Every WordPress site runs on hundreds of files and folders, from your themes and plugins to sensitive configuration files like wp-config.php.
When these files have insecure permissions, they become open doors for hackers to:
- Inject malware.
- Modify your code.
- Steal sensitive data.
- Take over your site entirely.
Many WordPress installs have risky default permissions without users even knowing.
What Can Go Wrong with Wrong Permissions?
| Type of Permission Mistake | What It Can Lead To |
| --- | --- |
| Files set to 777 | Anyone can read, write, or execute your files |
| wp-config.php too open | Hackers can view DB credentials and keys |
| Uploads folder too open | Malware injections via disguised PHP scripts |
| Plugins/themes writable | Code injections during attacks |
How to Fix and Secure Permissions Automatically
With WordPress Manager by Softaculous, you can fix permission issues across your entire WordPress site in one click. The tool applies the recommended security settings.
How to Secure File and Directory Permissions via WordPress Manager
STEP 1: Log in to your cPanel.
There are three methods to log into your cPanel.
- Method 1: Log in to your cPanel directly.
- Method 2: Log in to your cPanel through your Customer Portal.
  Through your Customer Portal:
  - Log in to your Customer Portal.
  - Click on "Log in to cPanel".
- Method 3: Log in using the details sent to your email.
  Through your email:
  - When you purchase a hosting plan, your cPanel login details (including username, password, and cPanel URL) are automatically sent to your registered email address. Simply check your inbox (or spam folder), locate the email, and use the provided credentials to access your cPanel.
STEP 2: Locate the Software section and click on Softaculous Apps Installer.
STEP 3: Click the box for Installations.
An alternative is to select the “All Installations” icon from the menu in the upper-right corner.
STEP 4: Click the WordPress icon next to the installation you want to manage.
STEP 5: In WordPress Manager, select the website you want to secure.
STEP 6: Scroll to the Security Measures section.
STEP 7: Check the box for “Restrict access to files and directories”, and click on Apply.
Your files are now locked down with safe, secure permissions.
WordPress Manager automatically:
- Sets wp-config.php to 600 to protect DB access credentials.
- Applies 644 to all other PHP and config files.
- Secures folders with 755, keeping them functional but safe.
- Ensures no publicly writable files or folders exist.
- Prevents common file injection and overwrite vulnerabilities.
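To confirm the result from a shell or cron job, the added example below (not part of WordPress Manager or Softaculous) walks a WordPress directory and reports every entry that grants more than the modes listed above. The function names, the constructed sample tree and the report format are assumptions of this example.

```python
import os
import stat
import tempfile

# Maximum modes taken from the list above; stricter modes (e.g. 600) pass.
WP_CONFIG_MAX, FILE_MAX, DIR_MAX = 0o600, 0o644, 0o755

def audit_permissions(root):
    """Return sorted (relative path, mode, excess bits, world-writable) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            if stat.S_ISDIR(st.st_mode):
                allowed = DIR_MAX
            elif os.path.basename(path) == "wp-config.php":
                allowed = WP_CONFIG_MAX
            else:
                allowed = FILE_MAX
            mode = stat.S_IMODE(st.st_mode)
            excess = mode & ~allowed  # permission bits beyond the policy
            if excess:
                findings.append((os.path.relpath(path, root), mode, excess,
                                 bool(mode & stat.S_IWOTH)))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed WordPress-like tree with deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    dirs = {"wp-content": 0o755, "wp-content/uploads": 0o777}
    files = {"wp-config.php": 0o644, "index.php": 0o644, "readme.html": 0o600,
             "wp-content/uploads/photo.jpg": 0o666}
    for rel in dirs:
        os.mkdir(os.path.join(root, rel))
    for rel in files:
        open(os.path.join(root, rel), "w").close()
    for rel, mode in {**dirs, **files}.items():
        os.chmod(os.path.join(root, rel), mode)  # explicit chmod ignores umask
    return root

if __name__ == "__main__":
    for rel, mode, excess, world_writable in audit_permissions(build_sample_tree()):
        flag = "WORLD-WRITABLE" if world_writable else "too open"
        print(f"{rel}: mode {mode:o}, excess bits {excess:o} ({flag})")
```

Point `audit_permissions()` at the real installation path instead of the sample tree; an empty result means nothing exceeds the 600/644/755 policy.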
Will This Affect Your Website?
No. These are industry-standard permissions recommended by WordPress.org and top security experts. If any plugin or theme misbehaves after applying this fix (very rare), you can reverse the changes easily in the same panel.
Note: Always Scan for Permission Risks
After applying secure permissions:
- Use a security plugin or malware scanner to double-check.
- Avoid manually changing permissions via FTP unless you’re sure.
- Never set files or folders to 777, not even temporarily.
If you are not sure what your current permissions are, or you think you’ve accidentally changed something critical, kindly reach out to LyteHosting support.