How to secure your folders with 777 permissions in Wordpress (Ex. Uploads folder)

Commonly,

  • To allow your users, subscribers, etc. to upload media (images, videos, documents, sounds) and insert it into their posts and pages for sharing,
  • Or, to let some plugins work properly,

you need to set the permissions of some folders (for example the “uploads” folder, usually inside your “wp-content” folder) to 777, which means that you allow yourself and the whole world to read, write and execute anything in these folders and usually their subfolders. This opens a hole that malicious users can use to inject and execute scripts in that directory and gain access to the back-office resources of your website, which can be very dangerous.

Browsing the web for the best way to fix this problem of folders with 777 permissions, I found that the best reference is the page of the WordPress Codex, which you can find here.

To make it easy and quick, here are our recommendations:

  • If the folder is meant to serve documents or media only and no scripts need to run there, you can simply deny all access to scripts in that folder and its subfolders with the directives below, added to the access file of that folder, commonly named .htaccess, which lets you write specific access rules for a given folder and its subdirectories. The steps are:
  • If no access file is present in that folder, create one and call it “.htaccess”. Windows does not let you create a file with an empty name, so create a file called “htaccess.txt” for example, upload it and then rename it to “.htaccess”. If an access file is already present in that folder, BACK IT UP first before making any change.
  • Download and edit the access file (usually .htaccess).
  • Add the following directives to it; they deny all direct requests to files in that folder:
  • order deny,allow
    deny from all
  • Upload the modified file.

If the folder is a plugin folder, for example, and scripts need to be executed from there, the execution requests usually come only from the server hosting these plugins, which counts as a local request. Remote requests are, for example, direct accesses to the file through a web browser, another program, or another website. To deny remote requests to these files, we strongly recommend setting the permissions back to “755” as soon as the action that needed “777” is done. If your plugin still needs the permission to work properly, then we invite you to tweak your .htaccess file according to the cases described here.
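As an added example that is not part of the original post, the following POSIX shell script puts both recommendations above into one audit: it finds world-writable (777) directories under a WordPress tree, reports which ones lack an .htaccess with the deny rule, and applies the media-folder remediation (deny rule after a backup, then 755) to a chosen directory. It assumes find, grep and mktemp are available; the sample tree built in demo() is constructed for the run.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a WordPress tree for
# world-writable (777) directories, reports which ones lack an .htaccess that
# denies direct HTTP access, and applies the post's two remediations to a
# media-only folder: the deny rule (after backing up any existing file) and 755.
# Assumes a POSIX shell with find/grep/mktemp; the sample tree in demo() is constructed.

# audit_world_writable ROOT: one line per world-writable directory under ROOT,
# "<dir> protected" if its .htaccess contains "deny from all", else "<dir> UNPROTECTED".
audit_world_writable() {
  find "$1" -type d -perm -0002 2>/dev/null | while IFS= read -r dir; do
    if [ -f "$dir/.htaccess" ] && grep -qi '^[[:space:]]*deny from all' "$dir/.htaccess"; then
      echo "$dir protected"
    else
      echo "$dir UNPROTECTED"
    fi
  done
}

# count_unprotected ROOT: number of world-writable directories without the deny rule.
count_unprotected() {
  audit_world_writable "$1" | grep -c ' UNPROTECTED$' || true
}

# harden_dir DIR: back up any existing .htaccess, write the deny rule, drop to 755.
harden_dir() {
  if [ -f "$1/.htaccess" ]; then
    cp "$1/.htaccess" "$1/.htaccess.bak"
  fi
  printf 'order deny,allow\ndeny from all\n' > "$1/.htaccess"
  chmod 755 "$1"
}

# demo: build a constructed sample tree, audit it, harden the uploads folder, re-audit.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-content/plugins/foo" "$tmp/wp-content/themes"
  chmod 777 "$tmp/wp-content/uploads" "$tmp/wp-content/plugins/foo"
  chmod 755 "$tmp/wp-content/themes"
  echo "Before: $(count_unprotected "$tmp") unprotected world-writable dir(s)"
  audit_world_writable "$tmp"
  harden_dir "$tmp/wp-content/uploads"
  echo "After: $(count_unprotected "$tmp") unprotected world-writable dir(s)"
  rm -rf "$tmp"
}

demo
```

Run it against your real site root instead of the constructed tree to list the folders that still need attention; a plugin folder that must keep 777 while it works shows up as UNPROTECTED until you set it back to 755.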

We invite you to post your comments below, ask your questions, or share your advice and experience.
