File permissions (chmod) define who can do what with each file and folder on the hosting server: read, write, execute. On shared hosting, correct permissions are critical both for the smooth operation of your application and for security. A file with wrong permissions may return a "Forbidden" error; permissions that are too broad (especially 777) open the door for malicious code to be injected into your site.
1. Changing Permissions via File Manager
- Log in to cPanel.
- In the Files section, click File Manager.
- Select the file or folder whose permissions you want to change.
- Click the Permissions button in the top toolbar (alternatively, right-click the file and choose Change Permissions).
- In the dialog, type a three-digit number in the Permission field (e.g. 644) or check the boxes to produce the value.
- Click the Change Permissions button.
2. What Permission Codes Mean
The three digits represent the permissions of owner, group and world in order. Each digit is the sum of the following values:
- 4 — Read
- 2 — Write
- 1 — Execute (for folders: "enter into")
For example, in 755:
- 7 (owner) = 4 + 2 + 1 → read + write + execute
- 5 (group) = 4 + 1 → read + execute
- 5 (world) = 4 + 1 → read + execute
3. Commonly Used Permission Values
- 644 — Standard web files: HTML, CSS, JS, PHP, images, .htaccess. The owner can read and write; the web server can read.
- 755 — All folders and executable scripts (e.g. files in cgi-bin). The owner has full access; others can read and enter.
- 600 — Sensitive configuration files (e.g. WordPress wp-config.php, .env containing API keys). Only the owner can read and write.
- 400 — Read-only private keys (SSH private key, SSL key, etc.). Only the owner can read.
- 444 — Files that no one should modify but everyone should be able to read (rarely used).
4. Why Are 777 and 666 Dangerous?
Some plugin or theme installation instructions may suggest "set permissions to 777, your problem will be solved". Don't follow such advice.
- 777 gives everyone (including other users on the server and malicious scripts) read, write and execute permissions. It opens the door for malicious PHP files to be written into your site from outside.
- 666 has no execute permission, but everyone can still write; equally dangerous.
If an application really needs write permission, 664 (owner+group write) is enough instead of 644; there's hardly any modern application that needs 777.
5. Bulk Application to Subfolders
To fix all files of an application at once, there are two methods:
- File Manager: You can select multiple files/folders and apply the same value with the Permissions button; unfortunately File Manager doesn't offer "apply to subdirectories" by default, so you need to repeat for the folder and each file inside.
- SSH (Terminal): If you have SSH access, you can fix the whole tree with two commands:
    find /home/username/public_html -type f -exec chmod 644 {} \;
    find /home/username/public_html -type d -exec chmod 755 {} \;
  The first command sets 644 on all files, the second sets 755 on all folders.
If your site returns a 500 Internal Server Error or Forbidden after a permission change, you likely set permissions too narrowly (e.g. 400 instead of 600). Reverting to standard 644/755 values usually fixes it; if not, you can open a support ticket.
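A read-only check for the problems described in sections 3 to 5, added here as an example and not part of the original article: it lists anything world-writable (777, 666 and similar) and any wp-config.php or .env that is not 600. The function names are illustrative, and the demo tree at the end is constructed so the script runs on its own.

```sh
#!/bin/sh
# Added example, not from the original article. Read-only: it changes nothing.
# Function names are illustrative; the file names come from section 3.

# Files and folders anyone on the server can write to. "-perm -0002" matches
# whenever the world-write bit is set: 777 and 666, but also 757 or 646.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Sensitive config files that are not 600 (or the stricter 400).
find_loose_secrets() {
    find "$1" -type f \( -name 'wp-config.php' -o -name '.env' \) \
        ! -perm 600 ! -perm 400 -print
}

# Print a labelled report; exit status is 0 only when nothing was found.
audit_webroot() {
    ww=$(find_world_writable "$1")
    loose=$(find_loose_secrets "$1")
    if [ -n "$ww" ]; then printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE /'; fi
    if [ -n "$loose" ]; then printf '%s\n' "$loose" | sed 's/^/NOT-600 /'; fi
    [ -z "$ww" ] && [ -z "$loose" ]
}

# Constructed demo tree so the script runs stand-alone.
demo=$(mktemp -d)
mkdir "$demo/uploads"
: > "$demo/index.php"
: > "$demo/wp-config.php"
chmod 777 "$demo/uploads"
chmod 644 "$demo/index.php" "$demo/wp-config.php"
audit_webroot "$demo" || echo "audit: fix the entries listed above"
rm -rf "$demo"
```

Point audit_webroot at your own web root, for example the /home/username/public_html path used in section 5. The bulk commands in section 5 also reset wp-config.php and .env to 644, so run the check afterwards and set those files back to 600.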