Recent WordPress Update Breaks Custom Upload Folders

We like to run our WordPress installs in a sub-folder to keep the directory structure clean.

Suddenly our clients were no longer able to upload new images as they were getting an error:

Unable to create directory ../images/2019/11. Is its parent directory writable by the server?

As it turned out, it was caused by the WordPress releases from October 14, 2019:

• 5.2.4
• 5.1.3
• 5.0.7
• 4.9.12 – this is what we use, as we like to stay free of all the Gutenberg additions
• 4.8.11
• and other versions down to 3.7.31

WordPress developers put in a security fix which no longer lets you reference the uploads folder with ../: Filesystem API: Prevent directory travelersals when creating new folders.

The reason is that you could potentially (yes, on a highly insecure server with bad permissions) affect files outside of the web root directory and hack the server.

Fixing that issue is important, but it shouldn’t be done in a way that breaks the media uploads. This security fix just managed to break something that was working fine for 12 years.

Read on:

• Details about our setup
• How to fix the issue

Details about our setup

So this is how our typical web root looks like – nice and simple, no wp-... folders and files all over the place:

To do that we simply install WordPress into a site directory, then put in the index.php file which loads site/wp-blog-header.php and configure Settings -> General accordingly:

Then finally we configure the upload paths in Settings -> Media:

However due to that WordPres security update we can no longer use ../ in the “Store uploads in this folder” setting (upload_path wp_option).

How to fix the issue

There are two ways:

1) You can fill in the full uploads path, so you end up with:

• on cPanel server: /home/your-account/public_html/images
• on ServerPilot server: //srv/users/your-user/apps/your-website/public/images/

However figuring out that path is not trivial and if you move your website to some other web hosting account you will have to adjust it again.

That’s why we recommending the second option:

2) Installing our BusinessPress plugin instead.

BusinessPress is the plugin which helps us run our clients websites without too much hassle. It makes sure the clients can still manage their full site options, but won’t let them apply plugin or WordPress updates, as we do that with iControlWP.

That way we avoid having to fix the client websites on weekends. Without BusinessPress it’s just too easy to hit the update button and suddenly your WordPress 4.9 is on 5.3 with Gutenberg all over the place.

BusinessPress also contains a number of important tweaks, including:

• Enable Google style results – Gives you similar layout and keyword highlight.
• Enable Link Manager – Legacy feature of WordPress, hidden since version 3.5.
• Enhance wp-admin Dropdowns – Makes long, unwieldy select boxes much more user-friendly, including search functionality.
• Login redirection – After you log in you will be redirected back to the page where you clicked wp-login.php link
• Set Featured Images Automatically – First image in the post becomes the featured image on save.
• …and this important core WordPress bugfix

To fix this upload path issue we first check if your WordPress is running in a sub-folder. If it does, we check if your upload path is relative. If it is relative, we check if it’s going to say in the web root. Only then we let it pass.

There is no need to use any of the advanced features of BusinessPress, just enabling the plugin will activate the fix.

So our fix doesn’t revert the security improvement by WordPress which started this whole issue.

I wish we could catch this issue ahead of time (before November started) as we could have pushed the fix into core WordPress (which is a time consuming task too).

Martin Viceník

Martin graduated as an engineer in Computer Science from Slovak Technical University in Bratislava. He grew up in Liptovský Mikuláš in northern Slovakia next to the beautiful Tatra mountains. He is the developer behind our FV Player.