Consider it reported here. Had my images directory wiped out across 5 different WP sites I was running due to 777 (all files wiped out, and an index.html “hacker signature” file put in their place). This can happen to any 777 directory, not necessarily just the one you have designated for upload (trust me).
From what I have read, there are conflicting reports. Some say whether 755 will work depends on the hosting situation, yet I saw another post mentioning that he had other scripts using 755 that worked, while WP needed 777 on the same host.
Many other posts say things like “they are only images, so it will be ok” – you can say that until 100 or more images are wiped out and your site looks like a disaster. Or worse yet, explain it to a paying client.
The one thing I have used that seems to work is a technique used by other CMSs such as Mambo – put a blank “index.html” file in each of these image/upload directories. That will prevent the hacker from reading the dir over HTTP. We got targeted again recently, and that seemed to work.
That said, would still love a definitive answer from the WP team as to the minimum CHMOD we can use and still be able to upload safely. Would also love to see a “How to Secure WP” doc from any experienced user who has the time. Thanks in advance!!
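The two measures the post above describes, tightening 777 directories and dropping a blank index.html into each upload directory, as an added shell example that is not part of the original post or of WordPress itself. The site root path passed as the first argument and the constructed directory tree in the demo are assumptions. Note that a blank index.html only hides a directory listing; it does not stop anyone who can already write to a 777 directory, so the permission change is the part that matters. Whether 755/644 is enough for uploads to work depends on whether PHP runs as the file owner (suexec, php-fpm pools per user) or as the shared web-server user, which is why reports differ between hosts.

```shell
#!/bin/sh
# Audit a WordPress document root for world-writable (777-style) entries,
# tighten them to 755 for directories and 644 for files, and put a blank
# index.html into every directory under the uploads tree so an HTTP request
# for the directory returns an empty page instead of a listing.
# The root path is an assumed argument; nothing here is WordPress's own code.

# Print every directory or regular file that is writable by "other".
# -perm -002 is portable to GNU and BSD find.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print
}

# Number of world-writable entries under the given root (0 once tightened).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Directories 755, regular files 644; only touches entries that were
# world-writable so deliberately restrictive modes are left alone.
tighten_perms() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Create an empty index.html in every directory below the uploads dir that
# does not already have one (an existing index.html is never overwritten).
add_blank_index() {
    find "$1" -type d | while read -r d; do
        [ -e "$d/index.html" ] || : > "$d/index.html"
    done
}

# Demo against a constructed tree (not a real site): an uploads tree with
# 777 directories and a 666 image, the way a misconfigured install looks.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2023/05"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/2023" \
              "$root/wp-content/uploads/2023/05"
    : > "$root/wp-content/uploads/2023/05/photo.jpg"
    chmod 666 "$root/wp-content/uploads/2023/05/photo.jpg"

    echo "World-writable before: $(count_world_writable "$root")"
    list_world_writable "$root"
    tighten_perms "$root"
    add_blank_index "$root/wp-content/uploads"
    echo "World-writable after: $(count_world_writable "$root")"
    rm -rf "$root"
}

demo
```

Run it as the owner of the web tree (or as root), and re-run `list_world_writable` after the next plugin or theme install, since those are a common way 777 directories reappear. For Apache, adding `Options -Indexes` to the uploads directory's .htaccess achieves the same listing suppression without having to seed every directory with a file.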