Share

Question

i can’t upload images in wordpress after updating theme
i can upload images on wordpress only when i give access to the whole document root.
sudo chown -R www-data /var/www/html
with the older theme it works fine. i already had this issue and i fix by

sudo chmod g+w /var/www/html/wp-content
sudo chmod -R g+w /var/www/html/wp-content/themes
sudo chmod -R g+w /var/www/html/wp-content/plugins
sudo chmod -R g+w /var/www/html/wp-content/uploads

Answer 1

hansen May 10, 2017

Hi @abderbij

You’re chmod'ing with group rights, but you haven’t set the group with chown.

Run this to set user and group recursively on the web directory:

sudo chown -R www-data:www-data /var/www/html

Reply Report

hansen May 10, 2017

@abderbij
By the way, you might want to reset the chmod too:

sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;

Reply Report

abderbij May 10, 2017

works fine , but isnt risky? i think should be sudo chown -R root /var/www/html
Reply Report
- hansen May 10, 2017
  
  @abderbij
  
  If you’re looking for hardening, then yes, it’s suggested to run the entire WordPress folder with different user than used by PHP/Apache.
  https://codex.wordpress.org/Hardening_WordPress
  
  But then you need to set wp-content/uploads/ to be owned by the PHP/Apache user - but same goes for several other directories under wp-content/, since otherwise you won’t be able to update plugins/themes.
  
  Reply Report
- hansen May 10, 2017
  
  @abderbij
  Ohh by the way, if you don’t run the WordPress system with a user that can update the WordPress core, then you won’t be able to update WordPress unless doing it manually - and you won’t automatically be upgraded with the security updates, which does much more for security than what you’re trying to do.
  
  Reply Report

Answer 2

hansen May 10, 2017

@abderbij
By the way, you might want to reset the chmod too:

sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;

Reply Report

abderbij May 10, 2017

works fine , but isnt risky? i think should be sudo chown -R root /var/www/html
Reply Report
- hansen May 10, 2017
  
  @abderbij
  
  If you’re looking for hardening, then yes, it’s suggested to run the entire WordPress folder with different user than used by PHP/Apache.
  https://codex.wordpress.org/Hardening_WordPress
  
  But then you need to set wp-content/uploads/ to be owned by the PHP/Apache user - but same goes for several other directories under wp-content/, since otherwise you won’t be able to update plugins/themes.
  
  Reply Report
- hansen May 10, 2017
  
  @abderbij
  Ohh by the way, if you don’t run the WordPress system with a user that can update the WordPress core, then you won’t be able to update WordPress unless doing it manually - and you won’t automatically be upgraded with the security updates, which does much more for security than what you’re trying to do.
  
  Reply Report

Answer 3

abderbij May 10, 2017

yes exactly , please let me know how to make uploads dir owned by apache .
thanks for your time!

Reply Report

hansen May 10, 2017
@abderbij
This makes the uploads folder owned by the default user/group of Apache/PHP.

sudo chown -R www-data:www-data /var/www/html/wp-content/uploads

I would highly recommend not disabling the automatic updates - they’re important.
There are many other places to add more security and that are much more vulnerable - i.e. protecting against brute-force logins.
Reply Report
- abderbij May 10, 2017
  
  thank you very much!
  
  Reply Report

Answer 4

hansen May 10, 2017
@abderbij
This makes the uploads folder owned by the default user/group of Apache/PHP.

sudo chown -R www-data:www-data /var/www/html/wp-content/uploads

I would highly recommend not disabling the automatic updates - they’re important.
There are many other places to add more security and that are much more vulnerable - i.e. protecting against brute-force logins.
Reply Report
- abderbij May 10, 2017
  
  thank you very much!
  
  Reply Report

Answer 5

abderbij May 10, 2017

i was updating wp just like what is mentioned here : https://www.digitalocean.com/community/tutorials/how-to-install-wordpress-with-lamp-on-ubuntu-16-04

When an update becomes available, log back into your server as your sudo user. Temporarily give the web server process access to the whole document root:

sudo chown -R www-data /var/www/html
Now, go back the WordPress administration panel and apply the update.

When you are finished, lock the permissions down again for security:

sudo chown -R sammy /var/www/html
This should only be necessary when applying upgrades to WordPress itself.

How To Install WordPress with LAMP on Ubuntu 16.04

by Justin Ellingwood

WordPress is the most popular CMS (content management system) on the internet. It allows you to easily set up flexible blogs and websites on top of a MySQL backend with PHP processing. WordPress has seen incredible adoption and is a great choice for getting a website up and...

Reply Report

Answer 6

jtittle1 May 10, 2017

@abderbij

Generally, when setting up directory structure, everything other than the public directory should be owned by root – the rest by the user and group that needs read/write access.

For example, if you’re using /var/www/html, then both /var and /var/www should be owned by root and /var/www/html should be owned by www-data (in your case).

Normally I shy away from using /var and stick with /home and create individual directories for each user and site.

For example:

/home/sammy/htdocs/public

In the above, /home should already be owned by root (by default) and /home/sammy should as well. Beyond that, /home/sammy/htdocs and down is owned by sammy – all files and directories.

All files are chmod 644 and all directories are at max chmod 755 with some limited to 750.

You can, of course, further lock down permissions, though you have to be careful.

This is one reason why I use NGINX and PHP-FPM over Apache and mod_php. Instead of Apache and a single user (in most default configurations), NGINX runs as one user (normally nginx) and separate pool files are setup for each PHP-FPM instance, thus preventing a single user from needing to own all files and directories.

All users are basic users with only the permissions they need (which is normally SFTP access at most) and nothing more. They can’t login to shell (via SSH) – only SFTP. The root user owns the base directories and the user:group that PHP-FPM is running as owns the rest (the public-facing directories).

Reply Report

abderbij May 10, 2017

still same problem :’(, btw im the only who has sftp and ssh acces and just for 1 wordpress website
Reply Report
abderbij May 10, 2017

its works fine now!
but there is no risk ?
i mean i have only one website and im the only who have access to sftp and ssh
Reply Report
- jtittle1 May 11, 2017
  
  @abderbij
  
  Permissions for files and directories are just one of many things when it comes to security.
  
  There’s really no risk in the user and group owning the core directories – that’s a standard setup for many servers as it prevents the need for higher level permissions such as chmod 777 (world read, write, execute), which is a security issue.
  
  The root user should always own the home directory, whether it’s /var or /home. It should also own the base user directory, whether it’s /var/www or /home/user. Beyond that, it all depends on what kind of access you need to grant.
  
  For a public facing website, running with the setup I mentioned above is pretty much what the majority of sites run with unless there’s a true need to further restrict.
  
  Reply Report
  
  abderbij May 11, 2017
  
  thank you very! much,this is exactly what i want to know.
  
  Reply Report

Answer 7

abderbij May 10, 2017

still same problem :’(, btw im the only who has sftp and ssh acces and just for 1 wordpress website
Reply Report
abderbij May 10, 2017

its works fine now!
but there is no risk ?
i mean i have only one website and im the only who have access to sftp and ssh
Reply Report
- jtittle1 May 11, 2017
  
  @abderbij
  
  Permissions for files and directories are just one of many things when it comes to security.
  
  There’s really no risk in the user and group owning the core directories – that’s a standard setup for many servers as it prevents the need for higher level permissions such as chmod 777 (world read, write, execute), which is a security issue.
  
  The root user should always own the home directory, whether it’s /var or /home. It should also own the base user directory, whether it’s /var/www or /home/user. Beyond that, it all depends on what kind of access you need to grant.
  
  For a public facing website, running with the setup I mentioned above is pretty much what the majority of sites run with unless there’s a true need to further restrict.
  
  Reply Report
  
  abderbij May 11, 2017
  
  thank you very! much,this is exactly what i want to know.
  
  Reply Report

Question

i can upload images on wordpress only when i give access to the whole document root

Leave a comment

Looking for something else?

Share

Share your Question

Question

i can upload images on wordpress only when i give access to the whole document root

Leave a comment

Related

question

404 when using pretty permalinks on new WordPress site on LEMP/nginx

question

Lost access to my wordpress site

question

Signed URLs for private objects in Spaces

question

How to connect to a remote Microsoft SQL server

Looking for something else?

Almost there!