
Setup and secure your WordPress upload directory

When you use WordPress as your blogging software, one of the things you need to set up is an upload directory. By default WordPress is configured to use the wp-content/uploads directory. You can think of it as a “box” where your media files or images are saved when you upload them while writing your articles in WordPress.


Create your WordPress upload directory

You would normally need to create the upload directory in order for you to start using/uploading photos in your WordPress articles (posts or pages). Creating the upload directory can be done in several ways.

  1. One way is to use a web-based file manager such as the one found in cPanel.
  2. Another way to create the WordPress upload directory is to connect via the FTP account of your hosting account.
  3. A third way is to make the directory by logging into your server using a secure shell session.

What I’ll show here is how to create your upload directory using a Unix/Linux shell session. If you have secure shell (ssh) access to your web server, you can run the following commands after logging into your secure shell account:

cd public_html/wp-content
mkdir uploads
chmod 775 uploads

Most users would do a “chmod 777 uploads” to make the uploads directory writable by anybody. Although this works, it is more secure to set the permissions to 775 and perform an extra step that you need to request from your hosting provider.

The extra step is to ask your hosting provider to set the group ownership of the uploads directory to the group under which your web server runs. Your hosting provider will know what that group should be. It may be apache, web, www, www-data or some other group chosen by your hosting provider. This step is required so that files you upload will be written successfully by WordPress into the uploads directory.

Leaving the owner set to your own user id and the group set to the web server's group gives read/write access only to you and the web server, denying access to other users.

Securing your upload directory

Although you have just restricted write access to the uploads directory to yourself and the web server, there is one more step you can take to increase its security.

Allowing the web server program write access to your upload directory effectively allows anybody on the Internet to write to that directory. This should not alarm you on its own, because the upload function is only available to someone who is allowed to log in to your WordPress system.

But an extra security measure should always be taken to decrease the risk of someone else being able to save files into your uploads directory.

The added security is configured using a .htaccess file. You need to create a .htaccess file in the uploads directory to take advantage of it.

The uploads directory functions mostly as storage for images, photos or videos (although most of us use YouTube these days). It is prudent therefore to restrict access to just these kinds of files in the uploads directory. To restrict access to merely images, create a .htaccess file in the uploads directory you have just created, containing the following lines:

# Deny everything in the uploads directory by default ...
Order Allow,Deny
Deny from all
# ... then allow only file names ending in one of the listed extensions.
<FilesMatch "\.(jpeg|jpg|png|gif|gz)$">
Allow from all
</FilesMatch>

What the directives above do is deny access to everything in the uploads directory and then allow only files whose names end in “jpeg or jpg or png or gif or gz” to be accessed from the Internet.
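As an added example that is not part of the original post, the following shell script writes the allow-list .htaccess described above into an uploads directory and lets you check offline, with the same pattern, which file names the FilesMatch rule would let through. The pattern is built from the extensions the post names (jpeg, jpg, png, gif, gz); the directory path and the sample file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the original post's code): writes the uploads .htaccess
# from the post and checks file names against the same FilesMatch pattern.

# POSIX ERE used both in the .htaccess and in the local check. The trailing $
# anchor matters: a name such as "shell.jpg.php" is judged by its real
# extension (.php) and is not served.
ALLOWED_RE='\.(jpeg|jpg|png|gif|gz)$'

# Write "$1/.htaccess": deny everything, then re-allow only matching names.
write_uploads_htaccess() {
    mkdir -p "$1"
    cat > "$1/.htaccess" <<EOF
# Deny everything in uploads by default ...
Order Allow,Deny
Deny from all
# ... then allow only the file types that belong here.
<FilesMatch "$ALLOWED_RE">
Allow from all
</FilesMatch>
EOF
    printf '%s/.htaccess\n' "$1"
}

# Return 0 if the web server would serve a file with this name, 1 otherwise.
would_be_served() {
    printf '%s\n' "$1" | grep -Eq "$ALLOWED_RE"
}

# Print one "allow"/"deny" verdict per name given.
classify() {
    for name in "$@"; do
        if would_be_served "$name"; then
            printf 'allow %s\n' "$name"
        else
            printf 'deny  %s\n' "$name"
        fi
    done
}

# Constructed sample names to try against the pattern.
classify photo.jpg banner.png archive.tar.gz shell.php shell.jpg.php .htaccess
```

Two caveats a practitioner should keep in mind: the match is case-sensitive as written, so a file named PHOTO.JPG would be denied unless the pattern is extended; and `Order`/`Deny`/`Allow` are Apache 2.2 directives, which on Apache 2.4 need mod_access_compat (the native 2.4 equivalents are `Require all denied` and `Require all granted`). The rule limits what can be fetched from the directory over HTTP; it does not by itself stop files from being written there.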

That’s it. Just follow the above steps and you’ll have a more secure WordPress uploads directory that you can start using to be able to save those images you need to include into your blog posts.

Gerry Ilagan

Gerry Ilagan is into mobile apps and WordPress development at @speeqs. He loves to write about electronics, the Internet of Things, mobile phones, and #crazyideas.

Comments

jack

If you don’t chmod 777 and do it that way you explained, wouldn’t a 770 suffice?

gerry

You can do that. By doing that you won’t allow anybody else access to the directory and the files inside it.

jez

Thanks a bunch for this inspiration Gerry,
I have now changed all folders away from 777 to more secure alternatives!

Peter

Awesome, I’ve always had my host set the “blogs.dir” directory in wpmu (similar to normal wordpress “uploads”) to nobody:nobody to give PHP the right permissions.

Unfortunately I could never alter anything in the folder through ftp after that (cause only the system had those permissions).

This could take away at least a few hassles. (Also my host refused to change the owner to “nobody” this time, I guess it was a newbie at the desk before).

Thank you

gerry

You are welcome Peter, you can check out my recently put up site where I now put my WordPress stuff – http://www.codestuff.com

ARMIN

“Leaving the owner set to your own user id and the group to the web server setting would give read/write access to only you and the web server denying access to other users.”

If another user on the server is able to execute scripts as “apache”, “web”, “www”, “www-data”, he can access these files, no?

Jaki Levy

This is great – nice overview. I’m looking to have a list of files available for download (PDFs). Now, I want people to be able to download these files, but I don’t want the wp-content/uploads directory to be accessible…

So, right now, my uploads file is totally accessible to anyone that can get the path. How can I secure this folder so nobody can access it via a direct URL request, yet still allow people to access the files for download/viewing?

John Osmond

Fantastic post.

Question for you. I like wp to organize uploads into year and month folders. When I set up my uploads folder according to your post here, the new folders created inside do not inherit userid:nobodyid, they inherit nobodyid:nobodyid. That creates a problem for the ftp programs. You can’t do much with these folders until you (or your web host’s admins) run a chown with the -R recursive flag.

So to the question, is there a way to chown the uploads dir to cause all future subdirs inherit the same userid:nobodyid owner/group permissions?

Thanks.
— JO

Cartman

Hi, thanks for the overview. I am a newbie on this blogging stuff. I am searching every day through lots of articles. And I am absolutely an amateur. Lol. So my settings are now on chmod 755 and I read some different articles which are saying `make CHMOD permissions 664`. Does it work?

And if you have a little bit more time to answer, I need to know something about video security stuff. I will make some education videos also in the near future. So if I put all my videos in that wp-upload directory, will they still be as safe as photos?

If not. Please write a new article about this subject too Gerry 🙂

Sorry for broken English btw.

All my best wishes,

John Osmond

One thing I’ve recently discovered is that if you set apache to run phpsuexec (which most web hosts do anyway) then there is no problem with the uploads directory. It can remain 755 and the users will have no problems uploading images. Also, the automatic upgrades work properly every time.

phpsuexec, as I’m coming to understand it, is also called cgi-mode in php5. If you run your own server it’s an apache setting. If you have a web host, ask them to turn it on.

WARNING: It will break any http authentication scripts you might have, but there are work-arounds. I feel it’s worth it.

James

John Osmond: If your webserver is running on Linux, you can also use “chmod 2775” on your uploads directory, which sets the “group sticky” bit. Any new directories created under uploads will keep the same ownership as the parent directory instead of becoming owned by nobody:nobody. However, this is a Linux-specific behavior.
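As an added example, not code from the post or from any commenter, the following shell script performs the directory setup from the post using the 2775 variant James describes, and checks what a practitioner would want to verify afterwards: that the directory is not world-writable, whether its group is the web server's group, and that a year/month subdirectory created later (as WordPress does) keeps the parent's group and the setgid bit. It assumes a Linux system with GNU stat; the web server group www-data and the 2024/01 path are assumptions for the demonstration, and the chgrp itself is left to the hosting provider as the post says.

```shell
#!/bin/sh
# Added example (not the original post's code). Creates an uploads directory
# with mode 2775 (group-writable, setgid, not world-writable) and verifies the
# properties discussed in the post and the comments.
# WEB_GROUP is an assumption; ask your host which group the web server runs as.
WEB_GROUP="${WEB_GROUP:-www-data}"

# Octal mode of a path, e.g. 2775 (GNU stat; setgid shows as a leading 2).
mode_of() {
    stat -c '%a' "$1"
}

# Group name of a path.
group_of() {
    stat -c '%G' "$1"
}

# Create "$1/uploads" with mode 2775 and print its path. Does not chgrp:
# that is the step the post says to request from the hosting provider.
setup_uploads_dir() {
    mkdir -p "$1/uploads"
    chmod 2775 "$1/uploads"
    printf '%s/uploads\n' "$1"
}

# Return 0 if the directory is world-writable (the 777 case the post advises
# against), 1 otherwise. Looks at the last octal digit (the "other" bits).
is_world_writable() {
    m=$(mode_of "$1")
    last=${m#"${m%?}"}
    case "$last" in
        2|3|6|7) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a subdirectory created inside "$1" keeps the parent's group and
# the setgid bit, i.e. what WordPress's year/month folders will get.
subdirs_inherit_group() {
    sub="$1/2024/01"   # constructed year/month path like WordPress creates
    mkdir -p "$sub"
    [ "$(group_of "$sub")" = "$(group_of "$1")" ] || return 1
    case "$(mode_of "$sub")" in
        2*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether the group is the web server group. Informational only:
# on shared hosting only the provider can change it.
check_group() {
    if [ "$(group_of "$1")" = "$WEB_GROUP" ]; then
        echo "group ok: $WEB_GROUP"
    else
        echo "group is $(group_of "$1"); ask your host to chgrp it to $WEB_GROUP"
    fi
}
```

Run it as `D=$(setup_uploads_dir "$HOME/public_html/wp-content")` followed by `check_group "$D"` and `subdirs_inherit_group "$D" && echo inherits`. Without the setgid bit the subdirectories get the primary group of whichever process creates them, which is the nobody:nobody behaviour John Osmond reports; with it, the group the host set on uploads carries down to every new year/month folder.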

Guix

Hello,

What is the exact content of the .htaccess file? All I see is:
Order Allow,Deny
Deny from all
Allow from all

Thanks a lot

Daniel

Hi, is this part correct?

Order Allow,Deny
Deny from all

Allow from all

Don’t think so, can somebody please tell me the correct code to allow only images?

Thanks in advance
