When you upload a website, reset a broken file permission, or harden a fresh server, chmod 644 is the mode you reach for first. It is the permission you will apply to the vast majority of files on a Linux web server — HTML, CSS, PHP, images, and config files all belong here. This guide explains exactly what it controls and which files should (and should not) use it.
chmod 644 means rw-r--r--. The owner gets read+write (6 = 4+2). The group and others get read-only (4). No execute bit is set. Use it for HTML, CSS, PHP, config files, and most regular files on a web server.
Need to calculate or convert a chmod mode?
Open Chmod Calculator →How 644 is calculated
rw-r--r-- — owner read + write (6), group and others read-only (4), no execute. Green = granted, gray = denied.Each octal digit is the sum of three permission bits: read (4), write (2), execute (1). For chmod 644:
Owner: 6 = 4 (read) + 2 (write) + 0 = rw-
Group: 4 = 4 (read) + 0 + 0 = r--
Others: 4 = 4 (read) + 0 + 0 = r--
Result: rw-r--r--Neither the group nor others has the write or execute bit, so a file with 644 can be read by anyone on the system but modified only by its owner.
What files should be 644?
Web server files
HTML, CSS, JavaScript, PHP, images, and most other files served by a web server should be 644. Apache and Nginx read these files as a server process — they do not need the Unix execute bit to interpret PHP or serve HTML. Giving web files the execute bit (e.g. 755) does not help anything and slightly widens the attack surface.
Configuration files
Config files that are not sensitive (e.g. nginx.conf snippets in a shared directory, .htaccess) work well at 644. The web server can read them and the owner can update them. If a config file contains credentials that the group should not see, use 640 or 600 instead.
.htaccess files
Apache's .htaccess should always be 644. The web server reads it on every request. Setting it to 777 on shared hosting is a security risk — any other user on the server could overwrite your rewrite rules.
SSH authorized_keys
The ~/.ssh/authorized_keys file should be 644 (or stricter: 600). OpenSSH will refuse to use an authorized_keys file that is group- or world-writable.
Shell examples
# Set a single file
chmod 644 index.html
# Set all regular files in a directory tree
find /var/www -type f -exec chmod 644 {} \;
# Set files AND directories correctly at once
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;
# Verify
ls -l index.html
# -rw-r--r-- 1 www-data www-data 2048 Jun 17 index.htmlThe two-command find approach above is the recommended way to reset a web root: directories get 755 (so they can be entered) and files get 644 (world-readable, owner-writable only).
chmod 644 vs other common modes
| Mode | Symbolic | Others can read? | Typical use |
|---|---|---|---|
| 644 | rw-r--r-- | Yes | Web files, configs, most regular files |
| 640 | rw-r----- | No | Group-readable configs (DB credentials) |
| 600 | rw------- | No | SSH private keys, .env files |
| 755 | rwxr-xr-x | Yes + execute | Directories, shell scripts |
| 664 | rw-rw-r-- | Yes | Group-collaborative files (use with sgid dir) |
Frequently Asked Questions
What does chmod 644 mean?
chmod 644 sets rw-r--r--. The owner can read and write the file (6 = 4+2). The group and others can only read it (4). No one but the owner can modify the file. It is the standard permission for web content, config files, and most regular files on a Linux server.
Should PHP files be 644 or 755?
PHP files should be 644. The web server (Apache/Nginx) interprets PHP server-side — it does not need the Unix execute bit. Setting PHP files to 755 is harmless but unnecessary. Setting them to 777 is a security risk because it makes them world-writable.
What should .htaccess permissions be?
.htaccess files should be 644. Apache needs to read them on every request. On shared hosting, never set .htaccess to 777 — other users on the same server could overwrite your configuration.
What is the difference between 644 and 640?
chmod 644 allows everyone to read the file. chmod 640 blocks others entirely — only the owner can write and the group can read. Use 640 for config files with credentials that your web server group (e.g. www-data) needs to read but the public should not access.
How do I set 644 on all files recursively?
Use find /path -type f -exec chmod 644 {} \;. This targets only regular files, not directories. Directories need the execute bit to be entered, so they should be set to 755 separately: find /path -type d -exec chmod 755 {} \;. Avoid chmod -R 644 because it strips the execute bit from directories and makes them inaccessible.
Calculate any chmod permission instantly
Open Chmod Calculator →Related permission guides
- chmod 755 explained — for directories and executable scripts
- chmod 600 for SSH keys and .env files
- chmod 777: why it's a security risk
- chmod 775 for Laravel and WordPress directories