -exec chmod 755 {} \;
chmod 640 /home/yourusername/public_html/wp-config.php

Common Permission Problems

WordPress cannot write to wp-content/uploads. WordPress needs write access to the uploads directory to save uploaded images and files. If uploads are failing, check that the /wp-content/uploads/ directory is set to 755 (or temporarily 775 if 755 is not sufficient - never go to 777).

Plugin and theme automatic updates failing. WordPress updates files during automatic plugin updates and needs write access to those directories. If this is failing, the issue is usually that file ownership (not just permissions) is mismatched - the web server cannot write files owned by a different user.

Files set to 777 by a plugin installer. Some poorly configured install scripts set permissions to 777 for convenience. If a plugin or theme installation asked you to set directories to 777, set them back to 755 immediately after installation is complete.

Concerned about your hosting security setup? dotCanada's support team can help you audit your file permissions and harden your hosting account against common vulnerabilities.

#security#linux#file-permissions#wordpress#cpanel

Related Articles

Cloud Backup Strategies for Your Website: Beyond the Hosting Backup
Security

Cloud Backup Strategies for Your Website: Beyond the Hosting Backup

Hosting backups are a safety net with a hole in it. Here is how to build a real backup strategy that protects your site even if your server burns down.

Read more →
How to Back Up Your Website Using cPanel Backup Tools
Security

How to Back Up Your Website Using cPanel Backup Tools

Backups are the safety net every website needs. cPanel includes powerful backup tools that make it straightforward to protect your files, databases, and email data - and to restore everything quickly if the unexpected happens.

Read more →
SSL Certificates and HTTPS: Securing Your Website on Shared Hosting
Security

SSL Certificates and HTTPS: Securing Your Website on Shared Hosting

SSL certificates are no longer optional - they protect your visitors, build trust, and affect your Google search rankings. This guide explains what SSL is and shows you how to enable HTTPS on your shared hosting account quickly and for free.

Read more →

100% Satisfaction Guarantee

We're so confident you'll love dotCanada that we offer a 30-day money-back guarantee. Not satisfied? Get a full refund, no questions asked.

Ready to Get Started?

Join thousands of Canadian website owners who trust dotCanada for reliable, fast web hosting.

Get Started Today