Okay, this bit me again today, and I didn’t remember the solution from previous research so I had to research it again. That to me means I need to write it up in a blog post. :)
I’m running WordPress for this blog. It is hosted on a Windows 2012 R2 server (using IIS, not Apache) with the latest versions of PHP and MySQL installed.
I uploaded a post earlier that had a PNG file screenshot included. The PNG file uploaded fine and showed up fine in the Media management screen of WordPress but it wouldn’t display in the actual post. The issue winds up being a permissions problem.
When a file is uploaded through WordPress it is actually uploaded through PHP (since WordPress is written in PHP). The way that PHP handles this is to upload the file first to a working temp directory and then move the file over to the appropriate location under the WordPress web root.
The temporary location that PHP uses is defined within the PHP.ini file under your PHP installation folder. By default it is commented out so that PHP will use whatever is defined as the system default. A good security practice would probably be to create a working folder location for PHP to use for temporary files and adjust the permissions on this folder as needed.
By default though it uses the system temp folder which would be found located at \Windows\temp\. This folder’s permissions show the IIS Users group with “special permissions”. If you edit those permissions and add the Read permissions, the problem will resolve itself.
Now when a PNG (or any type of file) is uploaded it will hit this folder first, obtain the appropriate permissions for the anonymous IUSR to view the file, and get moved over to its correct home location under WordPress.
Note that if you don’t have control over all the code on the server and/or it is a shared server hosting for multiple sites/users then I’d recommend using a special folder just for PHP temp use rather than opening up Read access to that general/generic Windows temporary location.