Last week, I have set up a WordPress website for my team, everything went quite smooth until I decided to change our website background image. An error message was displayed: “The uploaded file could not be moved to wp-content/uploads/”. I tried to find the answers to that error through several websites. Almost all the answers that I encountered suggest me to chmod my wp-content folder with the command:
sudo chmod -R 777 wp-content.
This is dangerous.
1. Why is it dangerous
Whenever you apply permission setting 777 to a folder or a file, it means that everyone can read, execute and write that content (file or folder). For example, a random user could do whatever he wants with that folder/file. There are 3 groups of permissions: Owner, Group and Other. By setting permission setting to 777, it means, all the three groups: Owner/Group/Other can read/write/execute that file/folder. You don’t want that, right? So how to solve the aforementioned problem while preserving our content’s security and privacy.
2. How to fix the error and preserve the security of your website
In my case, I use Apache as HTTP server, so when our WordPress website makes a request to read/write/execute any folder/file such as background image, change theme’s style (CSS file) etc., the request is created on behalf of Apache user group. Therefore, if Apache user group doesn’t have the corresponding permission, the request will not be accepted. Normally, when you download WordPress source code, its owner will be the user-name you are logging in to. To make Apache work, you should change the owner group of your website (website root’s folder) to Apache’s. Besides, to find out the group execute the bellow command:
ps aux | egrep ‘(apache|httpd)’
_www 7312 0.0 0.1 2566428 17864 ?? S Tue10AM 0:19.56 /usr/sbin/httpd -D FOREGROUND
_www 7311 0.0 0.1 2565404 13244 ?? S Tue10AM 0:22.39 /usr/sbin/httpd -D FOREGROUND
_www 7309 0.0 0.1 2566700 16420 ?? S Tue10AM 0:21.09 /usr/sbin/httpd -D FOREGROUND
_www 7307 0.0 0.0 2566684 6384 ?? S Tue10AM 0:18.85 /usr/sbin/httpd -D FOREGROUND
_www 7306 0.0 0.1 2565676 13268 ?? S Tue10AM 0:19.59 /usr/sbin/httpd -D FOREGROUND
root 93 0.0 0.0 2482064 2516 ?? Ss Sun05PM 0:05.49 /usr/sbin/httpd -D FOREGROUND
the account named _www is Apache service’s account, you now should change the owner of your website’s root folder to _www
- Assump that your website is located at: /var/www/public_html/your_web_site
- Execute the command: sudo chown -R _www /var/www/public_html/your_web_site
Try again (uploading a picture or modifying the CSS file) and enjoy the results.
*In case you have changed (chmod) permission of any folder/file of your website to 777, you definitely should update it, only the owner group should have full permissions (read/write/access) to that folder/file, the other 2 groups (Group/Other) should have only read or read/execute: A recommended setting is: 755 (7: Owner can read, write and execute; 5: Group can read execute) meaning that only the Owner has the write permission.
If you are not familiar with File Permissions, just follow the bellow command:
sudo chmod -R 755 /var/www/public_html/your_web_site