Comments on: Setup and secure your WordPress upload directory http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html Philippines, Technology, Mobile, Android, Games, Mac, Linux, WordPress Sat, 31 Dec 2011 04:26:41 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Coding memories - Unable to create directory …/wp-content/uploads/ http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-1199 Coding memories - Unable to create directory …/wp-content/uploads/ Thu, 29 Sep 2011 16:12:14 +0000 http://gerry.ws/?p=152#comment-1199 [...] a security risk. iGerry posted a nice tutorial about how to setup a more secure upload directory: http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html. In my opinon the most valuable thing comes from John Osmond‘s comment. He mention that if [...] [...] a security risk. iGerry posted a nice tutorial about how to setup a more secure upload directory: http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html. In my opinon the most valuable thing comes from John Osmond‘s comment. He mention that if [...]

]]> By: Daniel http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-1196 Daniel Wed, 21 Sep 2011 11:22:57 +0000 http://gerry.ws/?p=152#comment-1196 HI, is this part correct? Order Allow,Deny Deny from all Allow from all Don't think so, can somebody please tell me the correct code to allow only images? Thanks in advance HI, is this part correct?

Order Allow,Deny
Deny from all

Allow from all

Don’t think so, can somebody please tell me the correct code to allow only images?

Thanks in advance

]]> By: Guix http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-1140 Guix Fri, 29 Jul 2011 15:58:58 +0000 http://gerry.ws/?p=152#comment-1140 Hello, What is the exact content of the .htaccess file? All I see is: Order Allow,Deny Deny from all Allow from all Thanks a lot Hello,

What is the exact content of the .htaccess file? All I see is:
Order Allow,Deny
Deny from all
Allow from all

Thanks a lot

]]> By: James http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-307 James Fri, 15 Oct 2010 14:21:41 +0000 http://gerry.ws/?p=152#comment-307 John Osmond: If your webserver is running on Linux, you can also use "chmod 2775" on your uploads directory, which sets the "group sticky" bit. Any new directories created under uploads will keep the same ownership as the parent directory instead of becoming owned by nobody:nobody. However, this is a Linux-specific behavior. John Osmond: If your webserver is running on Linux, you can also use “chmod 2775″ on your uploads directory, which sets the “group sticky” bit. Any new directories created under uploads will keep the same ownership as the parent directory instead of becoming owned by nobody:nobody. However, this is a Linux-specific behavior.

]]> By: John Osmond http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-306 John Osmond Wed, 22 Sep 2010 20:52:13 +0000 http://gerry.ws/?p=152#comment-306 One thing I've recently discovered is that if you set apache to run phpsuexec (which most web hosts do anyway) then there is no problem with the uploads directory. It can remain 755 and the users will have no problems uploading images. Also, the automatic upgrades work properly every time. phpsuexec as I'm coming to understand it is also called cgi-mode in php5. If you run your own server it's an apache setting. If you have a web host ask them to turn it on. WARNING: It will break any http authentication scripts you might have, but there are work-arounds. I feel it's worth it. One thing I’ve recently discovered is that if you set apache to run phpsuexec (which most web hosts do anyway) then there is no problem with the uploads directory. It can remain 755 and the users will have no problems uploading images. Also, the automatic upgrades work properly every time.

phpsuexec as I’m coming to understand it is also called cgi-mode in php5. If you run your own server it’s an apache setting. If you have a web host ask them to turn it on.

WARNING: It will break any http authentication scripts you might have, but there are work-arounds. I feel it’s worth it.

]]> By: Cartman http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-305 Cartman Wed, 01 Sep 2010 05:45:37 +0000 http://gerry.ws/?p=152#comment-305 Hi thanks for overview. I am a newbie on these blogging stuff. I am searching everyday lots of articles. And I am absolutely amateur.Lol So my settings re now on Chmod 755 and i read some different articles which are saying `make CHMOD permissions 664` Does it work? And if you have a lil bit more time to answer I need to know sth about video security stuff. I will make some education videos also in near future. So If i put all my videos that wp-upload directory will they be still in safe like photos? If not. Please write a new article about this subject too Gerry :) Sorry for broken English btw. All my best wishes, Hi thanks for overview. I am a newbie on these blogging stuff. I am searching everyday lots of articles. And I am absolutely amateur.Lol So my settings re now on Chmod 755 and i read some different articles which are saying `make CHMOD permissions 664` Does it work?

And if you have a lil bit more time to answer I need to know sth about video security stuff. I will make some education videos also in near future. So If i put all my videos that wp-upload directory will they be still in safe like photos?

If not. Please write a new article about this subject too Gerry :)

Sorry for broken English btw.

All my best wishes,

]]> By: John Osmond http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-304 John Osmond Fri, 30 Jul 2010 04:08:06 +0000 http://gerry.ws/?p=152#comment-304 Fantastic post. Question for you. I like wp to organize uploads into year and month folders. When I setup my uploads folder according to your post here, then new folders created inside do not inherit userid:nobodyid, they inherit nobodyid:nobodyid. That creates a problem for the ftp programs. You can't do much with these folders until you run (or your web host admins) run a chown with -R recursive flag. So to the question, is there a way to chown the uploads dir to cause all future subdirs inherit the same userid:nobodyid owner/group permissions? Thanks. -- JO Fantastic post.

Question for you. I like wp to organize uploads into year and month folders. When I setup my uploads folder according to your post here, then new folders created inside do not inherit userid:nobodyid, they inherit nobodyid:nobodyid. That creates a problem for the ftp programs. You can’t do much with these folders until you run (or your web host admins) run a chown with -R recursive flag.

So to the question, is there a way to chown the uploads dir to cause all future subdirs inherit the same userid:nobodyid owner/group permissions?

Thanks.
– JO

]]> By: Jaki Levy http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-303 Jaki Levy Tue, 19 Jan 2010 20:24:05 +0000 http://gerry.ws/?p=152#comment-303 This is great - nice overview. I'm looking to have a list of files available for download (pdf's). Now, I want people to be able to download these files, but I don't want the wp-content/uploads directory to be accessible... So, right now, my uploads file is totally accessible to anyone that can get the path. How can I secure this folder so nobody can access it via a direct URL request, yet still allow people to access the files for download/viewing? This is great – nice overview. I’m looking to have a list of files available for download (pdf’s). Now, I want people to be able to download these files, but I don’t want the wp-content/uploads directory to be accessible…

So, right now, my uploads file is totally accessible to anyone that can get the path. How can I secure this folder so nobody can access it via a direct URL request, yet still allow people to access the files for download/viewing?

]]> By: ARMIN http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-302 ARMIN Sun, 04 Oct 2009 22:35:56 +0000 http://gerry.ws/?p=152#comment-302 "Leaving the owner set to your own user id and the group to the web server setting would give read/write access to only you and the web server denying access to other users." If another user on the server is able to execute scripts as "apache", "web", "www", "www-data", he can access these files, no? “Leaving the owner set to your own user id and the group to the web server setting would give read/write access to only you and the web server denying access to other users.”

If another user on the server is able to execute scripts as “apache”, “web”, “www”, “www-data”, he can access these files, no?

]]> By: gerry http://gerry.ws/2008/10/152/setup-and-secure-your-wordpress-upload-directory.html/comment-page-1#comment-301 gerry Wed, 05 Aug 2009 13:08:58 +0000 http://gerry.ws/?p=152#comment-301 your are welcome peter, you can checkout my recently put up site where I now put my wordpress stuff - http://www.codestuff.com your are welcome peter, you can checkout my recently put up site where I now put my wordpress stuff – http://www.codestuff.com

]]>