

Why does Apache show an index of wp-content/uploads?




Posted by 6716, 11-27-2013, 12:55 PM
VPS, CentOS 6.4, Apache 2.2.15. In getting WordPress up and running, setting the wp-content/uploads directory permissions to 777 was the only way I could find that allowed me to upload image files. When I point the browser to the directory, it comes up as an Apache result showing the directory contents and links to the contents. Is it because the directory is set to 777?

I understand that having the directory at 777 is a "security risk", but what is the actual risk in this certain case? Could an attacker without access to the WP dashboard upload an executable file? Is there a way to stop Apache from showing this result while keeping the permissions at 777? Might there be another way to get the WP file upload to work without going to 777? Thanks for your thoughts.

Posted by SajanP, 11-27-2013, 01:08 PM
So you have two questions here.

1. Why is Apache showing a directory listing of all the files.
2. How to properly set up permissions. (In other words, don't use 777).

For the listings, this is actually a feature of Apache. If there is no "Index" file, such as index.html, index.php, or whatever you have set as acceptable index files, Apache will just list all the files in the directory. You can configure this on and off, just take a look at the documentation. http://wiki.apache.org/httpd/DirectoryListings Or if you want to post your Apache configuration files, we can help you out as well.

Second, regarding 777. When you upload something from the WordPress dashboard, WordPress needs to be able to write that uploaded file into the uploads directory. Now, your Linux box doesn't really care who/what WordPress is. Because WordPress is a PHP application, you need to make sure that whatever user is running the PHP process has access to write. In your case, I'm assuming you're using Apache with mod_php, meaning PHP is run by the same user as Apache. (Not the BEST idea, but no biggie).

Go check your WordPress files and folders and see who owns them. If it's not the same user as Apache is running under, Apache won't be able to write your uploaded files. This is why you had to set it to 777. 777 allows ANY user on your system to write and execute. If you only want your Apache user to write/execute the files, make sure Apache owns them. Then you can set more sane permissions on your files and directories. Like 755 on directories and 644 on files.
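
The two checks from the reply above as a shell script, added here as an example and not posted by anyone in the thread: it reports world-writable entries and directories that have no index file, then resets modes to 755/644. The function names are made up for illustration, and index.php and index.html are assumed to be the configured index files.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every world-writable file or directory under $1 (what 777/666 leaves).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Print every directory under $1 without an index file, i.e. the ones Apache
# would list when directory listings are enabled.
# Assumption: index.php and index.html are the accepted index files.
listable_dirs() {
    find "$1" -type d -print | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Reset modes to 755 on directories and 644 on files. The tree must already be
# owned by the user PHP runs as (chown -R as root first), otherwise uploads
# from the dashboard will fail again.
harden_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Report on one tree; returns non-zero if anything is world-writable.
audit_uploads() {
    ww=$(world_writable "$1")
    [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
    printf 'no index file (listed if listings are on):\n%s\n' "$(listable_dirs "$1")"
    [ -z "$ww" ]
}

# Usage: sh audit.sh /path/to/wp-content/uploads
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```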

Posted by 6716, 11-27-2013, 01:34 PM
Thank you! When I point to the directory wp-content, one directory up from wp-content/uploads .... all I get is a blank page. But then I noticed that there is an index.php file in that directory:

Posted by Buycpanel-Kevin, 11-29-2013, 02:00 PM
Setting things to 777 is a security risk because there are no limits to what an attacker could do if he has access to the server (for example, through ssh). But if the attacker doesn't have access, then the permissions don't really matter. So, moral of the story: make strong passwords on your ssh and you'll be fine.


