Solving WordPress File Permission and Ownership Issues: A Secure Guide
Struggling with the infamous "Could not create directory" error when updating WordPress? You're not alone. File and folder permissions are one of the most common hurdles for new WordPress administrators, but they are also a critical component of your site's security. This guide will explain why these errors occur and walk you through the standard, secure way to resolve them.
Why Do WordPress Permission Errors Happen?
At its core, a WordPress installation is a collection of files and folders on a web server. Your web server software (like Apache or Nginx) runs as a specific system user (often www-data or apache). For WordPress to create files—such as when installing a plugin, updating a theme, or writing to wp-config.php during installation—this web server user must have the correct write permissions on the necessary directories.
These errors typically surface in two scenarios:
- Fresh Installations: Files were extracted or uploaded by a user (e.g., root) that is different from the web server user.
- Security Hardening: Permissions were tightened after installation, inadvertently removing the web server's ability to write to required locations.
The Standard, Secure Permission Scheme
Based on community best practices and official documentation, the following permission and ownership settings are recommended for a balance of functionality and security. These settings assume your web server's PHP process runs as the user www-data and group www-data (common on Debian/Ubuntu systems). Your specific user may differ (apache, nginx, etc.).
1. Correct Ownership
The most crucial step is ensuring the web server user owns the files. From the command line, navigate to your WordPress root directory and run:
sudo chown -R www-data:www-data /path/to/your/wordpress/install/
This command recursively sets the owner and group of all files and folders to the web server user. As noted in the threads, for enhanced security on servers hosting multiple sites, it is considered a best practice to create a unique system user for each site and configure PHP-FPM to run a separate pool for each.
2. Correct Permissions
Once ownership is correct, apply these standard permissions:
- All Files: 644 (-rw-r--r--)
- All Folders: 755 (drwxr-xr-x)
You can apply these permissions with these commands:
sudo find /path/to/wordpress/ -type d -exec chmod 755 {} \;
sudo find /path/to/wordpress/ -type f -exec chmod 644 {} \;
3. The wp-content Directory
The wp-content directory requires special attention because it needs to be writable for updates and uploads. The standard permissions above (755 for the folder) are often sufficient. However, if you continue to have issues, you can set the ownership specifically on this directory without changing the entire site:
sudo chown -R www-data:www-data /path/to/wordpress/wp-content/
What About Using 777? (Spoiler: Don't!)
It can be tempting to run chmod -R 777 to solve all permission problems, as one user did out of "desperation." This makes every file and folder writable by every user on the server. This is a significant security risk and should never be a permanent solution. It can make your site vulnerable to malware and unauthorized changes.
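To check an install against the scheme above (web server user as owner, 644 files, 755 folders) and to find anything a chmod -R 777 left behind, a read-only audit helps. The script below is an added example, not part of the original guide; the function name audit_wp_perms and its output labels are choices made for this sketch, and it checks only the owner, not the group.

```sh
#!/bin/sh
# Added example: read-only audit of a WordPress tree against the guide's scheme
# (owner = web server user, files 644, folders 755, nothing world-writable).
# audit_wp_perms is a name chosen for this sketch; it changes nothing on disk.
# Simplification: only the owner is checked, not the group.
#   $1 = WordPress root   $2 = expected owner (name or numeric uid, default www-data)
# Returns 0 if clean, 1 if deviations were printed, 2 if $1 is not a directory.
audit_wp_perms() {
    wp_root=$1
    wp_owner=${2:-www-data}
    if [ ! -d "$wp_root" ]; then
        echo "not a directory: $wp_root" >&2
        return 2
    fi
    wp_report=$(
        # Anything the "other" class can write to, e.g. leftovers of chmod -R 777.
        find "$wp_root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'world-writable %s\n' {} +
        # Files and folders that differ from 644 / 755 (world-writable ones are
        # already listed above, so they are skipped here).
        find "$wp_root" -type f ! -perm 644 ! -perm -0002 \
            -exec printf 'file-not-644 %s\n' {} +
        find "$wp_root" -type d ! -perm 755 ! -perm -0002 \
            -exec printf 'dir-not-755 %s\n' {} +
        # Entries not owned by the user the web server runs as.
        find "$wp_root" ! -user "$wp_owner" \
            -exec printf 'wrong-owner %s\n' {} +
    )
    if [ -z "$wp_report" ]; then
        return 0
    fi
    printf '%s\n' "$wp_report"
    return 1
}

# Run directly:  sh audit.sh /path/to/wordpress www-data
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$@"
fi
```

Each output line is a label followed by the path, so the result can be reviewed before any chown or chmod is applied.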
Alternative Solution: Using FTP/SSH Credentials
If you cannot or do not want to change system-level file ownership, WordPress can use FTP or SSH credentials to perform updates. When an update is requested, WordPress will prompt you for FTP/SFTP credentials and use those to write files. This allows the web server itself to run with fewer privileges. To enable this, you often need to define the connection details in your wp-config.php file.
Conclusion
Most WordPress file permission issues boil down to a mismatch between file ownership and the user the web server runs as. The secure solution is not to make everything world-writable but to ensure the correct user owns the files. By following the standard scheme of 755/644 permissions and www-data:www-data ownership (or a unique user per site), you can keep your site both functional and secure.
Related Support Threads
- Automatic updates without permissive permissions (https://wordpress.org/support/topic/automatic-updates-without-permissive-permissions/)
- Hoe pas je serverbronnen/PHP aan? [How do you adjust server resources/PHP?] (https://wordpress.org/support/topic/hoe-pas-je-serverbronnen-php-aan/)
- Correct folder & file permisson for WordPress (https://wordpress.org/support/topic/correct-folder-file-permisson-for-wordpress/)
- PHP handler type (https://wordpress.org/support/topic/php-handler-type/)
- How to set permissions and ownership after unzip (https://wordpress.org/support/topic/how-to-set-permissions-and-ownership-after-unzip/)
- Error while installing theme (https://wordpress.org/support/topic/error-while-installing-theme/)
- What is user account and web server process (https://wordpress.org/support/topic/what-is-user-account-and-web-server-process/)
- Installing WordPress on LAMP stack (https://wordpress.org/support/topic/installing-wordpress-on-lamp-stack/)
- WordPress and Lighttpd on a Raspberry (https://wordpress.org/support/topic/wordpress-and-lighttpd-on-a-raspberry/)
- Difference php_admin_value[memory_limit] and WP_MEMORY_LIMIT in wp-config (https://wordpress.org/support/topic/difference-php_admin_valuememory_limit-and-wp_memory_limit-in-wp-config/)
- www-data alternatives (https://wordpress.org/support/topic/www-data-alternatives/)
- how to disable chmod actions of wordpress updates via localhost host ftps (https://wordpress.org/support/topic/how-to-disable-chmod-actions-of-wordpress-updates-via-localhost-host-ftps/)
- Is htaccess working environment required for WordPress? (https://wordpress.org/support/topic/is-htaccess-working-environment-required-for-wordpress/)
- installing WordPress on a root-server Server: which PHP-Option should i choose? (https://wordpress.org/support/topic/installing-wordpress-on-a-root-server-server-wich-php-option-should-i-choose/)
- Unix vs Windows (https://wordpress.org/support/topic/unix-vs-windows/)
- When are CGI settings required for a wordpress install? (https://wordpress.org/support/topic/when-are-cgi-settings-required-for-a-wordpress-install/)
- WP_CACHE setting effects (https://wordpress.org/support/topic/wp_cache-setting-effects/)
- Can’t increase max upload limit! (https://wordpress.org/support/topic/cant-increase-max-upload-limit/)
- files permissions for only plugins & themes upload ? (https://wordpress.org/support/topic/files-permissions-for-only-plugins-themes-upload/)
- ZLIB Output Compression (https://wordpress.org/support/topic/zlib-output-compression/)
- Themes & Plugins (https://wordpress.org/support/topic/themes-plugins/)
- WP updates and file permissions (https://wordpress.org/support/topic/wp-updates-and-file-permissions/)
- Hashes with */ (https://wordpress.org/support/topic/hashes-with/)
- WordPress directories permission. (https://wordpress.org/support/topic/wordpress-directories-permission/)