CRAFT CMS DEVELOPER

7 Key Steps to Implement Correct File and Folder Permissions for a Craft CMS Website

Published on May 28, 2025

File of craft

Setting the right file and folder permissions is one of the most overlooked yet critical aspects of securing your Craft CMS website. Incorrect permissions can expose sensitive files, allow unauthorized access, or even lead to full-scale website takeovers.

This blog post outlines seven key steps to implement correct file and folder permissions for a Craft CMS website, helping you ensure optimal security and functionality.

 

 

1. Understand Why File and Folder Permissions Matter

 

Every file and directory in your Craft CMS website has a set of permissions that determine who can read, write, or execute them. If these permissions are too lax, attackers can exploit vulnerabilities to upload malicious content, delete files, or access configuration data.

By implementing correct file and folder permissions, you:

Reduce the attack surface of your website

Prevent unauthorized changes to core system files

Limit potential damage if one user or service is compromised

 

 

2. Follow the Principle of Least Privilege

 

The principle of least privilege means giving each file or directory only the permissions it needs—nothing more. For example, a file that only needs to be read should not have write or execute permissions.

This is particularly important for:

Configuration files (e.g., .env)

Template folders

Upload directories

Only specific processes should have write access to folders like storage or web/assets.

Recommended Reading:
Cybersecurity Framework by NIST

 

 

3. Assign Ownership Correctly

 

Correct ownership ensures that only intended system users can modify files. Typically:

The web server user (like www-data or apache) should own files it needs to write to.

The developer user should retain ownership of source code and configurations that the web server does not need to change.

Improper ownership can either block functionality or create security holes.

 

 

4. Set Proper File Permissions

 

Craft CMS files should generally have permission levels set to restrict unauthorized modification while allowing the CMS to function. A standard practice includes:

Files: readable and writable only by the owner (644 permissions)

Sensitive configuration files: restrict even read access for non-owners

This prevents global write access that can be exploited if the server is compromised.

 

 

5. Set Proper Directory Permissions

 

Directories in your Craft CMS project should be restricted based on their role:

General directories: 755 permissions (owner can write; group and others can read/execute)

Writable directories (like storage/ or web/assets/): can be given limited write access by the web server user only

Never allow 777 permissions (read/write/execute for all) as this poses a severe security risk.

 

 

6. Restrict Access to Sensitive Folders

 

Certain folders should not be publicly accessible, such as:

config/

vendor/

storage/

To enhance security:

Store sensitive directories outside of the web root

Use .htaccess or server-level rules to deny direct access to restricted folders

This prevents attackers from accessing configuration files or log data that could reveal system information.

 

 

7. Perform Regular Permission Audits

 

Even if you initially set correct file and folder permissions, changes in deployment, plugin installations, or hosting configurations might alter them. That’s why regular audits are necessary.

To maintain ongoing security:

Periodically review permission levels across directories

Keep logs of permission changes

Incorporate permission checks into your DevOps or CI/CD workflows

Regular audits help catch misconfigurations early before they become vulnerabilities.

 

 

Conclusion

 

Implementing correct file and folder permissions for a Craft CMS website is a foundational security step that should not be overlooked. By following these seven steps, you can protect your site from a wide range of threats and ensure it functions reliably.

Security is not a one-time task—it’s an ongoing responsibility. Make proper permission management a regular part of your website maintenance routine.