i can upload images on wordpress only when i give access to the whole document root

Posted May 10, 2017 6.5k views
WordPressLAMP StackLinux CommandsUbuntu 16.04

i can’t upload images in wordpress after updating theme
i can upload images on wordpress only when i give access to the whole document root.
sudo chown -R www-data /var/www/html
with the older theme it works fine. i already had this issue and i fix by

sudo chmod g+w /var/www/html/wp-content
sudo chmod -R g+w /var/www/html/wp-content/themes
sudo chmod -R g+w /var/www/html/wp-content/plugins
sudo chmod -R g+w /var/www/html/wp-content/uploads

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
4 answers

Hi @abderbij

You’re chmod'ing with group rights, but you haven’t set the group with chown.

Run this to set user and group recursively on the web directory:

sudo chown -R www-data:www-data /var/www/html
  • @abderbij
    By the way, you might want to reset the chmod too:

    sudo find /var/www/html -type d -exec chmod 755 {} \;
    sudo find /var/www/html -type f -exec chmod 644 {} \;
  • works fine , but isnt risky? i think should be sudo chown -R root /var/www/html

    • @abderbij

      If you’re looking for hardening, then yes, it’s suggested to run the entire WordPress folder with different user than used by PHP/Apache.

      But then you need to set wp-content/uploads/ to be owned by the PHP/Apache user - but same goes for several other directories under wp-content/, since otherwise you won’t be able to update plugins/themes.

    • @abderbij
      Ohh by the way, if you don’t run the WordPress system with a user that can update the WordPress core, then you won’t be able to update WordPress unless doing it manually - and you won’t automatically be upgraded with the security updates, which does much more for security than what you’re trying to do.

yes exactly , please let me know how to make uploads dir owned by apache .
thanks for your time!

  • @abderbij
    This makes the uploads folder owned by the default user/group of Apache/PHP.

    sudo chown -R www-data:www-data /var/www/html/wp-content/uploads

    I would highly recommend not disabling the automatic updates - they’re important.
    There are many other places to add more security and that are much more vulnerable - i.e. protecting against brute-force logins.

i was updating wp just like what is mentioned here :

When an update becomes available, log back into your server as your sudo user. Temporarily give the web server process access to the whole document root:

sudo chown -R www-data /var/www/html
Now, go back the WordPress administration panel and apply the update.

When you are finished, lock the permissions down again for security:

sudo chown -R sammy /var/www/html
This should only be necessary when applying upgrades to WordPress itself.

by Justin Ellingwood
WordPress is the most popular CMS (content management system) on the internet. It allows you to easily set up flexible blogs and websites on top of a MySQL backend with PHP processing. WordPress has seen incredible adoption and is a great choice for getting a website up and...


Generally, when setting up directory structure, everything other than the public directory should be owned by root – the rest by the user and group that needs read/write access.

For example, if you’re using /var/www/html, then both /var and /var/www should be owned by root and /var/www/html should be owned by www-data (in your case).

Normally I shy away from using /var and stick with /home and create individual directories for each user and site.

For example:


In the above, /home should already be owned by root (by default) and /home/sammy should as well. Beyond that, /home/sammy/htdocs and down is owned by sammy – all files and directories.

All files are chmod 644 and all directories are at max chmod 755 with some limited to 750.

You can, of course, further lock down permissions, though you have to be careful.

This is one reason why I use NGINX and PHP-FPM over Apache and mod_php. Instead of Apache and a single user (in most default configurations), NGINX runs as one user (normally nginx) and separate pool files are setup for each PHP-FPM instance, thus preventing a single user from needing to own all files and directories.

All users are basic users with only the permissions they need (which is normally SFTP access at most) and nothing more. They can’t login to shell (via SSH) – only SFTP. The root user owns the base directories and the user:group that PHP-FPM is running as owns the rest (the public-facing directories).

  • still same problem :’(, btw im the only who has sftp and ssh acces and just for 1 wordpress website

  • its works fine now!
    but there is no risk ?
    i mean i have only one website and im the only who have access to sftp and ssh

    • @abderbij

      Permissions for files and directories are just one of many things when it comes to security.

      There’s really no risk in the user and group owning the core directories – that’s a standard setup for many servers as it prevents the need for higher level permissions such as chmod 777 (world read, write, execute), which is a security issue.

      The root user should always own the home directory, whether it’s /var or /home. It should also own the base user directory, whether it’s /var/www or /home/user. Beyond that, it all depends on what kind of access you need to grant.

      For a public facing website, running with the setup I mentioned above is pretty much what the majority of sites run with unless there’s a true need to further restrict.