WordPress.org

Ready to get started?Download WordPress

Forums

Unable to create directory (6 posts)

  1. ryanward
    Member
    Posted 6 years ago #

    O.K. I can't figure this out. I'm trying to upload images to my blog and when I use the CMS and browse/upload, I get this:

    Unable to create directory /var/www/vhosts/ryanwardrealestate.com/httpdocs/WordPress/wp-content/uploads/2007/10. Is its parent directory writable by the server?

    Does that make since? I need some help here please!

  2. moshu
    Member
    Posted 6 years ago #

    Yes, it does make sense.

    As it says, the parent directory - which is wp-content/ - is not writable.
    http://codex.wordpress.org/Changing_File_Permissions

    the folder should be 777.

  3. tpleiman
    Member
    Posted 6 years ago #

    It is amazing to me that anyone would recommend setting file permissions on the "world" access section of any internet accessible directory (last 3 bits (******rwx--final "7" of the 777 attribute) to 7, making that directory and all its subdirectories world-readable, writable AND executable! You should never have to do this. The maximum permissions these directories require is 755 if ownership of these directories is set properly.

    What is confusing most people about this is that these directories, when set to the proper 755 must be writable by the owner of the web server process that is running on the installed NIX system. You need to change the owner of these directories to be the owner of that webserver process (usually "chown -R apache:apache wp-content") on most Linux systems.

    However, you can temporarily set your permissions on these directories to 777, create content in them, and then check the ownership of the directories and files that were just created within these directories to determine what user created them--e.g. "ls -l" from within the directory that was just created via the WordPress interface--directories and content within the wp-content directory.

    Once you have identified this, change the permissions on the wp-content back to 755 and do a recursive change for the ownership and permisions on that directory--e.g. "chown -R <webserviceuser>:<webserviceuser> wp-content" and "chmod -R 755 wp-content"

    If you are hosting WordPress on some provider that does not allow you to change this ownership appropriately in this fashion on your own, you should contact them to have perform these proper security steps. If they will not (it's not a matter of "can do"), then be prepared to have your content, themes, et.al. hacked. Because if you leave these directories set to 777, any joe-hacker with a minimum of skills will be able to hack your WordPress site and content. In such a scenario, it would be wise to get yourself a different ISP for hosting your site.

    Thanks!
    Tim Pleiman
    Senior Systems Engineer
    Bravo Systems Technologies
    "Advanced Open Source Solutions for Business"
    Chicago, IL USA

  4. arminbw
    Member
    Posted 6 years ago #

    Just two notes:

    1. if php safe mode is turned on, changing ownership will not help, if you want to use "organize my uploads into month- and year-based folders". See: http://wordpress.org/support/topic/180378

    2. if apache (or www-data) is owning your upload folder, does it really increase security? What about other users writing php code?

    G,
    Armin

  5. aaron1728
    Member
    Posted 5 years ago #

    Hate to quibble, Moshu, but "the folder should be 777" is more accurately stated as "the folder must be 777".

    WP should figure out how not to force any directory or file to be 777 so that some hacker could insert cuckoo's eggs to be exploited later.

  6. tpleiman
    Member
    Posted 5 years ago #

    For both of these most recent replies, the correct answer is to get WordPress working with your content directories and file permissions set to 755. You need to get your permissions set on these directories so that they are not world-writable, making changes to php.ini* and ownership as appropriate. Setting the ownership of the files to belong to another secured owner does provide the security of that owner's process. Unless apache or php is hijacked via some flaw within the apache or php process, your files will be secured.

    You can't prevent hackers from going to the extreme to figure out ways to hack anything, but you and/or your ISP can implement sensible security protocols. Setting permissions on content folders to 777 is senseless.

    WordPress provides instructions to get you up and running with common hosting configurations, and hosting providers are often inadequate in their setups and support. Hence all the repeated bad advice to leave content directories unprotected and open to public change via a UNIX permissions setting of 777.

    *Note: ISPs often have safe mode turned-on globally for their servers for security reasons, but it can and often should be turned off on a per-site basis for script applications that need it. The security reasons for using this and the safe mode directive itself have been completely removed from PHP as of PHP6. Your ISP should be able to work with you to set the best balance of safety and security for their servers and your sites. There are a variety of safe_mode directives that can be manipulated with Virtual Hosts to provide optimum flexibility/safety on a case-by-case basis for their customers' sites/directories. Find an ISP that has a strong working knowledge of Open Source security issues and is willing to work with you to secure your site optimally.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.