How can I upload media without setting directory permissions to 777?

I am having a problem with a new WordPress installation that I have not experienced before. I cannot upload media (or make a backup using BackWPup for instance) unless I chmod the parent directory for the new files to 777 (which I believe is insecure). As I understand it this means that WordPress is not running as Owner or Group user as it should be. The FTP account that I used to install is the 'Owner' account and the host company say that it has full permissions. Is there something I should be doing to somehow make WordPress run as the Owner?

  • faydra_deon

    Hello, houfton:

    Something quick to try, which sometimes works for me, is going to Settings > Permalinks and just clicking "Save Changes," even if I don't change anything.

    Another thing that's quick is deleting the wp-config.php file, going back to your domain and re-entering the database name, password, etc. It'll tell you that WordPress is already installed and you'll be back where you started, and it will have righted whatever glitch was there.

    You're right. 777 leaves you wide open to hackers, and it is extremely insecure.

    Faydra...

  • Alexander

    Hey there,

    Deleting the wp-config.php file won't do anything to correct your file permissions. It's useful if you need to change your database password though.

    Instead of 777, you'll want to use 755, or even 750 (more secure) You can find more about the permissions needed for WordPress here: http://codex.wordpress.org/Hardening_WordPress

    If this doesn't work, you might need to change the file ownership for these wordpress files.

    Best regards,

  • houfton

    Thank you Faydra
    The first thing did not work I am afraid.
    So I tried deleting and re-creating the wp-config.php but it ironically said "Sorry, but I can’t write the wp-config.php file." So I followed the instructions and manually created it and got the "You appear to have already installed WordPress" message like you predicted. But still no luck with uploading media to a 775 directory.
    The codex says this:

    "Any file that needs write access from WordPress should be owned or group-owned by the user account used by the WordPress (which may be different than the server account). For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup, such as dhapache or nobody. If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access."

    But I am not exactly sure what that means.

  • houfton

    Alexander
    If I uploaded the WordPress files using the main FTP account (as seen listed in Get Info as 'Owner') does that not mean that I / the WordPress installation own the files? If not, how would I change ownership?
    I suspect that the server is set up somehow so that I am not actually the owner - perhaps the 'dhapache' or 'nobody' mentioned in the codex above are - but I do not know what to do about it.

  • Alexander

    Hi @houfton,

    I'm sorry for the delay here. You might be the owner, but if the web process does not have access to those files, it can change how permissions need to be setup. If you need 777 for everything to work, it sounds like the web process is neither the owner or part of the group the file owner belongs to.

    I would advise getting in touch with your webhost, or whoever has full admin rights to the server so they can repair this.

    If you do have root access, I could take a look for you if you want to send me SSH credentials. You can do this via our contact form: https://premium.wpmudev.org/contact/
    - Choose "I have a different question"
    - Include my name in the subject "Alexander Rohmann"
    - Include a link back to this thread
    - Include any relevant login information

    Best regards,

  • Alexander

    Hi @houfton,

    Glad I could help. Let me know if you have any other questions. To elaborate on my previous explaination in case it helps:

    The "web process" would be apache. (or maybe nginx) It runs as a specific user. This user is often called "www-data" but can vary depending on the server environment.

    Each user is also part of a group. If a server doesn't really need multiple users, sometimes the username will also be the group name.

    So you might have username:group look like this -> www-data:www-data

    If "owner" truly owns the files, and www-data is not a part of the owners group, you can run into all kinds of permission issues.

    Best regards,

  • houfton

    Alexander,

    Thank you. As it happens the client has just rung and the problem seems to have been sorted by the host.

    Looking at Get Info in my FTP client (Fetch) the files and directories within wp-content/uploads now have Owner: www-data, Group: www-data like you describe, and I am able to upload Media and make backups.

    Other directories still have the original Owner / Group which is strange but, as long as it is working, I am happy.

    Thanks again.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.