File permissions for upload folders specifically Wordpress

Discussion in 'Security' started by Michael T, Apr 18, 2013.

  1. Michael T

    Michael T New Member

    Hello,

    It seems this new part of the forum opened just in time for me. :) I recently migrated my Wordpress sites to my KnownHost servers. For some reason I have to change the file permissions of mydomain/wp-content/uploads to 777 to get uploads to work on my sites, to add images and such. Before I moved my sites it worked with file permission 755.

    Obviously I do not want this for security reasons. Before the migration my sites did not require this and worked with the 755 file permission. I'm wondering if it has something to do with my server configuration. For the time being I added this to an .htaccess file inside my uploads folder.

    Code:
    # secure uploads directory
    <Files ~ ".*\..*">
        Order Allow,Deny
        Deny from all
    </Files>
    <FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff)$">
        Order Deny,Allow
        Allow from all
    </FilesMatch>
    Is that secure? With that code I thought it would limit the uploads folder to only allow image files. Also in the uploads folder Wordpress makes directories for images by year and month. Would I need to make an .htaccess file with the same code for each of these folders?

    If there is a change I can make on my server to allow the uploads from my Wordpress site but keep the file permissions to 755 that would be the best option for me.
     
  2. KH-DanielP

    KH-DanielP KH-COO Staff Member

    Michael,

    Thanks for the post.

    These permissions are needed because by default our VPSs are configured to run PHP under the DSO handler; while this method is faster, it is a little less secure and requires a bit of extra tweaking.

    That .htaccess will work perfectly, as it will prevent any PHP script, if one does get uploaded, from executing.

    If you want, we can also swap your server over to use either SuPHP or FastCGI to execute PHP scripts. This will bring everything back in line with your previous host in regards to permissions and security, as both execute the scripts under your username rather than the Apache username.

    Hope this helps.
     
  3. Michael T

    Michael T New Member

    Thanks for the quick reply Daniel. I pretty much understand what you shared, aside from which method is the most secure. I get the impression that the .htaccess method is pretty secure, but I am uncertain if I would need to put this file in all the subdirectories of the upload folder as well.

    If switching to SuPHP or FastCGI is more secure and works with the 755 permissions I would want to go that route. Also I would like to keep in mind which method is faster as far as site processing and minimizing the load on my server. The most secure method is the way I want to go :)

    I'm sorry to have all these questions but it has been about 10 years since I have used a host that allows me to manage all these settings myself.

    Best regards,

    Michael
     
  4. KH-DanielP

    KH-DanielP KH-COO Staff Member

    Michael,

    Of course each is only one part of maintaining a secured site, which includes being careful about what plugins are used and making sure to be running the latest version of WP, themes and plugins.

    Out of the three the .htaccess would be the least secure, and both SuPHP and FastCGI would rank equal in the additional security they provide.

    They won't prevent a site from being hacked, but they help to limit any damage that may be caused, as they execute scripts as the user, which generally limits where files can be injected and placed and what can be done with a file once it is executed.

    With regards to performance, SuPHP is more CPU intensive and FastCGI is more memory intensive, so they each have a trade-off in that regard.

    I'm personally a fan of SuPHP for simpler installs that may not need as much configuration tweaking. FastCGI has a ton of variables that can be configured that could affect how a website performs, whereas SuPHP is more of a plug-n-play type application; I've never really seen any issues from SuPHP, versus sometimes having to tweak a FastCGI install.

    If you would like for us to switch you to one of these just simply toss a support ticket and one of the techs will take care of that for you.
     
  5. Michael T

    Michael T New Member

    Thanks, it sounds like SuPHP is the way I want to go. I've also noticed that the onsite editor (for editing footer files and such) will only let me do so if I set that particular file to 777, edit it and then change it back. While it works, it kind of limits some of the functions of Wordpress to change things on the fly. I will submit a ticket.

    Thanks again for your help. Hopefully this post will help some others that use Wordpress and run across the same question.
     
  6. KH-DanielP

    KH-DanielP KH-COO Staff Member

    Michael,

    Not a problem at all.

    Yes, you're correct about the editor: unless the files are at minimum 766 (although 777 is more common) the editor won't be able to modify them, as Apache under DSO executes all its commands as the user "nobody".

    SuPHP, since it will execute the script as your "username", will be able to edit even the 644 files, as that only allows the owner to edit/modify them.

    Thanks for posting in the security section; it's our goal over time to build this area into a good resource for our customers to help keep things secured and generate fewer abuse tickets :)
     
  7. Michael T

    Michael T New Member

    Actually I think it might help several Wordpress users. I have seen a lot of Wordpress users start setting all sorts of folders to 777 and if the wrong person finds that, the owner of the site is going to get creamed. That is one of my only issues with Wordpress CMS because I feel by default some of the folders and files auto install with weak security when it comes to permissions. I usually change as many file permissions as I can to a more secure setting that will still have the site work.

    Ticket submitted and I'm ready to rock my sites with more security and for me peace of mind. :)
     
  8. KH-DanielP

    KH-DanielP KH-COO Staff Member

    Michael,

    You're very correct, I was just helping one of our techs with a similar ticket. But don't forget the most important factor for site security is updates, updates, updates.
     
  9. Michael T

    Michael T New Member

    I agree. I keep everything updated including plugins. I limit my plugins as much as possible for both security and to reduce the load on my server. I usually do a lot of research before I install a plugin to see what others are saying about security. I get a bit paranoid and I usually inspect the plugin files for anything fishy. After installation I also look at my database files to see what the plugin modified. I know, probably overkill.
     
  10. KH-DanielP

    KH-DanielP KH-COO Staff Member

    One plugin I really like is this one:

    http://wordpress.org/extend/plugins/avh-first-defense-against-spam/

    It uses the http://www.stopforumspam.com database and checks your visitors against it before even allowing the site to load. I know that does add a bit to the load time, but one thing we see a lot of is comment/link spam by automatic bot networks. Those networks can bring a site to a crawl in a matter of minutes, and by the time the alarm bells go off they are gone.

    That actually sounds like a good topic to write about. I think I shall commence work on that shortly :)
     
  11. Michael T

    Michael T New Member

    I've never seen that one. I'm checking it out now. I've been using the Akismet plugin and it seems to do a pretty good job at just putting spam into the garbage. Looking at AVH, it appears that the plugin goes one step further, if I am reading it properly, and blocks the spam before they can even push the comment through. I have a site that gets nailed by spam like crazy, I mean over 50 spam comments a day. Akismet dumps most of them in the spam folder, but I'll switch it to AVH to see how it works.

    Thanks for the suggestion.
     
  12. Tony Hunt

    Tony Hunt New Member

    @Michael AVH is really good, you can also use AntiSpam-Bee, they tie their blacklist in with a pretty nice UK blacklist AND the really cool part is you can block/allow traffic by country code. I have a lot of clients that simply don't do any business or offer services outside their own country and this is ten times easier than an allow-only htaccess file ;)
     
  13. JenniferEklund

    JenniferEklund New Member

    I was having this exact same problem and was able to reference this thread to the support team and we got it fixed really quickly. Thanks for starting this conversation -- I imagine this is a topic that will come up often for a lot of people with Wordpress sites. ~Jen
     
  14. Gimpy

    Gimpy Member

    Thanks for this thread. I just uploaded my WP site and I'm sure I'll have the same kinds of problems.

    I rarely use the built-in editor, though, as I prefer to just use the FireFTP add-on for Firefox and edit that way. It makes backing up the files and backing out of my edits a bit easier. I'll submit a ticket to move to SuPHP, as well.

    Thanks again!
     
  15. Dan

    Dan Moderator

    Morning Gimpy,

    Switching to SuPHP is really pretty easy. In WHM under Service Configuration go to Configure PHP and suEXEC. Once there simply select the PHP 5 handler you want and turn suEXEC on or off (I have mine on) then click to save the new configuration and you should be good to go.

    Hope that helps!
     
  16. Gimpy

    Gimpy Member

    I submitted a support ticket to have this done just before migrating over my WP site but I'll take a look at that and note it for future reference. I'm hoping I won't run into any issues with PHP versions when I migrate over my phpBB board. I think I should be OK.

    Thanks Dan.
     
  17. Tigi

    Tigi New Member

    I'm also running a WordPress site and encountered the same problem as mentioned here.
    I tried changing my PHP from DSO to suPHP and ended up with an 'internal error 500'.

    So I switched back to DSO, searched further and found a working solution by changing the owner of the particular folders to 'nobody'.
    Below are the instructions on how to do it.

    1. SSH to your server with Putty (port 2200, ssh auth using a private key, login with username and password for the private key)
    (If you haven't used ssh to your server, login to WHM, go to 'SSH password Authorization Tweak' and select 'disable', go to 'manage roots ssh keys' and generate a new key, download the private key and select it in Putty -> ssh -> auth -> private key file for authentication.)

    2. Navigate to the folder 'uploads' (Root -> home -> username (change to your situation) -> public_html -> wp-content -> cache & uploads)

    Using the commands
    cd ..
    cd home
    cd username
    cd public_html
    cd wp-content

    3. Not a necessary step, but this gives a list of the folder's contents with the current owner name
    ls -la && id

    4. Change the owner of the folder 'uploads' and 'cache' recursively to 99 (aka nobody)
    chown -R 99 uploads/
    chown -R 99 cache/

    5. Check the result
    ls -la && id

    Uploads from WordPress will now work like a charm.

    Warning: Keep the permission of the folders to 755 and files 644, never change them to 777 for security reasons.

    Hope this helps others.

    I don't know if this solution is safer than switching to suPHP or .htaccess, so comments are welcome.
     
  18. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    I'd recommend switching to suPHP. The reason you were facing "Internal server error 500" is file permissions/ownership. When switching to suPHP, all ownership must be updated to user:user and all permissions must be set to 644 for files and 755 for folders.

    We have a script that can do this for you, you just need to open up a support ticket :)
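    An added example, not KnownHost's script or anything posted in this thread: a small POSIX shell audit for the state post #18 says suPHP needs (owner user:user, directories 755, files 644), which also flags the "owned by nobody" leftovers from the chown -R 99 workaround in post #17. The document root path and the account username are assumed arguments.

```shell
#!/bin/sh
# Audit a WordPress tree for suPHP-ready permissions and ownership.
# ROOT and USER are assumed arguments, e.g. /home/username/public_html
# and username; nothing is changed unless wp_perm_fix is called.

# List every directory that is not 755 and every file that is not 644
# (a 777 uploads folder, or a footer.php left at 777 after an editor session).
wp_perm_audit() {
    root=$1
    find "$root" -type d ! -perm 755 -exec ls -ld {} \;
    find "$root" -type f ! -perm 644 -exec ls -l {} \;
}

# Number of entries the audit would list; 0 means the tree is suPHP-ready.
wp_perm_count() {
    root=$1
    dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    files=$(find "$root" -type f ! -perm 644 | wc -l)
    echo $((dirs + files))
}

# Number of entries not owned by the account user, e.g. folders chowned to
# uid 99 (nobody) under DSO that would break under suPHP.
wp_owner_count() {
    root=$1
    user=$2
    find "$root" ! -user "$user" | wc -l
}

# Apply the target state: 755 directories, 644 files, user:user ownership.
# chmod runs as whoever owns the files; the chown back to user:user only
# works as root, so it is skipped (and reported) otherwise.
wp_perm_fix() {
    root=$1
    user=$2
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$user" "$root"
    else
        echo "not root: run 'chown -R $user:$user $root' as root" >&2
    fi
}

# Usage: wp_perm_audit /home/username/public_html
#        wp_perm_fix   /home/username/public_html username
```

Run the audit before and after the switch to suPHP; a non-zero count from either function is the kind of leftover that produces the "Internal server error 500" described above.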
     
  19. Tigi

    Tigi New Member

    Thank you for the information and prompt reply on my message!
    I've opened a support ticket to make the switch to suPHP.

    suPHP is indeed safer than DSO; the only downside is it consumes more memory.
     
  20. Gimpy

    Gimpy Member

    Just for the record, after migrating to KH, I submitted a ticket requesting that support switch me to suPHP. After ensuring the folder permissions were set properly, Wordpress has worked perfectly.
     