Clarification of permissions for /wp-content folder

  • I’ve recently transferred my blog from running from a personal computer to a paid host, and for the first time am running from a *nix server.

    I’m reviewing all my permissions, trying to make it as secure as possible without losing any core functionality. I can assure you, I’ve searched for weeks, far and wide before asking for help on this.

    My key question is, many people seem to believe that it is okay to have the permissions of 777 on the /wp-content folder. Looking at all of these forum posts, there is a lot of people that use 777 because they’re told it’s what you have to do to be able to upload files, but then there are an equal number of people saying that you should only use 755 for folders at the most, and definitely avoid using 777.

    This unofficial article suggests to avoid 777 on any folder with a ten foot pole, whereas the codex states that 777 is required on /wp-content to be able to upload files. It also suggests to use 777 on /wp-content here.

    However, a moderator wrote a post a couple years ago stating that 755 should be the highest folder permission used! The guy (Podz) goes on to explain that:

    755 can be done by hosts (my directories are all 755) that take security seriously

    but doesn’t explain how it can be done. My host seems to not be able to do it for 755, even though I’ve verified with the host that ownership is me.

    If 777 is a security risk, then why does the Codex state that it is a prerequisite for using WP to upload?

    It would be great if someone like Podz who knows about how to get uploads to work for 755 on a host could explain what is required, then many forum posts need not be created (and would be solved). Otherwise, I will have to make my uploads folder 777 which is clearly introduces security concerns.

    The only other solution I found in the forum posts is the “Open_Basedir” solution, but I don’t what relevance that has in the scheme of things. In the meantime I will check, but what I really want to know is if 777 on /wp-content is really a security threat or not.

    Thanks in advance,
    Tom

Viewing 3 replies - 1 through 3 (of 3 total)

  • If 777 is a security risk, then why does the Codex state that it is a prerequisite for using WP to upload?

    Because it is a security risk. On hosts that run phpsuexec, however, its not necessary for those permissions. Whoever wrote that article (the codex is all user added content) missed that small detail.

    ..but what I really want to know is if 777 on /wp-content is really a security threat or not.

    Of course it is. any world-writable directories are a security risk, and doubly so, in a shared hosting environment.

    Thread Starter flammobammo

    (@flammobammo)

    Okay thankyou whooami, I will see about getting phpsuexec enabled on my host.

    From what you say, it seems that it is necessary then to run phpsuexec if you don’t want to compromise security of your site, and that there is no alternative to not having it enabled other than opening up your system for people to enjoy! I’ll be sure to report progress tomorrow!

    Thanks again,
    Tom

    Hi,
    And what did you achieve?
    I’m also having prolbems with uploading files and permissions.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Clarification of permissions for /wp-content folder’ is closed to new replies.