WordPress: Unable To Create Directory Error

This article describes how to securely fix the wordpress “Unable To Create Directory Error”

This is a general permissions error and may be uncovered in a variety of situations; the most common of these is when trying to upload images:

“Unable to create directory /wp-content/uploads//. Is its parent directory writable by the server?”

There are many various articles about this error and horrifically, a lot of them advise fixes which are glaring security holes and can / will lead to compromise of the web server.

They look something like this: “Change permission of directories to 757 or 777” – doing this allows anyone on the internet to upload write files to your directory!!!

Here is the secure solution:

  1. Check to see which user & group the apache web server runs under. This information is held in the /etc/apache2/envvars file and you can view it as follows:

    Wordpress: Unable To Create Directory Error Fix
    Apache RUN Vars
  2. Create the directory in question if necessary – note: it may already exist:

    Wordpress Unable to Create Directory Error
    Create uploads Directory
  3. Change the group ownership of the directory to the group apache runs under – in this case  you can see that the group is “www-data”:

    Wordpress Unable to Create Directory Error
    Change group permissions
  4. Assign write permission to the group for that directory:

    Wordpress Unable To Create Directory Error
    Change Group Permissions

Job done!

Linux: Cut Down on the Information Leaked by Apache2 Webserver

It’s a given that information leakage in the form of server / mod versions can seriously aid an attacker in compromising your server and / or web application. By cutting down the amount of information that your server freely surrenders you can make the attacker’s job that much harder – these very quick tips will do just that!


In your /etc/apache2/conf.d/security file, look for “ServerTokens” and set the parameter to “Prod” – this will identify the server software only, no versions, or extensions.

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod


ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2


In the same vein, we want to remove any information shown by the php install which is done by setting the “expose_php” directive to “Off”.

Locate this in the /etc/php5/apache2/php.ini file and set accordingly:

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off