How to Fix WordPress File and Folder Permissions Using a Simple PHP Script (No SSH Required)
Important Warning: Always take a full backup of your website before running this script. This includes your files and database. While the script only updates permissions, having a backup ensures you can recover quickly if anything unexpected happens.
Managing correct file and folder permissions is a fundamental part of WordPress security. Incorrect permissions can allow malicious actors to upload scripts, modify files, or install backdoors. When you don’t have SSH/terminal access and your site contains thousands of files, the fastest solution is to run a small PHP script from your cPanel File Manager.
Recommended permission values
- Files: 644
- Folders: 755
Overview
This script recursively scans the directory where it’s placed and applies 755 to directories and 644 to files. It does not modify file contents—only the file system permissions.
Before you run the script
- Take a full backup first. This is essential.
- Place the file in your WordPress root (usually public_html or the folder where WordPress is installed).
- Run it once through the browser (see instructions below).
- Immediately delete the script after use—leaving it on the server is a security risk.
- If you have a non-standard server setup, consult your host first.
Step-by-step: create and run
- Open cPanel → File Manager.
- Navigate to your WordPress root folder.
- Create a new file named fix-permissions.php.
- Paste the script (see code block below) into that file and save.
- Open your browser and visit:
https://yourwebsite.com/fix-permissions.php - When it completes you will see a confirmation message. Then delete fix-permissions.php from the server.
Script (copy exactly)
<?php
// Set your target directory
$path = __DIR__; // current folder
// Permissions
$filePerm = 0644;
$folderPerm = 0755;
function fixPermissions($dir, $filePerm, $folderPerm) {
$items = scandir($dir);
foreach ($items as $item) {
if ($item === '.' || $item === '..') continue;
$fullPath = $dir . '/' . $item;
if (is_dir($fullPath)) {
chmod($fullPath, $folderPerm);
fixPermissions($fullPath, $filePerm, $folderPerm);
} else {
chmod($fullPath, $filePerm);
}
}
}
fixPermissions($path, $filePerm, $folderPerm);
echo "Permissions updated successfully!";
?>Safety notes & troubleshooting
- Always take a backup before running the script.
- Run the script only once. Repeated runs are harmless but unnecessary.
- If the script times out on very large sites, run it inside subfolders only (such as wp-content or uploads).
- If permissions remain incorrect afterward, your host may be enforcing ownership restrictions.
- Delete the script immediately after use.
When to use this
- After malware cleanup to restore secure permissions.
- After a hosting migration with broken permissions.
- When uploads, updates, or installations fail.
Need a safer or customized version? I can provide a logging-enabled script, a restricted version for wp-content only, or a timeout-safe version for large websites. Just let me know.
