WordPress.org

Forums

Are Directories with Permissions 777 Unsafe? (5 posts)

  1. scottmackenzie
    Member
    Posted 3 years ago #

    Hi there.

    I received an email from my hosting provider saying that the wp-content/uploads directory and subs are set to 777 and indicating that this is a security issue. It recommended changing the permissions to 755.

    I note that the subdirectories WP creates automatically when it uploads media for me are also set to 777.

    Is this a security issue? What are the ramifications of this?

    Some background, only if you’re interested!: I made a little blog last year for travelling. While we were away it was hacked such that when we looked at it one morning it had all sorts of crap across it. I fixed it (maybe?) by changing the theme, deleting the users, deleting the old theme files... I was posting to it from the WP app on an iPad over 3G networks in the places we visited. Travelling again soon and hope it won’t happen again. I don’t know if this is related to my question.

    Thanks for your time.
    Scott

  2. esmi
    Forum Moderator
    Posted 3 years ago #

    > Is this a security issue? What are the ramifications of this?

    That tends to be host/server specific. Certainly it should be avoided if at all possible. Try changing the permissions on the wp-content directory to 766. If you still have problems, try 767, 775 or 777. Once your uploads are working, change the permissions on wp-content back to 755 again and check that everything still works OK.

    > I fixed it (maybe?)

    Maybe is right. See:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/

    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  3. scottmackenzie
    Member
    Posted 3 years ago #

    Thanks for such a quick reply.

    I ask the following question in an attempt to understand the issues—If this is unsafe why is this the default behaviour of WordPress?

    I have changed uploads to 755 but it contains the actual content folders numbered by year which contains folders numbered by month which contain the images uploaded. I seem to still be able to post after also changing these folders to 755. Will I still be able to post come the first of next month when it tries to create a new folder for the month?

    Scott

  4. 755 should be just fine for next month's posts -- it means that the owner of the folder (which may be the webserver itself, depending on how your host sets things up) can write to the folder, but others cannot.

  5. esmi
    Forum Moderator
    Posted 3 years ago #

    > If this is unsafe why is this the default behaviour of WordPress?

    WordPress doesn't have "default behaviour" when it comes to file & folder permissions. That depends upon your hosts.
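
Added example, not part of the thread or of WordPress itself: a shell audit that lists directories in an uploads tree writable by "other" (777 and similar modes), resets them to 755, and checks the ownership condition that decides whether uploads keep working at 755. The function names, the example path and the web server account `www-data` are assumptions.

```shell
#!/bin/sh
# Added example: audit wp-content/uploads for world-writable directories.
# Usage (path and user are assumptions; substitute your own):
#   sh audit_uploads.sh /var/www/site/wp-content/uploads www-data

# Print every directory under $1 whose "other" write bit is set
# (matches 777, 757, 773, ...). Files are ignored.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Reset only those directories to 755 (rwxr-xr-x); files are left untouched.
tighten_dirs() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Succeed if directory $1 is owned by user $2 (name or numeric uid).
# At 755 only the owner can create the next year/month folder, so
# uploads keep working only if the account that runs PHP is the owner.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# Report-only run when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    root=$1
    web_user=${2:-www-data}   # assumed default; varies by host
    echo "World-writable directories under $root:"
    list_world_writable_dirs "$root"
    if owned_by "$root" "$web_user"; then
        echo "$root is owned by $web_user: 755 still allows uploads."
    else
        echo "$root is not owned by $web_user: uploads may fail at 755;"
        echo "ask the host how PHP runs before changing modes."
    fi
fi
```

The command-line run only reports; call `tighten_dirs` yourself once the ownership check passes.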
