On Linux servers, file permissions play a crucial role in both site security and functionality. Incorrectly configured permissions can expose a site to attacks or, conversely, break normal operation. Every web developer and site owner needs to understand the chmod command and the main permission combinations. The Sayt.uz technical support team receives daily questions about permissions, and this article covers the most common cases.
How Linux permissions work
For every file or folder, permissions are set for three user groups: owner, group, others. Each group has three operation types: read, write, execute. Permissions are expressed numerically: read = 4, write = 2, execute = 1. These numbers add up: 7 = 4+2+1 (full permissions), 6 = 4+2 (read and write), 5 = 4+1 (read and execute), 4 = 4 (read only). Three digits are written sequentially, for example 755 means 7 for owner, 5 for group, 5 for others.
644 — standard for files
For regular site files (HTML, CSS, JS, PHP, images), the standard permission is 644. This gives the owner read and write (6) and group and others only read (4). This combination allows visitors to view the site but they cannot modify files. Only the owner (FTP user) can edit files. This is the safest and standard option, suitable for almost all web files. WordPress also recommends exactly these permissions.
755 — for folders and executable files
For folders the standard permission is 755: full access for the owner (7 = read, write, enter), read and enter (5) for group and others. For folders, execute means the ability to enter; for regular files, it means executing a script. Bash scripts and CGI files also use 755. In WordPress, public_html and all folders inside should have 755. Recursive setup: find /path/to/site -type d -exec chmod 755 {} \;
777 — dangerous, not recommended
The 777 permission grants full access to all users. This should never be used because any user, including malicious code, can modify the file. Many beginners set 777 on all files to fix "my site does not work" — this is a serious mistake. If the site needs broader permissions, 755 or 775 is sufficient. 777 is often flagged by hosting companies as a source of infection and the account may be suspended.
Strict permissions for sensitive files
Files containing confidential data need stricter permissions. The wp-config.php file in WordPress stores the database password, so 600 or even 400 is recommended. 600 means read and write only for the owner with no rights for others. Files like .env and .htpasswd should be protected similarly. Such restrictions ensure these files cannot be accessed externally and dramatically improve security.
Sayt.uz practice
For Sayt.uz hosting customers, file permissions are configured correctly automatically. In the File Manager section of the dashboard you can view and change permissions of any file or folder. If you accidentally set 777 on all files, the Reset Permissions button automatically returns files to 644 and folders to 755. This feature works with WordPress, Joomla, and other CMS. Sayt.uz support helps in any situation.
Commands to check and change
Via SSH, permissions are checked with ls -la, which shows the permissions of each file or folder. The first character indicates type (d = folder, - = file), the rest are permissions. For bulk changes, find is useful: all files to 644 — find . -type f -exec chmod 644 {} \;, all folders to 755 — find . -type d -exec chmod 755 {} \;. These commands quickly restore standard permissions across the site.