Setting the right file and folder permissions is one of the most overlooked yet critical aspects of securing your Craft CMS website. Incorrect permissions can expose sensitive files, allow unauthorized access, or even lead to full-scale website takeovers.
This blog post outlines seven key steps to implement correct file and folder permissions for a Craft CMS website, helping you ensure optimal security and functionality.
1. Understand Why File and Folder Permissions Matter
Every file and directory in your Craft CMS website has a set of permissions that determine who can read, write, or execute them. If these permissions are too lax, attackers can exploit vulnerabilities to upload malicious content, delete files, or access configuration data.
By implementing correct file and folder permissions, you:
Reduce the attack surface of your website
Prevent unauthorized changes to core system files
Limit potential damage if one user or service is compromised
2. Follow the Principle of Least Privilege
The principle of least privilege means giving each file or directory only the permissions it needs—nothing more. For example, a file that only needs to be read should not have write or execute permissions.
This is particularly important for:
Configuration files (e.g., .env)
Template folders
Upload directories
Only specific processes should have write access to folders like storage or web/assets.
Recommended Reading:
Cybersecurity Framework by NIST
3. Assign Ownership Correctly
Correct ownership ensures that only intended system users can modify files. Typically:
The web server user (like www-data or apache) should own files it needs to write to.
The developer user should retain ownership of source code and configurations that the web server does not need to change.
Improper ownership can either block functionality or create security holes.
4. Set Proper File Permissions
Craft CMS files should generally have permission levels set to restrict unauthorized modification while allowing the CMS to function. A standard practice includes:
Files: readable and writable only by the owner (644 permissions)
Sensitive configuration files: restrict even read access for non-owners
This prevents global write access that can be exploited if the server is compromised.
5. Set Proper Directory Permissions
Directories in your Craft CMS project should be restricted based on their role:
General directories: 755 permissions (owner can write; group and others can read/execute)
Writable directories (like storage/ or web/assets/): can be given limited write access by the web server user only
Never allow 777 permissions (read/write/execute for all) as this poses a severe security risk.
6. Restrict Access to Sensitive Folders
Certain folders should not be publicly accessible, such as:
config/
vendor/
storage/
To enhance security:
Store sensitive directories outside of the web root
Use .htaccess or server-level rules to deny direct access to restricted folders
This prevents attackers from accessing configuration files or log data that could reveal system information.
7. Perform Regular Permission Audits
Even if you initially set correct file and folder permissions, changes in deployment, plugin installations, or hosting configurations might alter them. That’s why regular audits are necessary.
To maintain ongoing security:
Periodically review permission levels across directories
Keep logs of permission changes
Incorporate permission checks into your DevOps or CI/CD workflows
Regular audits help catch misconfigurations early before they become vulnerabilities.
Conclusion
Implementing correct file and folder permissions for a Craft CMS website is a foundational security step that should not be overlooked. By following these seven steps, you can protect your site from a wide range of threats and ensure it functions reliably.
Security is not a one-time task—it’s an ongoing responsibility. Make proper permission management a regular part of your website maintenance routine.