Setup and secure your Wordpress upload directory

When you use Wordpress as your blogging software, one of the things that you need to set up is an upload directory. By default Wordpress is configured to use the wp-content/uploads directory. You can think of it as a “box” where your media files or images are saved when you upload them while creating your articles under Wordpress.


Create your Wordpress upload directory

You would normally need to create the upload directory in order for you to start using/uploading photos in your Wordpress articles (posts or pages). Creating the upload directory can be done in several ways.

  1. One way is to use a web-based file manager such as the one found in Cpanel.
  2. Another way to create the Wordpress upload directory is to connect via the FTP account of your hosting account.
  3. A third way is to make the directory by logging into your server using a secure shell session.

What I’ll show here is how to create your upload directory using a Unix/Linux shell session. If you have secure shell (ssh) access to your web server, you can run the following commands after logging into your secure shell account:

cd public_html/wp-content
mkdir uploads
chmod 775 uploads

Most users would run “chmod 777 uploads” to make the uploads directory writable by anybody. Although this works, it is more secure to set the permissions to 775 and perform an extra step that you need to request from your hosting provider.

The extra step is to ask your hosting provider to set the group ownership of the uploads directory to the group under which your web server runs. Your hosting provider will know what the group should be. This may be apache, web, www, www-data or some other group chosen by your hosting provider. This step is required so that files you upload can be written successfully by Wordpress into the uploads directory.

Leaving the owner set to your own user id and the group set to the web server’s group gives read/write access only to you and the web server, denying access to other users.
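As an added example (not from the original post), the shell script below performs the mkdir/chmod steps above and then checks that the directory ends up with the 775 mode and the web server’s group. The group name in WEB_GROUP is an assumption; substitute whatever name your hosting provider gives you. The group change itself still has to be done by the provider, so the script only reports whether it has happened yet.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Creates the uploads directory with mode 775 as described above and verifies
# that its group matches the web server's group set by the hosting provider.
# WEB_GROUP is an assumed name; replace it with the group your host told you.

WEB_GROUP="${WEB_GROUP:-www-data}"

# Create the directory (if missing) and apply the 775 mode from the post.
setup_uploads_dir() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 775 "$dir" || return 1
}

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Print the group name that owns a path.
group_of() {
    if stat -c '%G' "$1" >/dev/null 2>&1; then
        stat -c '%G' "$1"
    else
        stat -f '%Sg' "$1"
    fi
}

# Returns 0 when the directory is 775 and group-owned by WEB_GROUP,
# 1 when the mode is wrong, 2 when the provider still has to change the group.
check_uploads_dir() {
    dir="$1"
    if [ "$(mode_of "$dir")" != "775" ]; then
        echo "$dir: mode is $(mode_of "$dir"), expected 775" >&2
        return 1
    fi
    if [ "$(group_of "$dir")" != "$WEB_GROUP" ]; then
        echo "$dir: group is $(group_of "$dir"); ask your host to chgrp it to $WEB_GROUP" >&2
        return 2
    fi
    echo "$dir: mode 775 and group $WEB_GROUP, ok"
}

# Usage (assumed hosting layout from the post):
#   setup_uploads_dir public_html/wp-content/uploads
#   check_uploads_dir public_html/wp-content/uploads
```

Running check_uploads_dir before the provider has changed the group returns 2, which is the signal to send the request; once the group matches, it returns 0 and uploads from Wordpress will succeed without falling back to 777.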

Securing your upload directory

Although you have just made you and the web server the only two entities allowed to write into the uploads directory, there is one more step you can take to increase the security of your upload directory.

Giving the web server program write access to your upload directory effectively gives anybody on the Internet a path to write into that directory. This should not alarm you by itself, because the upload function is only available to someone who is allowed to log in to your Wordpress system.

But an extra security measure should always be taken to decrease the risk of someone else being able to save files into your uploads directory.

The added security is configured using a .htaccess file. You need to create a .htaccess file in the uploads directory to take advantage of it.

The uploads directory functions mostly as storage for images, photos or videos (although most of us use youtube these days). It is prudent therefore to restrict access to just these kinds of files in the uploads directory. To restrict access to images only, create a .htaccess file in the uploads directory you have just created, containing the following lines:

Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif|gz)$">
Allow from all
</Files>

What the directives above do is allow only files ending in “jpeg, jpg, png, gif or gz” in the uploads directory to be accessed from the Internet; requests for any other file in the directory are denied.
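As an added example (not from the original post), the script below writes the .htaccess shown above into a directory and provides a small checker that applies the same filename pattern, so you can see which names the rules would serve before relying on them. The sample filenames in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Writes the post's .htaccess into an uploads directory and mirrors its
# <Files ~ ...> pattern so the allowlist can be checked against filenames.

# The exact lines from the post (Apache 2.2 access-control syntax).
write_uploads_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
Order Allow,Deny
Deny from all
<Files ~ "\.(jpeg|jpg|png|gif|gz)$">
Allow from all
</Files>
EOF
}

# Mirror the <Files ~ ...> regex: returns 0 if the name would be served,
# 1 if the "Deny from all" default applies. Like Apache's Files ~ match,
# the comparison is case-sensitive, so "PHOTO.JPG" is denied.
htaccess_allows() {
    printf '%s\n' "$1" | grep -Eq '\.(jpeg|jpg|png|gif|gz)$'
}

# Report each name (constructed samples in the usage below) as served/denied.
classify_names() {
    for name in "$@"; do
        if htaccess_allows "$name"; then
            echo "served: $name"
        else
            echo "denied: $name"
        fi
    done
}

# Usage:
#   write_uploads_htaccess public_html/wp-content/uploads
#   classify_names photo.jpg PHOTO.JPG archive.gz notes.txt script.php
```

Two points worth knowing when deploying it: the pattern is case-sensitive, so images saved with upper-case extensions (common from cameras) will be denied unless you add those variants; and on Apache 2.4 the Order/Allow/Deny directives are only available through mod_access_compat, the native 2.4 equivalents being “Require all denied” and “Require all granted”. The rules control only what the web server will serve from the directory; they do not change who can write into it, which is what the permissions section above handles.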

That’s it. Just follow the above steps and you’ll have a more secure Wordpress uploads directory that you can start using to be able to save those images you need to include into your blog posts.

Responses

  1. If you don’t chmod 777 and do it that way you explained, wouldn’t a 770 suffice?

  2. gerry says

    You can do that. By doing that you won’t allow anybody else access to the directory and the files inside it.

  3. Thanks a bunch for this inspiration gerry,
    I have now changed all folders away from 777 to more secure alternatives!

  4. Awesome, I’ve always had my host set the “blogs.dir” directory in wpmu (similar to normal wordpress “uploads”) to nobody:nobody to give PHP the right permissions.

    Unfortunately I could never alter anything in the folder through ftp after that (cause only the system had those permissions).

    This could take away at least a few hassles. (Also my host refused to change the owner to “nobody” this time, I guess it was a newbie at the desk before).

    Thank you

  5. gerry says

    You are welcome, Peter. You can check out my recently put up site where I now put my wordpress stuff – http://www.codestuff.com

  6. ARMIN says

    “Leaving the owner set to your own user id and the group to the web server setting would give read/write access to only you and the web server denying access to other users.”

    If another user on the server is able to execute scripts as “apache”, “web”, “www”, “www-data”, he can access these files, no?

  7. This is great – nice overview. I’m looking to have a list of files available for download (pdf’s). Now, I want people to be able to download these files, but I don’t want the wp-content/uploads directory to be accessible…

    So, right now, my uploads file is totally accessible to anyone that can get the path. How can I secure this folder so nobody can access it via a direct URL request, yet still allow people to access the files for download/viewing?

  8. Fantastic post.

    Question for you. I like wp to organize uploads into year and month folders. When I setup my uploads folder according to your post here, then new folders created inside do not inherit userid:nobodyid, they inherit nobodyid:nobodyid. That creates a problem for the ftp programs. You can’t do much with these folders until you run (or your web host admins) run a chown with -R recursive flag.

    So to the question, is there a way to chown the uploads dir to cause all future subdirs inherit the same userid:nobodyid owner/group permissions?

    Thanks.
    – JO
