Setup and secure your WordPress upload directory
When you use WordPress as your blogging software, one of the things you need to set up is an upload directory. By default WordPress is configured to use the wp-content/uploads directory. You can think of it as a “box” where your media files or images are saved when you upload them while writing your articles in WordPress.
Create your WordPress upload directory
You would normally need to create the upload directory in order for you to start using/uploading photos in your WordPress articles (posts or pages). Creating the upload directory can be done in several ways.
- One way is to use a web-based file manager such as the one found in cPanel.
- Another way to create the WordPress upload directory is to connect via the FTP account of your hosting account.
- A third way is to make the directory by logging into your server using a secure shell session.
What I’ll show here is how to create your upload directory using a Unix/Linux shell session. If you have secure shell (ssh) access to your web server, you can run the following commands after logging into your secure shell account:
cd public_html/wp-content
mkdir uploads
chmod 775 uploads
Most users would do a “chmod 777 uploads” to make the uploads directory writable by anybody. Although this works, it is more secure to set the permissions to 775 and perform an extra step that you must request from your hosting provider.
The extra step is to ask your hosting provider to set the group ownership of the uploads directory to the group under which your web server runs. Your hosting provider will know what the group should be. It may be apache, web, www, www-data or some other group chosen by your hosting provider. This step is required so that files you upload are written successfully by WordPress into the uploads directory.
Leaving the owner set to your own user id and the group set to the web server's group gives write access only to you and the web server; other users on the host can read the directory but cannot modify its contents.
Securing your upload directory
Although you have just restricted write access to the uploads directory to you and the web server, there is one more step you can take to increase its security.
Allowing the web server program write access to your upload directory effectively gives anybody on the Internet a way to write to that directory, because the web server acts on their requests. On its own this should not alarm you, because the upload function is only accessible to someone who is allowed to log in to your WordPress site.
Even so, an extra security measure should always be taken to decrease the risk of someone else being able to save files into your uploads directory.
The added security is configured using a .htaccess file. You need to create a .htaccess file in the uploads directory to take advantage of it.
The uploads directory functions mostly as storage for images, photos or videos (although most of us use YouTube for video these days). It is prudent therefore to restrict access to only these kinds of files in the uploads directory. To restrict access to images only, create a .htaccess file in the uploads directory you have just made. The file will contain the following lines:
# Deny access to everything in this directory by default ...
Order Allow,Deny
Deny from all
# ... then allow only the image file types the blog serves.
<FilesMatch "\.(jpe?g|png|gif|gz)$">
Allow from all
</FilesMatch>
What the directives above do is deny access to everything in the uploads directory by default and then allow only files whose names end in “jpeg, jpg, png, gif or gz” to be fetched from the Internet.
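The steps above (create the directory, set mode 775, hand the group to the web server, and drop in the restrictive .htaccess) can be scripted and verified in one place. The following is an added example, not code from the original post: it assumes you pass the uploads path and the web server's group name yourself (the group name comes from your hosting provider, as described above), and that `chgrp` will only succeed if your account is a member of that group or you are root, which is exactly why the article tells you to ask the provider. The generated .htaccess goes beyond the article's snippet by emitting both the Apache 2.2 syntax shown above (`Order`/`Deny`/`Allow`) and the Apache 2.4 equivalent (`Require`), selected by `IfModule` guards, so the same file works on either version. Because the file is an allowlist, anything else that lands in the directory, including a `.php` file, is refused by the web server; the flip side is that any other file type you legitimately upload (for example PDFs) must be added to the `FilesMatch` pattern or it will be refused too.

```shell
#!/bin/sh
# Added example (not from the original post): create and verify a WordPress
# uploads directory as the article describes: mode 775, group set to the web
# server's group, and a .htaccess that serves only image files.  Paths and the
# group name are supplied by the caller; nothing here is provider-specific.

# Mode 775: owner rwx, group rwx, others r-x (other accounts can read, not write).
UPLOADS_MODE=775

# Write a .htaccess that denies everything by default and re-allows only the
# extensions listed in the article (jpeg, jpg, png, gif, gz).  Apache 2.2 and
# 2.4 syntaxes are both emitted; the IfModule guards select the right one.
write_uploads_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# Deny access to everything in this directory by default ...
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>
# ... then allow only the image types the blog actually serves.
<FilesMatch "\.(jpe?g|png|gif|gz)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
</FilesMatch>
EOF
}

# Create the directory, set its mode and, if a group is given, hand group
# ownership to the web server.  Example: setup_uploads_dir public_html/wp-content/uploads www-data
setup_uploads_dir() {
    dir=$1
    web_group=${2:-}
    mkdir -p "$dir"
    chmod "$UPLOADS_MODE" "$dir"
    if [ -n "$web_group" ]; then
        chgrp "$web_group" "$dir"
    fi
    write_uploads_htaccess "$dir"
}

# Return 0 when the directory is in the recommended state: mode drwxrwxr-x,
# owned by the expected group, and a .htaccess that denies by default and
# carries the image allowlist.  Uses ls(1) so it runs on any POSIX system.
verify_uploads_dir() {
    dir=$1
    web_group=$2
    set -- $(ls -ld "$dir")
    mode=$1
    group=$4
    # Allow a trailing '+' or '.' that ls prints for ACL/SELinux contexts.
    case "$mode" in
        drwxrwxr-x*) ;;
        *) echo "bad mode $mode (want drwxrwxr-x)"; return 1 ;;
    esac
    [ "$group" = "$web_group" ] || { echo "bad group $group (want $web_group)"; return 1; }
    grep -q 'Deny from all' "$dir/.htaccess" || { echo ".htaccess missing default deny"; return 1; }
    grep -q 'FilesMatch' "$dir/.htaccess" || { echo ".htaccess missing image allowlist"; return 1; }
    return 0
}
```

Run `verify_uploads_dir` after your hosting provider has changed the group: it fails loudly if the directory is still world-writable (777), if the group is not the web server's, or if the .htaccess has been removed or overwritten.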
That’s it. Follow the steps above and you’ll have a more secure WordPress uploads directory in which to save the images you want to include in your blog posts.
Gerry Ilagan is into mobile apps and WordPress development at @speeqs. He loves to write about electronics, the Internet of Things, mobile phones, and #crazyideas.