Countless tutorials and Stack Overflow answers end with chmod 777 as the fix for a permission error. It works — and that is precisely the problem. chmod 777 sets rwxrwxrwx: every user, group, and process on the system can read, write, and execute the file. On a web server that means any compromised script, any other user on shared hosting, and any web request can overwrite your files. It is one of the most common self-inflicted security vulnerabilities on Linux servers.
chmod 777 on production servers. If you ran it to fix a permission error, scroll to the safe alternatives section below and fix it now.
Calculate the right chmod mode for your situation
Open Chmod Calculator →What chmod 777 actually does
rwxrwxrwx. Owner, group, and others all get read + write + execute. The red bit is the world-writable flag — green = granted, gray = denied.Each digit in 777 is the sum of read (4) + write (2) + execute (1) = 7 — all three permissions, for all three classes:
Owner: 7 = 4+2+1 = rwx (full access)
Group: 7 = 4+2+1 = rwx (full access)
Others: 7 = 4+2+1 = rwx (full access)
Result: rwxrwxrwx"Others" means any user account on the system that is not the owner and not in the file's group. On a web server, the web server process (Apache, Nginx, PHP-FPM) often runs as www-data or nobody — accounts that typically fall into "others". This means every web request your server handles can modify any file you have set to 777.
Why tutorials tell you to use chmod 777
The typical scenario: you get a "Permission denied" error. You search, find a quick fix, and run chmod 777. It works. You move on.
What the tutorial is not telling you: the actual problem is almost always one of these:
- Wrong owner — the file belongs to root but your web server runs as
www-data. Fix:chown www-data:www-data filename, then keep 644 or 755. - Wrong group — the web server user is not in the file's group. Fix:
usermod -aG yourgroup www-dataand use chmod 775. - Missing execute bit on a directory — the directory has 644, so nobody can enter it. Fix:
chmod 755 dirname.
chmod 777 masks all three problems by giving everyone access, but it does not fix any of them.
Real attack vectors
Malicious file upload via a world-writable directory
If a web-accessible directory is set to 777, a PHP upload form (or any vulnerability in a plugin) can write an arbitrary file there. An attacker uploads a PHP shell, navigates to it in a browser, and now has code execution on your server. This is the most common exploitation of 777 in the wild.
Plugin / theme modification on WordPress
WordPress checks whether wp-content/plugins is writable and, if so, allows plugin upgrades and installs without FTP. Setting that directory to 777 means any process running on the server — including a compromised plugin — can overwrite other plugins or core files.
Shared hosting user isolation bypass
On shared hosting, multiple customers run under different system users. A world-writable file (777) in your web root can be read or overwritten by PHP code running under another customer's account. Hosting providers explicitly prohibit 777 for this reason.
What to use instead — decision table
| Situation | Use instead | Why |
|---|---|---|
| Public directories, executables | 755 | Everyone reads/executes; only owner writes |
| Web files (HTML, CSS, PHP) | 644 | World-readable, only owner can modify |
| Laravel storage / WordPress uploads | 775 + correct group | Group writes; world cannot |
SSH keys, .env files | 600 | Owner-only access |
/tmp shared sticky directory | 1777 | World-writable but sticky bit prevents deletion by others |
WordPress uploads fix
# Correct approach — NOT chmod 777
chown -R www-data:www-data wp-content/uploads
chmod -R 755 wp-content/uploads
find wp-content/uploads -type f -exec chmod 644 {} \;Laravel storage fix
# Add web server to the deploy group, then use 775
chown -R deployer:www-data storage bootstrap/cache
chmod -R 775 storage bootstrap/cacheFinding and auditing world-writable files
If you have already run chmod 777 on a server, scan for the damage:
# All world-writable regular files in the web root
find /var/www -perm -o+w -type f
# Exact 777 files anywhere in the current directory
find . -type f -perm 777
# System-wide scan for world-writable files (excluding /proc and /sys)
find / -perm -0002 -type f \
! -path "/proc/*" ! -path "/sys/*" 2>/dev/null
# World-writable directories (also a risk)
find /var/www -perm -o+w -type dReview each result. Any file that is web-accessible and world-writable should be tightened to 644 (or 755 if it is a directory) after verifying ownership is correct.
Frequently Asked Questions
What does chmod 777 mean?
chmod 777 sets rwxrwxrwx — read, write, and execute for the owner, the group, and all other users. Any user or process on the system can modify or overwrite the file. It is almost always a security risk and should not be used on production servers.
Is chmod 777 ever safe?
Rarely. On a single-user local development machine with no network exposure and no sensitive data, 777 is harmless. On any server with multiple users, shared hosting, or web-accessible files, 777 is a risk. Even on local dev it can mask ownership problems that will bite you when you deploy.
What should I use instead of chmod 777 for WordPress uploads?
Use chmod 755 for the uploads directory and chmod 644 for uploaded files. Make sure the directory is owned by the web server user: chown -R www-data:www-data wp-content/uploads. If your deploy user needs write access too, use chmod 775 and add both users to a shared group.
What should I use instead of chmod 777 for Laravel storage?
Use chmod -R 775 storage bootstrap/cache and ensure the web server user (www-data) is in the same group as your deploy user: chown -R deployer:www-data storage bootstrap/cache. This gives the group write access without making the directories world-writable.
How do I find world-writable files on my server?
Run find /var/www -perm -o+w -type f to list world-writable files in your web root. For an exact 777 match: find . -type f -perm 777. For a system-wide scan: find / -perm -0002 -type f ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null. Tighten any results to 644 or 755 after confirming correct ownership.
Calculate the right permission for your situation
Open Chmod Calculator →Related permission guides
- chmod 755 explained — the safe alternative for directories and scripts
- chmod 644 explained — the standard for web files
- chmod 775 for Laravel and WordPress — group-writable without world-writable
- chmod 600 for SSH keys and .env files