Install WordPress with custom directory layout without breakting media upload


New security patches introduced to the WordPress core on October, 14th break media upload on my WordPress installations.

That’s due to my uncommon directory structure:

  • wp-config.php (custom)
  • index.php (custom)
  • wp (vanilla WordPress Core)
    • wp-content (unused)
    • wp-cron.php
    • wp-blog-header.php
    • wp-includes
    • wp-admin
    • …more…
  • wp-content (my custom, used wp-content directory)
    • plugins
    • themes
  • uploads (my custom, used uploads-directory)

So I set WP_SITEURL to my “wp”-directory, WP_CONTENT_DIR and WP_CONTENT_URL to my “wp-content”-directory and WP_PLUGIN_DIR and WP_PLUGIN_URL to my “wp-content/plugins”-directory.

Because WordPress contructs the path of the uploads-Directory relative to the WordPress core I needed to set UPLOADS to ‘../uploads’. So the resulting path of upload_dir() is “/wp/../uploads/” – that worked so far.

In October, 14th with 5.2.4 there was a change to how wp_mkdir_p() (in wp-includes/functions.php) sanitizes and checks the path of new directories it creates. Here’s the SVN log:

r46274 | whyisjake | 2019-10-14 15:31:04 +0000 (Mo, 14. Okt 2019) | 8 Zeilen

Filesystem API: Prevent directory travelersals when creating new folders.

Reject file paths that contain sub-directory paths.

Props iandunn, xknown, sstoqnov, whyisjake.

Built from

There’s a newly added block of code that goes like this:

// Do not allow path traversals.
if ( false !== strpos( $target, '../' ) || false !== strpos( $target, '..' . DIRECTORY_SEPARATOR ) ) {
    return false;

So all my WordPress installations are unable to create a new directory “2019/11” in their uploads directory. However, if i manually create the folder, upload works, it’s just the creation of new subfolders that stopped working.

My question: What’s the best way to configure WordPress in a way that allows me to keep my filesystem structure. One possibility is to modify the apply_filters( ‘upload_dir’, $uploads ) to remove the unnecessary “wp/../” from the path, but that requires a plugin and i’d like to get WordPress working on my servers without having to install a plugin in each (because there are much of them).

, Matthias P. Wurfl 4 years 2019-11-06T10:37:18-05:00 0 Answers 68 views 0

Leave an answer