/tmp and /wp-content/uploads/ShortpixelBackups

  • Resolved hackrepair

    (@hackrepair)


    4 months, 3 weeks ago

    An ongoing gripe about location of files saved in ShortPixel Image Optimizer
    Maybe someone else has already reported this and it’s on your roadmap…


    Over the years I’ve run into this fairly irritating issue with the ShortPixel Image Optimizer plugin, in that it sometimes tries to save it’s .jpg and .webp files into the server /tmp directory
    instead of into /wp-content/uploads/ShortpixelBackups

    Are you aware of this, or do you have a plan to mitigate it in the future?

    IMHO, it does not seem appropriate to me that your plugin would allow the saving of files anywhere but “its own” set directory, like in your case:
    public_html/wp-content/uploads/ShortpixelBackups

    Thoughts?

    ___
    The fix.
    In order to resolve files being saved into the server root directory, I’ve had to manually set for some clients byediting the wp-config-php, like:
    define( ‘WP_TEMP_DIR’, ‘/home/usename/public_html/wp-content/tmp/’ );

    <rant>
    Seriously, a client should not have to research, know that, or implement that. It’s neither fair nor cool; when there should be safeguards in the plugin’s code to limit where files “can be” saved.
    Likewise, it seems to me that this is a security issue, and that a plugin should have a wrapper in place to limit where files can be saved (specifically, not outside the client’s public directory).
    </rant>

    • This topic was modified 4 months, 3 weeks ago by hackrepair.
    • This topic was modified 4 months, 3 weeks ago by hackrepair.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Adrian

    (@adrianrus)

    4 months, 3 weeks ago

    Hi @hackrepair ,

    Thank you for your message! I’m sorry to hear about this issue 🙁

    No worries, I totally understand your frustration about this!

    These images are indeed created by our plugin but they are used temporarily while we move around the original files to the backup location. Normally, these files should be removed immediately after the optimization is done, and since they are left there, I think there is some kind of permissions limitation that doesn’t let our plugin remove them.

    Also, since the /tmp folder is used to store temporary files, it should be automatically purged by your hosting provider as this is how the /tmp folder works in most cases.

    To be more specific those files were never meant to stay there forever, normally they should be there for a few seconds/minutes until we move the original files to the backup location and that’s it!

    Could you please ask your hosting provider why the /tmp folder doesn’t get purged periodically?

    Looking forward to your reply!

    Thread Starter hackrepair

    (@hackrepair)

    4 months, 3 weeks ago

    You’re correct that the system can clear /tmp, but it’s not a guarantee that the space is safe mid-job. On many cPanel servers, /tmp is cleaned by tools like tmpwatch or on reboot.

    It’s also common for shared-hosting providers to allocate a relatively small partition for /tmp.

    So if a client is trying to process, say, 100 GB of images and /tmp is only 10 GB, well, you’ve got a potential disaster at play: big file job + small working area = risk of “disk full” or failed operations when /tmp is full.

    From a hosting and plugin best-practice standpoint, it’s better if a plugin keeps all its temporary files inside the client’s account (for example, under wp-content/temp).

    This way, the client has visibility and control—rather than relying on the server’s root /tmp, which most clients do not have access to in an emergency (like, for instance, when the ShortPixel Image Optimizer plugin fills up /tmp).

    • This reply was modified 4 months, 3 weeks ago by hackrepair.
    Plugin Support Adrian

    (@adrianrus)

    4 months, 3 weeks ago

    Hi again, @hackrepair ,

    Most hosting providers purge the /tmp folder automatically when it reaches a certain usage percentage so it never really gets to 100% to cause issues, this is also why most PHP scripts also save the temporary files there.

    We’ve been having this system in place for years now and never had any users reporting their /tmp getting full because of our plugin, but I totally understand your point about the client side location for the temporary files.

    I’ve noted your feedback so I can discuss it with my colleagues to see if there’s anything we can improve in this area in the future!

    All the best,

    • This reply was modified 4 months, 3 weeks ago by Adrian. Reason: typo
    Plugin Author Pedro

    (@petredobrescu)

    3 months, 1 week ago

    Hello @hackrepair,

    This has been addressed in version 6.4.1 of our plugin, recently released. Please note that it does not clean previous temporary files, but from now on it should not leave traces anymore (unless permissions or other issues prevent the deletion of temporary files).

    Thanks for reporting this!

    Thread Starter hackrepair

    (@hackrepair)

    3 months, 1 week ago

    Most excellent!

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.