What permissions should my website files/folders have on a Linux webserver?

Better Stack Team
Updated on November 9, 2023

On a Linux web server, setting the correct permissions for website files and folders is crucial for security and functionality. Here are general recommendations for permissions on website files and folders:

Folder Permissions:

  • Root Folder (/var/www/html or similar):
    • The root folder of your website should have permissions set to 755 (drwxr-xr-x).
    • The owner should typically be the web server user (e.g., www-data for Apache).
  • Subfolders and Files:
    • Folders inside the root should generally have permissions set to 755 (drwxr-xr-x).
    • Files within the folders should have permissions set to 644 (rw-r--r--).

Special Folders:

  • Upload Folders:
    • Folders where users can upload files need stricter handling, typically 755 for folders and 644 for files.
    • Ensure uploaded files (e.g., PHP files) cannot be executed unless that is intended.
  • Config Files:
    • Configuration files that contain sensitive information (database passwords, API keys, etc.) should have limited access.
    • Set permissions to 600 (rw-------) or 640 (rw-r-----), limiting access to the owner and specific groups that need access.

Ownership:

  • Ownership should typically be set to:
    • User: The user that the web server runs as (e.g., www-data for Apache).
    • Group: The group that the web server belongs to (also often www-data for Apache).

Additional Tips:

  • Avoid setting global write permissions if not necessary:
    • Giving write permissions to everyone (777) can pose security risks.
    • Limit write access to specific folders where necessary.
  • Use chown and chmod commands:
    • Use these commands in the terminal to change ownership and permissions of files and directories.
    • For example:
      • sudo chown -R www-data:www-data /var/www/html
      • sudo find /var/www/html -type d -exec chmod 755 {} +
      • sudo find /var/www/html -type f -exec chmod 644 {} +
  • Consider SELinux or AppArmor:
    • Security-Enhanced Linux (SELinux) or AppArmor can add an extra layer of security by defining policies that control access based on the defined security contexts.

It's important to find the right balance between security and functionality when setting file and folder permissions. Regularly review and update permissions to ensure your website remains secure. Be cautious with granting excessive permissions, especially to files that handle sensitive data or execute server-side code.
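
A read-only check for the scheme above, as an added example (not Better Stack's code): it lists entries under a web root that deviate from 755 directories, 644 files, 600/640 config files and non-executable uploads. The config file names (.env, config.php), the uploads subdirectory and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report entries under a web root that deviate from the
# permission scheme described in the article. It changes nothing.
# Assumptions (not from the article): config files are named .env or
# config.php, and uploads live in "$root/uploads" unless a second argument is given.

audit_webroot() {
    root=$1
    uploads=${2:-$root/uploads}

    # World-writable files or directories (the 777 risk); symlinks are skipped.
    find "$root" ! -type l -perm -002 | sed 's/^/WORLD_WRITABLE /'

    # Directories should be exactly 755.
    find "$root" -type d ! -perm 755 | sed 's/^/DIR_NOT_755 /'

    # Config files should be 600 or 640: flag any "other" bit, group write or exec.
    find "$root" -type f \( -name '.env' -o -name 'config.php' \) \
        \( -perm -004 -o -perm -002 -o -perm -001 -o -perm -020 -o -perm -010 \) |
        sed 's/^/CONFIG_TOO_OPEN /'

    # Every other regular file should be exactly 644.
    find "$root" -type f ! -name '.env' ! -name 'config.php' ! -perm 644 |
        sed 's/^/FILE_NOT_644 /'

    # Nothing in the upload directory should carry an execute bit.
    if [ -d "$uploads" ]; then
        find "$uploads" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
            sed 's/^/UPLOAD_EXECUTABLE /'
    fi
}

# Build a small constructed tree with deliberate mistakes, for demonstration.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/uploads" "$t/cache"
    : > "$t/index.php";  : > "$t/config.php";  : > "$t/.env"
    : > "$t/uploads/photo.jpg";  : > "$t/uploads/shell.php"
    chmod 755 "$t" "$t/uploads";  chmod 777 "$t/cache"
    chmod 644 "$t/index.php" "$t/config.php" "$t/uploads/photo.jpg"
    chmod 600 "$t/.env";  chmod 755 "$t/uploads/shell.php"
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /var/www/html
if [ "$#" -gt 0 ]; then audit_webroot "$@"; fi
```

On the constructed tree the audit reports the 777 cache directory, the world-readable config.php and the executable file in uploads, while the 600 .env file passes.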
