What should be the correct permission for folder

8 replies
Hi There,

I would like to know what should be the exact permissions for an upload folder in a wordpress blog. I want to allow my users to upload images, audio, etc. files. But I also want to prevent misuse of it by hackers.

Any input to solve this problem will be very helpful.

Thanks in advance for any help.
#blog #correct #folder #permission #wordpress
  • dvduval
    Most likely 700 or 777 should be okay. Keep in mind that even with 777, there still has to be an exploit in the script or server to execute malicious code. What file extensions you allow is important here. If, for example, you allowed someone to upload a javascript file, they could then run it, and exploit your server (potentially).
    Signature
    It is okay to contact me! I have been developing software since 1999, creating many popular products like phpLD.
  • HomeBizNizz
    Turn off execute, but leave only read/write on: 666
    Yes, the number of the beast.
    • NowIstheTime
      Originally Posted by giantwarrior

      Hi There,

      I would like to know what should be the exact permissions for an upload folder in a wordpress blog. I want to allow my users to upload images, audio, etc. files. But I also want to prevent misuse of it by hackers.
      Originally Posted by dvduval

      Most likely 700 or 777 should be okay. Keep in mind that even with 777, there still has to be an exploit in the script or server to execute malicious code. What file extensions you allow is important here. If, for example, you allowed someone to upload a javascript file, they could then run it, and exploit your server (potentially).
      I believe that the only way to upload something to the uploads directory would be if someone logged into wordpress. So you may want to disable users from registering on your blog.

      Also, dvduval's suggestion to only allow certain file types is very good, and it can be done via a few directives in .htaccess.

      1. Create a file called .htaccess in your uploads directory (with 644 permissions).

      2. Enter the following code to limit uploads to only a few select file extensions. You can add or remove extensions from the list below by separating each with a "|". Just be sure to follow the exact format below, as .htaccess is very picky about syntax.

      Code:
      # Deny direct access to everything in this directory, then re-allow
      # only the listed extensions. The dot is escaped (\.) so it matches
      # a literal "." and not any character. These are Apache 2.2 directives;
      # on Apache 2.4 the equivalents are "Require all denied" / "Require all granted".
      Order Allow,Deny
      Deny from all
      <Files ~ "\.(jpeg|jpg|png|gif|gz)$">
      Allow from all
      </Files>
      Also, if you happen to have a cpanel based host, you will 'likely' ONLY need 755 permissions on the uploads directory, as they 'take care of it' for you.
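The two points the replies make, keep the uploads directory at 755/644 rather than 777, and add an .htaccess that only lets the web server serve allow-listed extensions, as one script. This is an added example written for this page, not code from the thread or from WordPress; the function names, the extension allow-list, the Apache 2.4 directives in the generated .htaccess and the paths in the usage line are all assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from WordPress: audit and harden
# a WordPress uploads directory along the lines the replies recommend.
# Directories 755, files 644 (nothing world-writable, nothing executable), plus
# an .htaccess that makes Apache serve only allow-listed extensions. Function
# names, the allow-list and the Apache 2.4 syntax are assumptions.

# Extensions the site agrees to serve from uploads (constructed for this example).
ALLOWED_EXT='jpe?g|png|gif|mp3|ogg|pdf'

# Print every world-writable entry (the 777 / 666 case). Returns 1 if any exist.
check_world_writable() {
    offenders=$(find "$1" -perm -o+w)
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders"
    return 1
}

# Print files that carry an execute bit or whose extension is off the
# allow-list (case-insensitive); the .htaccess we write ourselves is exempt.
# Returns 1 if any exist. It only reports: deleting files is an operator's call.
check_file_types() {
    execs=$(find "$1" -type f ! -name .htaccess \
        \( -perm -u+x -o -perm -g+x -o -perm -o+x \))
    badext=$(find "$1" -type f ! -name .htaccess \
        | grep -Eiv '\.('"$ALLOWED_EXT"')$' || true)
    if [ -z "$execs" ] && [ -z "$badext" ]; then
        return 0
    fi
    if [ -n "$execs" ]; then printf '%s\n' "$execs"; fi
    if [ -n "$badext" ]; then printf '%s\n' "$badext"; fi
    return 1
}

# Apply the thread's recommendation: 755 on directories, 644 on files, and an
# .htaccess that denies direct access to everything except the allow-list.
harden_uploads() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    # Apache 2.4 directives; on 2.2 the equivalents are "Order Allow,Deny",
    # "Deny from all" and "Allow from all" as in the thread. (?i) makes the
    # match case-insensitive (photo.JPG is served too) and the escaped dot
    # matches a literal ".".
    cat > "$dir/.htaccess" <<EOF
# Serve only allow-listed extensions from this directory (added example).
Require all denied
<FilesMatch "(?i)\\.($ALLOWED_EXT)\$">
Require all granted
</FilesMatch>
EOF
    chmod 644 "$dir/.htaccess"
}

# Usage: sh uploads_perms.sh /path/to/wp-content/uploads [--fix]
# (path is an assumption; --fix applies the changes, otherwise it only audits)
if [ -n "$1" ]; then
    check_world_writable "$1" || echo "world-writable entries found"
    check_file_types "$1" || echo "executable or off-list files found"
    if [ "$2" = "--fix" ]; then harden_uploads "$1"; fi
fi
```

The audit functions separate the two risks the replies discuss: world-writable entries (what 777 gives everyone on the box) and files that either carry an execute bit or fall outside the allow-list. The hardening step never deletes anything, it only tightens modes and writes the .htaccess, so an off-list file that is already present keeps showing up in the audit until someone removes it. On a cPanel-style host where PHP runs as the site user, 755 on the directory is enough for WordPress to write into it, which is why the script does not loosen anything.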
  • smoke.sessions
    Hackers are always going to find new ways to hack servers, if they know what they're doing. Maybe 755 for the permissions will do good for what you need, instead of 777, which is a bit risky.
    Signature

    PM me if you need a custom WP plugin or a website built!

  • phptechie
    Never use 777 permissions for files / folders on your server.
    It's a loophole for the hacker to read / write / execute the file as an anonymous user.

    You can just give read & write permission for normal users & for the web (apache/wordpress) users you can give read/write/execute permissions.

    Particularly if you wish to give execute permission, make sure about the extension of the file & the server where the wordpress is hosted.

    If your script is hosted on windows, then 777 mode is definitely not recommended, as anonymous hackers can always execute executable / install files.

    Hope this helps.
    • chaos69
      Why not take the advice from the wordpress docs?

      Hardening WordPress - WordPress Codex
      Signature
      Best Ways To Make Money Online

      Eight bytes walk into a bar. The bartender asks, “Can I get you anything?”
      “Yeah,” reply the bytes. “Make us a double.”
      • NowIstheTime
        Originally Posted by chaos69

        Why not take the advice from the wordpress docs?

        Hardening WordPress - WordPress Codex
        I've been through this link you've given Luke, and it is excellent for most wordpress hardening tips, but is strangely MUM on the topic of the OP, other than a passing:

        "It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images."

        So the OP's doubt is... the uploads directory supposedly needs 777 permission, but how do I balance the security tradeoff?

        My answer from the above post is:
        1. If you are on a Cpanel based host, such as hostgator, hostmonster, etc. you can MOST LIKELY leave the permissions at 755, as these hosts do some "voodoo" (really, it's a technical term) behind the scenes to 'fake' 777 permissions.

        2. Even if not, you should have a .htaccess file that only allows images, etc. to be uploaded.

        Perhaps this link will provide a bit more info on why you might want to keep 755 permissions:
        Setup and secure your Wordpress upload directory | Gerry Ilagan

        But again, thanks for the link as it still contains useful info on securing the wp-admin directories etc.
        • chaos69
          Originally Posted by NowIstheTime

          "It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images."
          Indeed; however, to be fair it does suggest what should be set and has external links elsewhere which cover it in more depth, e.g.

          WordPress Security Whitepaper

          It's all very well suggesting what I think they should be, but what if this causes a problem further down the line with a plugin/theme/etc, which certainly has happened in the past.

          I do agree, however, that they should perhaps expand on that section.


          Perhaps this link will provide a bit more info on why you might want to keep 755 permissions:
          Setup and secure your Wordpress upload directory | Gerry Ilagan
          This, however, covers it all pretty much. Nice link.
          Signature
          Best Ways To Make Money Online

          Eight bytes walk into a bar. The bartender asks, “Can I get you anything?”
          “Yeah,” reply the bytes. “Make us a double.”