Securing WordPress File Permissions and Configuration Without Breaking Your Site

Learn practical, low-risk steps to lock down WordPress file permissions and configuration files so your site stays secure without constant developer help.

Why File Permissions and Configuration Security Matter

Most successful WordPress hacks don’t start with Hollywood-style “brute force” attacks. They usually exploit weak file permissions, unsafe upload folders, or exposed configuration files. When attackers can write or execute files on your server, they can often take over the entire site.

WordPress itself provides guidance on safe file permissions and hardening techniques, but many site owners never touch them because they’re afraid of breaking something.

This guide walks you through practical, low-risk steps you can take (or ask your host to take) to secure your WordPress file system and configuration.

Before You Change Anything: Safety First

  • Take a full backup (files + database) using your hosting panel or your usual backup plugin.
  • Confirm you have restore access (hosting control panel, backup dashboard, or Compass Production support).
  • Plan a quiet time window in case you need 15–30 minutes to revert a change.

Recommended WordPress File Permission Basics

File permissions control who can read, write, and execute files on your server. WordPress’s own hardening guide recommends a simple baseline:

  • Files: 644 (readable by everyone, writable only by the owner)
  • Directories: 755 (enterable by everyone, writable only by the owner)

These values are a good balance between security and compatibility for most shared hosting environments.

How to Check and Fix Permissions via Hosting File Manager

  1. Log in to your hosting control panel (cPanel, Plesk, or custom dashboard).
  2. Open File Manager and navigate to your WordPress root folder (often public_html or a subfolder).
  3. Right-click the WordPress folder and choose Change Permissions or similar.
  4. For folders (directories):
    • Set permissions to 755.
    • Apply changes recursively to directories only (your file manager usually has this option).
  5. For files:
    • Set permissions to 644.
    • Apply changes recursively to files only.

What You Should See

  • Your site loads normally on the front end.
  • You can still log in to /wp-admin and edit content.
  • Media uploads (images, PDFs) still work.

If anything breaks (for example, you can’t upload media), restore from backup or contact support and mention the exact permission values you changed.

Locking Down Sensitive WordPress Files

Some files are especially attractive to attackers because they contain configuration, credentials, or routing logic. These should be tightly controlled:

  • wp-config.php – database credentials, security keys, and salts
  • .htaccess (on Apache) or web.config (on IIS) – rewrite rules, access control
  • /wp-admin/ and /wp-includes/ – core logic that should almost never be writable by the web server

Recommended Settings

  • wp-config.php: 400 or 440 if your host allows it (these only work when PHP runs as the same user that owns the file); otherwise 640 is acceptable.
  • .htaccess: 444 (read-only) once your permalinks are set and stable.
  • /wp-admin/ and /wp-includes/: keep at 755 for directories, 644 for files, owned by your user, not world-writable.

WordPress recommends that only the minimal set of files be writable by the web server process, usually within /wp-content/.
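The file-manager procedure above and the sensitive-file settings in this section can also be done from the command line. The following script is an added example, not part of the original guide: it applies the 644/755 baseline, tightens wp-config.php and .htaccess, and prints whatever still deviates so you can see the result before and after. It assumes you are logged in over SSH as the user that owns the WordPress files, with GNU or BSD find, chmod and stat available; the site path is a placeholder.

```bash
#!/bin/sh
# Added example, not part of the original guide: apply the 644/755 baseline
# from the command line, tighten wp-config.php and .htaccess, and list what
# still deviates. Assumes you are logged in over SSH as the user that owns the
# WordPress files and have GNU or BSD find/chmod/stat available.

# Print a path's permission bits as octal (GNU stat first, then BSD stat).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Baseline from the guide: directories 755, files 644. Symlinks are left alone
# because find -type d / -type f does not match them.
wp_apply_baseline() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Sensitive files sit below the baseline. 640 is the portable choice for
# wp-config.php (400/440 only work when PHP runs as the file owner).
# .htaccess goes read-only (444) once permalinks are settled, since WordPress
# then has no reason to rewrite it.
wp_tighten_sensitive() {
  root="$1"
  [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
  [ -f "$root/.htaccess" ] && chmod 444 "$root/.htaccess"
  return 0
}

# Audit: print every path that is world-writable, every directory that is not
# 755, and every file that is not 644 (the two deliberately tightened files
# are excluded). An empty result means the tree matches the guide's baseline.
wp_audit_perms() {
  root="$1"
  {
    find "$root" -perm -002
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -perm 644 ! -name wp-config.php ! -name .htaccess
  } | sort -u
}

# Convenience wrapper for scripts and cron jobs: number of deviating paths.
wp_audit_count() {
  wp_audit_perms "$1" | wc -l | tr -d ' '
}

# Usage against a real site (placeholder path):
#   wp_audit_perms /path/to/public_html      # see what is off before touching it
#   wp_apply_baseline /path/to/public_html
#   wp_tighten_sensitive /path/to/public_html
#   wp_audit_count /path/to/public_html      # 0 when the tree matches the baseline
```

Run the audit first and keep its output; if the media library stops working afterwards, that list tells you exactly which paths changed, which is the information support will ask for.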

Moving wp-config.php (Optional)

On many hosts, you can move wp-config.php one directory above the web root so it’s not directly web-accessible. WordPress will still find it automatically as long as it’s in the parent directory of your installation folder.

If you’re not comfortable with file moves, ask your host or Compass Production support to do this for you.

Securing Uploads and User-Generated Files

Upload directories are a common attack path. If an attacker can upload a script and then execute it, they can often take over the server. OWASP recommends disabling execution in upload folders and strictly validating file types.

Practical Steps for WordPress

  1. Limit where files can be uploaded
    • By default, WordPress uses /wp-content/uploads/. Avoid plugins that create additional writable folders unless necessary.
  2. Disable script execution in uploads (Apache)
    • Inside /wp-content/uploads/, create or edit a .htaccess file with rules that deny execution of PHP and other scripts. Your host or developer can add a standard rule set for this.
  3. Keep upload folders non-executable
    • Ensure directories are 755 and files 644; never 777.
  4. Review plugins that accept file uploads
    • Contact form, membership, or LMS plugins that accept file uploads should be kept updated and configured to restrict file types to what you truly need.
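Step 2 leaves the "standard rule set" to your host or developer. The script below is an added example, not part of the original guide or of WordPress itself: it writes such a rule set into /wp-content/uploads/.htaccess and lists any script-like files already in the uploads tree, which is also the check behind the monthly "review uploads for unusual files" item at the end of this guide. It assumes Apache 2.4 with AllowOverride enabled for the directory (on Apache 2.2 the line would be "Deny from all" instead of "Require all denied"); on nginx or IIS the equivalent rule belongs in the server configuration.

```bash
#!/bin/sh
# Added example, not part of the original guide: write a deny-script rule set
# into the uploads folder and list script-like files already sitting there.
# Assumes Apache 2.4 with AllowOverride enabled for the uploads directory.

# Apache 2.4 rules. The trailing (\.|$) in the pattern also covers double
# extensions such as image.php.jpg, which some PHP handler configurations
# would otherwise hand to the interpreter.
UPLOADS_HTACCESS='# Refuse to serve script-like files from the uploads tree.
<FilesMatch "\.(php[0-9]?|phtml|phar|cgi|pl|py|sh)(\.|$)">
    Require all denied
</FilesMatch>
'

# Write the rules (replacing any earlier copy) and make the file read-only,
# matching the 444 the guide recommends for .htaccess.
wp_write_uploads_htaccess() {
  dir="$1"
  rm -f "$dir/.htaccess"
  printf '%s' "$UPLOADS_HTACCESS" > "$dir/.htaccess"
  chmod 444 "$dir/.htaccess"
}

# True when the uploads .htaccess carries the deny rule; use it in the
# monthly routine to confirm the file has not been removed or overwritten.
wp_uploads_protected() {
  grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# List script-like files under uploads. A clean media library prints nothing;
# anything listed deserves a look (and usually removal) before the next backup.
wp_scan_uploads() {
  find "$1" -type f ! -name .htaccess \( \
    -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \
    -o -name '*.php.*' -o -name '*.cgi' -o -name '*.pl' -o -name '*.py' \
    -o -name '*.sh' \) -print
}

# Count for scripts and cron jobs: 0 means nothing suspicious was found.
wp_scan_uploads_count() {
  wp_scan_uploads "$1" | wc -l | tr -d ' '
}

# Usage against a real site (placeholder path):
#   wp_scan_uploads /path/to/public_html/wp-content/uploads
#   wp_write_uploads_htaccess /path/to/public_html/wp-content/uploads
#   wp_uploads_protected /path/to/public_html/wp-content/uploads && echo protected
```

After writing the file, confirm the "What You Should See" items below: an image upload through the Media Library must still succeed, because the rule only affects how files are served, not whether they can be stored.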

What You Should See

  • Media Library uploads continue to work.
  • Any forms that upload files still function as expected.
  • No change to normal front-end behavior.

Protecting wp-config.php with Strong Security Keys

Your wp-config.php file contains eight security keys and salts that protect login cookies and sessions. Rotating these keys periodically helps invalidate stolen cookies and reduce the impact of certain attacks.

How to Safely Refresh Security Keys

  1. Back up your site.
  2. Open wp-config.php in your hosting file manager’s code editor.
  3. Locate the lines that start with define('AUTH_KEY', define('SECURE_AUTH_KEY', and so on (eight lines in total).
  4. In a new browser tab, open the official WordPress secret key generator.
  5. Copy the entire block of generated define() lines.
  6. Paste them over the existing key and salt lines in wp-config.php and save.
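If you have shell access, the same rotation can be scripted so it is repeatable. The script below is an added example, not part of the original guide and not the WordPress generator: it produces the eight values locally from /dev/urandom and rewrites the define() lines in place, keeping a backup and the file's existing permissions. It assumes the stock single-quoted define('AUTH_KEY', '...'); form with one definition per line, and a placeholder path.

```bash
#!/bin/sh
# Added example, not part of the original guide: regenerate the eight keys and
# salts in wp-config.php with random bytes from /dev/urandom instead of pasting
# from the web generator. Assumes the stock define('NAME', 'value'); form, one
# definition per line, and that a temporary copy can be written beside the file.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 characters of base64 from 48 random bytes. Base64 never contains a quote
# or backslash, so the value can be dropped straight into a PHP string.
wp_random_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Read the current value of one define(), so before/after can be compared.
wp_get_define() {
  awk -v q="'" -v n="$2" '
    $0 ~ ("^[[:space:]]*define\\(" q n q) { split($0, a, q); print a[4]; exit }
  ' "$1"
}

# Replace one define() line; every other line passes through unchanged.
# The temporary file is created with umask 077, and cp onto the existing
# wp-config.php keeps its permissions (for example 640) rather than the umask default.
wp_set_define() {
  file="$1"; name="$2"; value="$3"
  ( umask 077; awk -v q="'" -v n="$name" -v v="$value" '
      $0 ~ ("^[[:space:]]*define\\(" q n q) { print "define(" q n q ", " q v q ");"; next }
      { print }
    ' "$file" > "$file.tmp" ) &&
  cp "$file.tmp" "$file" && rm -f "$file.tmp"
}

# Rotate all eight, taking a backup first (step 1 of the guide) so a bad edit
# can be reverted by copying wp-config.php.bak back into place.
wp_rotate_salts() {
  cfg="$1"
  cp -p -- "$cfg" "$cfg.bak"
  for name in $WP_SALT_NAMES; do
    wp_set_define "$cfg" "$name" "$(wp_random_secret)"
  done
}

# Usage against a real site (placeholder path):
#   wp_rotate_salts /path/to/public_html/wp-config.php
```

As the guide says, every logged-in session is invalidated the moment the file is saved, so run it when you are ready to log back in; delete wp-config.php.bak once you have confirmed the login works, since it still holds the old keys.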

What You Should See

  • You will be logged out of WordPress on all devices (this is expected).
  • Logging back in with your username and password works normally.
  • No change to the front end of the site.

Using Safe Automatic Updates Without Losing Control

Many serious WordPress compromises come from outdated plugins and themes. Security teams and hosting providers strongly recommend keeping all components updated and enabling automatic security updates where possible.

Balanced Approach to Auto Updates

  • Enable automatic minor and security updates for WordPress core (this is the default on most installs).
  • Consider automatic updates for trusted plugins that are actively maintained and widely used.
  • Keep a few critical plugins on manual updates if they deeply affect layout or checkout, and test them on staging first.

Some update manager plugins can help you allow only minor and patch updates while holding back major versions until you’ve tested them.

What You Should See

  • In Dashboard → Updates, you’ll see fewer “Update now” notices because minor updates apply automatically.
  • Your site continues to function normally after scheduled updates.
  • Your backup system runs regularly so you can roll back if a rare bad update slips through.

Quick Maintenance Routine You Can Reuse

To keep your file system and configuration secure without constant deep dives, follow this simple monthly routine:

  • Confirm backups are running and restorable.
  • Check that file permissions still match the 644/755 baseline.
  • Review /wp-content/uploads/ for unusual files or folders.
  • Verify wp-config.php and .htaccess haven’t been modified unexpectedly (many hosts show last-modified dates).
  • Apply any pending plugin or theme updates, starting with security and maintenance releases.

If anything feels unclear or risky, pause and contact Compass Production support. It’s always better to ask before changing low-level settings than to fix a preventable security incident later.
