Permissions changed on the server

So my website was working, but suddenly I started getting errors saying no one could upload images. I did some poking around and the common solution is to change the upload folder to 777. That works if the folder is on the lowest level, but it is also an unacceptable security risk. It also doesn't help when the next month rolls around, or any time we get a new user who needs a new upload folder.

After a bit more poking, I realise that while all the folders are owned by my FTP user, and that's what WordPress has been operating as most of the time, now it's uploading files owned by dhapache instead. That's why it needed world access to be able to upload photos.

Reading further, it says it's something my hosting company needs to fix, but it seems they are a bit useless - the email I got back made it pretty clear the guy didn't even understand the problem I was describing.

So, does anyone know any way I can change which user WordPress is operating under, without having to get my host to do it? I am on a VPS and I have root access.

I am very close to just switching hosts, but when I tried to export my database, that didn't work either, so moving may be an issue.

  • Philip John


    Okay you don't need 777 - I think you can do with 766 which is less of a risk.

    The other issue concerning the owner/group of the files is something I have direct experience of. Am I correct in assuming that WordPress is creating new year/month upload folders but they do not have the same owner/group as the uploads folder?

    In my case I couldn't find the cause and the hosts (I'm also on a VPS) weren't much help so I ended up creating month folders for all sites in my network manually. As soon as the new year rolls around I'll have the problem again!

    I will ask some of the other guys to come in and add any thoughts they have on what might be causing this so we can troubleshoot.


  • Ovidiu

    It depends on how your webserver is running: is it running Apache as mod_php, suPHP or FastCGI?

    i.e. if you are running FastCGI you would not have to make it world writable; writable by user or group should be enough... The needed rights depend on your configuration of Apache, assuming you run Apache :)

    Find out what solution is running on your vhost!

    mod_php means all "clients" are running their sites with the same user, i.e. apache2 is running as www-data and that is it... so if this was shared hosting I'd call it unsafe :) Since it's your own vhost it's not a problem, and it's really fast.

    suPhp: not that fast but secure, each vhost runs under a different user

    fastCGI: fast and secure.

    here is some more info I got from Howtoforge:

    So basically the decision is: if a site is low traffic, use suphp. suphp spawns a new cgi process for every page request, but it does not use resources when no pages are requested. With fastcgi, on the other hand, the php processes are running permanently even if no page is requested; this is faster and fine for a high traffic site, but for a small homepage with 100 pageviews per hour you would waste resources.
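
A read-only audit of the situation discussed in this thread, as an added example that is not part of any poster's reply: it lists which accounts the web server and PHP workers run as, then flags upload entries that are world-writable or not owned by the expected account. The function names, the process-name list and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; function names and the process-name list are assumptions.

# web_users: read "USER COMMAND" lines on stdin (the output format of
# `ps -eo user=,comm=`) and print each account that runs a web server
# or PHP worker process, one per line, without duplicates.
web_users() {
    awk '$2 ~ /^(apache2|httpd|php-cgi|php-fpm[0-9.]*)$/ { print $1 }' | sort -u
}

# audit_uploads DIR OWNER: print one finding per line; changes nothing.
# OWNER may be an account name or a numeric uid.
audit_uploads() {
    dir=$1
    owner=$2
    # o+w bit set on a file or directory: the result of a chmod 777 workaround.
    find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
    # Entries created by an account other than the one that owns the tree,
    # e.g. month folders made by the web server user instead of the FTP user.
    find "$dir" ! -user "$owner" -print | sed 's/^/OWNER_MISMATCH /'
}

# Usage (hypothetical path and account): sh audit.sh /var/www/wp-content/uploads ftpuser
if [ "$#" -eq 2 ]; then
    ps -eo user=,comm= | web_users
    audit_uploads "$1" "$2"
fi
```

If the accounts printed by `web_users` differ from the owner of the uploads tree, the `OWNER_MISMATCH` lines show exactly which folders were created under the other account.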
