Postscript:

You can use HTEXPLOIT to bypass any .htaccess permissions:

HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process. By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.

http://www.blackhat.com/usa/bh-us-12-briefings.html#Soler

On Wed, Aug 8, 2012 at 6:18 PM, Lisa Kachold wrote:

> Hi Keith,
>
> On Wed, Aug 8, 2012 at 11:50 AM, keith smith wrote:
>
>> Hi,
>>
>> I need to make a directory writable so WordPress can upload images to the
>> directory. I'm thinking I need to change the group ownership of the
>> directory to Apache with the user remaining the same. In the past I've
>> changed the group and ownership to Apache and was blocked from FTP access
>> after that.
>>
>> Any security issues I need to be aware of? Other approaches?
>>
>> Any advice is much welcomed!! Thank you for your help!!
>>
>> ------------------------
>> Keith Smith
>
> Known Issue: WordPress asks for a directory location: you set it up as
> 755 and it won't work.
>
> WordPress works, of course, from PHP and Apache. So in order to allow for
> Apache ftp you would need to make it writable by Apache and other. If
> you change the group writable permissions your ftp breaks (so don't do
> that!):
>
> Here's more on it:
> http://wordpress.org/support/topic/advanced-problem-image-upload
>
> http://wordpress.org/support/topic/151290
>
> Solution:
>
> You need to use "chmod 777" for uploads to work.
>
> Security Issues:
>
> This is a security risk of course, since there are many spider scrapers
> looking for an open permission directory to be able to write, say a fake
> Phishing Site page for UPS with an email results script.
>
> Solution: (from WordPress documentation):
>
> Base image directory
>
> The base image directory must be world writable i.e.: chmod 777
>
> Base image URL
>
> The URL to the base image directory, the web browser needs to be able to
> see it.
>
> Note that the directory can be protected via .htaccess on apache; check
> your web server documentation for further information on directory
> protection. If this directory has to be publicly accessible, remove
> scripting capabilities for this directory (i.e. disable PHP, Perl, CGI). We
> only want to store images in this directory and its subdirectories.
>
> On apache you can create the following .htaccess file in your base image
> directory:
>
> order deny,allow
> deny from all
>
> --
> (503) 754-4452 Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> Safeway.com
> Automation Engineer
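
An added example, not part of the thread or of the WordPress documentation it quotes: a shell function that audits an image upload directory for the two risks raised above, entries left writable by "other" after chmod 777 and script files in a tree meant to hold only images. The function name, the extension list and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit an image-only upload directory.
# Prints one finding per line. Returns 0 when the tree is clean, 1 when
# there are findings, 2 when the argument is not a directory.
# Assumed usage: audit_uploads /var/www/html/wp-content/uploads
#
# Checks, in order:
#   WORLD-WRITABLE  entries writable by "other" (what chmod 777 leaves behind)
#   SCRIPT          script files by extension; the list is an assumption,
#                   and *.php.* also catches names such as x.php.jpg
#   EXECUTABLE      regular files with any execute bit; images never need one
audit_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_uploads: not a directory: $dir" >&2; return 2; }

    out=$(
        find "$dir" ! -type l -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;

        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.php.*' -o -iname '*.phtml' -o -iname '*.pl' \
            -o -iname '*.cgi' -o -iname '*.py' \) \
            -exec printf 'SCRIPT %s\n' {} \;

        find "$dir" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
            -exec printf 'EXECUTABLE %s\n' {} \;
    )

    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
```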