I had always had apache suexec turned on but did not have phpsuexec (also called cgi-mode). I turned it on and now everything works that was problematic before. For example, the uploads directory no longer needs special permissions or ownership. (755 on the dir and 644 on all files, and no need to assign ‘nobody’ as the group id)
Also, the automatic updates work with both the wordpress installation and the plugin updates. And if that’s not enough, it seems to run faster!
Why doesn’t the wordpress community recommend more strongly that you should have apache configured to run phpsuexec? Am I missing the catch-22?

I’m reviewing all my permissions, trying to make it as secure as possible without losing any core functionality. I can assure you, I’ve searched for weeks, far and wide before asking for help on this.
My key question is, many people seem to believe that it is okay to have the permissions of 777 on the /wp-content folder. Looking at all of these forum posts, there are a lot of people that use 777 because they’re told it’s what you have to do to be able to upload files, but then there are an equal number of people saying that you should only use 755 for folders at the most, and definitely avoid using 777.
This unofficial article suggests to avoid 777 on any folder with a ten foot pole, whereas the codex states that 777 is required on /wp-content to be able to upload files. It also suggests to use 777 on /wp-content here.
However, a moderator wrote a post a couple years ago stating that 755 should be the highest folder permission used! The guy (Podz) goes on to explain that:
755 can be done by hosts (my directories are all 755) that take security seriously
but doesn’t explain how it can be done. My host seems to not be able to do it for 755, even though I’ve verified with the host that ownership is me.
If 777 is a security risk, then why does the Codex state that it is a prerequisite for using WP to upload?
It would be great if someone like Podz who knows about how to get uploads to work for 755 on a host could explain what is required, then many forum posts need not be created (and would be solved). Otherwise, I will have to make my uploads folder 777 which clearly introduces security concerns.
The only other solution I found in the forum posts is the “Open_Basedir” solution, but I don’t know what relevance that has in the scheme of things. In the meantime I will check, but what I really want to know is if 777 on /wp-content is really a security threat or not.
Thanks in advance,
Tom
I know that the server uses PHPSuExec

Mainly, I cannot upload photos anymore. Whenever I try, I get the infamous “Could not create directory 07 …”
I checked my permissions and all my folders are 755. So after going back and forth with my host, I finally got the following reply.
<– Begin Quote
The error that you were getting was because the script was unable to create folder within ‘public_html/blog/wp-content/uploads/2006’. Now we have given 777 permission to folder ‘2006’ and upload works fine. As you know it is vulnerable but there are not many options to prevent this. The only thing that you can do is to change the folder permission back to 755 after uploading the images.
<– End Quote
I was under the impression that with phpsuexec, this was not necessary.
Am I being lied to or is this really the truth?
Thanks in advance for any help. I have found so much useful info in these forums and finally found reason to register!
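An added example, not part of the original posts or of WordPress itself: the script below audits a tree against the 755-directory / 644-file layout mentioned in the first post and flags the 777 case from the host's reply. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree against the 755-directories / 644-files layout.

# List every directory or file that group or other can write to.
audit_wp_perms() {
    root=$1
    find "$root" -type d -perm -002 | sed 's/^/world-writable dir:  /'
    find "$root" -type f -perm -002 | sed 's/^/world-writable file: /'
    find "$root" -type d -perm -020 ! -perm -002 | sed 's/^/group-writable dir:  /'
    find "$root" -type f -perm -020 ! -perm -002 | sed 's/^/group-writable file: /'
}

# Number of findings, usable from cron or a monitoring check.
count_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Remove group/other write only: 777 -> 755, 666 -> 644. Modes that are
# already stricter (for example a 600 file) are left untouched.
tighten_wp_perms() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# Constructed sample tree standing in for wp-content (all names illustrative).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads/2006" "$t/wp-content/themes"
    : > "$t/wp-content/uploads/2006/photo.jpg"
    : > "$t/wp-content/themes/style.css"
    : > "$t/wp-content/secret.txt"
    chmod 755 "$t/wp-content" "$t/wp-content/uploads" "$t/wp-content/themes"
    chmod 777 "$t/wp-content/uploads/2006"            # the 777 upload folder
    chmod 666 "$t/wp-content/uploads/2006/photo.jpg"
    chmod 664 "$t/wp-content/themes/style.css"
    chmod 600 "$t/wp-content/secret.txt"
    echo "$t"
}

tree=$(make_sample_tree)
echo "before: $(count_findings "$tree") finding(s)"
audit_wp_perms "$tree"
tighten_wp_perms "$tree"
echo "after:  $(count_findings "$tree") finding(s)"
rm -rf "$tree"
```

Whether uploads still work after tightening depends on PHP running as the account that owns the files, which is the situation the phpsuexec posts describe.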

This is my first WordPress installation. Great so far — except — I need to customize the images, colors, and so on and I want to redirect the public to another domain until I can finish building and clean up the construction debris.
I don’t want to be troubleshooting CSS while the site is live.
I installed WordPress to root, uploaded an HTML redirect called index.htm, and made that doc the default doc. That allows me to write posts and do a few other things while redirecting the public away. But I can only view the home page of the WordPress blog, and I can’t even upload images.
I need to make major changes to the graphic and css aspects of the theme (I know CSS and HTML, so I can do this), but I need a way to work in peace out of the public eye and test methodically as I go.
Also, it’s not fair to my client to have a half-finished “under construction” site plainly in view.
Do I need to uninstall and reinstall to a subdirectory, such as /blog?
Thanks.

PHP version 4.3.11
Apache version 1.3.33 (Unix)
phpsuexec is running somewhere
Problem:
.htaccess is not generated, written to or even seen.
What I have done:
Fresh 1.5.2 code, set .htaccess to 666, generated default permalinks. WP reports NO error, but .htaccess is not modified.
Removed the .htaccess – exactly the same thing – no error reported.
Set permissions on the .htaccess to 644, try to update and again get a success message.
Repeated all that with the latest code.
I have copied a .htaccess from the previous host and then things work – but if I add a Page, that 404’s because the .htaccess is not written to.
So without the .htaccess, it’s back to un-pretty links, but why is WP not reporting errors when it should be ?
From their support:
“runs PHP as CGI. This is a security feature called phpsuexec. You will need to check with the script maker for any support involving running their script with phpsuexec and to see if this issue (not generating a correct .htaccess file) is common on servers running phpsuexec or what other issue or feature can be causing your issue. Mod_rewrite is active on all servers”
They helpfully indicate that I might find some help for this problem in these forums
I’ve done all I know and it’s definitely this phpsuexec that is throwing the spanner in the works – what can I do / try next ?