Score:0

Wordpress permissions issue - How to set ownership and permissions for WordPress files properly and securely?

I am facing some problems with setting up WordPress on my local server. After a successful connection to the local database, WordPress gave me the error "Unable to write to the wp-config.php file." I created wp-config.php manually, but I still could not install any plugin or change any settings. A bit later, I solved it by changing the ownership of all WP files to www-data, but this way of setting ownership is potentially insecure.

So, the question is: Is there any way to set ownership and permissions for these files properly and securely at the same time?

Here is the result of ls -l after a clean installation:

-rw-r-----  1 nobody nogroup   405 lut  6  2020 index.php
-rw-r--r--  1 nobody nogroup 19915 sty  1  2023 license.txt
-rw-r--r--  1 nobody nogroup  7402 mar  5 01:52 readme.html
-rwxr-xr-x  1 nobody nogroup  7205 wrz 17  2022 wp-activate.php
drwxr-xr-x  9 nobody nogroup  4096 maj 20 06:30 wp-admin
-rwxr-xr-x  1 nobody nogroup   351 lut  6  2020 wp-blog-header.php
-rwxr-xr-x  1 nobody nogroup  2338 lis 10  2021 wp-comments-post.php
-rw-------  1 nobody nogroup  3013 lut 23 11:38 wp-config-sample.php
drwxr-xr-x  4 nobody nogroup  4096 maj 20 06:30 wp-content
-rwxr-xr-x  1 nobody nogroup  5536 lis 23  2022 wp-cron.php
drwxr-xr-x 28 nobody nogroup 12288 maj 20 06:30 wp-includes
-rwxr-xr-x  1 nobody nogroup  2502 lis 26  2022 wp-links-opml.php
-rwxr-xr-x  1 nobody nogroup  3792 lut 23 11:38 wp-load.php
-rwxr-xr-x  1 nobody nogroup 49330 lut 23 11:38 wp-login.php
-rwxr-xr-x  1 nobody nogroup  8541 lut  3 14:35 wp-mail.php
-rwxr-xr-x  1 nobody nogroup 24993 mar  1 16:05 wp-settings.php
-rwxr-xr-x  1 nobody nogroup 34350 wrz 17  2022 wp-signup.php
-rwxr-xr-x  1 nobody nogroup  4889 lis 23  2022 wp-trackback.php
-rw-r--r--  1 nobody nogroup  3238 lis 29  2022 xmlrpc.php
Tim
Wordpress documentation is here https://wordpress.org/documentation/article/changing-file-permissions/
ghostone
@Tim Thank you very much for sending me a link to the documentation, I did not know about its existence!
Score:0
Tim

Wordpress documentation has the official recommendations here.

I wrote a script that I can run on demand to upgrade wordpress, plugins, and themes, and also sets permissions on my various WordPress installs. I'm not an expert and I make no claims on whether it's fit for purpose, but I can say it seems to mostly work for me, other than the side effect below.

The side effect of this script is that you can't install WordPress plugins or themes using the web interface of WordPress; you have to use the WordPress cli to install plugins. That means the permissions the script sets aren't quite right, they're too secure, but I don't install plugins often so it's close enough and I haven't bothered spending the time to fix it. Someone else can probably figure it out. I did have a quick look and I put in an idea, commented out, that might work.

You need to have the wordpress cli installed and working for this script to work. You'll also have to create the folder /var/log/wordpress/ and make sure the user who runs the script has permissions. I run it as root.

#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
echo
echo Wordpress Update and Permissions Script Starting
echo "$(date) Wordpress update and backup started"   >> /var/log/wordpress/upgrades 2>&1

# Function to upgrade wordpress
function upgrade_wordpress() {
    # set up folders in the formats needed
    local dir="$1"
    local uploads="$dir/wp-content/uploads"
    local plugins="$dir/wp-content/plugins"
    local themes="$dir/wp-content/themes"

    echo "Upgrading Wordpress core, plugins, themes in ${dir}"
    # wp-cli runs as the file owner (www-user), not as root
    sudo -H -u www-user bash -c "wp core update --path='$dir'"
    sudo -H -u www-user bash -c "wp plugin update --all --path='$dir'"
    sudo -H -u www-user bash -c "wp theme update --all --path='$dir'"

    echo "Setting wordpress permissions to 755 folders and 644 files"
    find "${dir}" -type d -exec chmod 755 {} \;
    find "${dir}" -type f -exec chmod 644 {} \;
    # wp-config.php: read-only for owner and group, no access for others
    chmod 440 "${dir}/wp-config.php"

    echo "Making uploads folder ${uploads} writable by the web server"
    chown -R www-data:www-data "${uploads}"

    # This might make the WordPress web interface able to install plugins and themes. It might also break everything or make it insecure. Beware.
    # This part is completely untested
    # chown -R www-data:www-data "${plugins}"
    # chown -R www-data:www-data "${themes}"
}

echo Setting /var/www permissions to www-user:www-data
chown -R www-user:www-data /var/www/

# Run Wordpress update for each wordpress install
upgrade_wordpress /var/www/wordpress1
upgrade_wordpress /var/www/wordpress2
upgrade_wordpress /var/www/wordpress3

echo Wordpress Update and Permissions Script finished
echo "$(date) Wordpress update and backup finished"   >> /var/log/wordpress/upgrades 2>&1
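
A read-only check of one WordPress tree against the layout the script above sets (code not owned by the web server user outside uploads, nothing world-writable, wp-config.php closed to "other"), as an added example that is not part of the original answer. The names WEB_USER, audit_wordpress and count_issues are hypothetical, and GNU find is assumed.

```shell
#!/bin/bash
# Added example: audits a WordPress tree, changes nothing on disk.
# Assumption: WEB_USER is the account PHP runs as (name or numeric uid).
WEB_USER="${WEB_USER:-www-data}"

# Print one "issue<TAB>path" line per deviation found under $1.
audit_wordpress() {
    local dir="${1%/}"

    # Anything world-writable can be modified by every local account.
    find "$dir" ! -type l -perm -0002 -printf 'world-writable\t%p\n'

    # Code owned by the web server user can be rewritten through PHP.
    # uploads/ is skipped: the script above hands it to the web server.
    find "$dir" -path "$dir/wp-content/uploads" -prune -o \
        -user "$WEB_USER" -printf 'owned-by-web-user\t%p\n'

    # wp-config.php holds the DB credentials: no bits for "other".
    find "$dir" -maxdepth 1 -name wp-config.php -perm /0007 \
        -printf 'wp-config-world-accessible\t%p (mode %m)\n'
}

# Number of findings of one kind: count_issues <dir> <issue-name>
count_issues() {
    audit_wordpress "$1" | awk -F'\t' -v k="$2" '$1 == k {n++} END {print n+0}'
}

# Stand-alone use: ./audit.sh /var/www/wordpress1
if [ "$#" -gt 0 ]; then
    audit_wordpress "$1"
fi
```

Run against the asker's fix (everything chowned to www-data), every path outside uploads is reported as owned-by-web-user.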