Score:2

How should I modify file permissions to accommodate WordPress


I have been successfully using the method described here: Maintained by a Single User and it has been working well for me. This is my script for all my websites:

sudo chown -R WebAdmin /var/www/example.com/
sudo chgrp -R www-data /var/www/example.com/
sudo chmod -R 750 /var/www/example.com/
sudo chmod g+s /var/www/example.com/
sudo chown www-data:www-data /var/www/example.com/Uploads/
sudo chmod -R 755 /var/www/example.com/Uploads/

I maintain all the sites on that server and WebAdmin is the general user I use for FTP and also SSH.

However, I recently moved a few WordPress sites from a hosting company to my server and the above doesn't work. Updating WordPress or its themes/plugins gave me the error:

To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.

There are several "fixes" such as this one which are more like workarounds and are probably insecure. So I used the safest (AFAIK) method and made the www-data the owner of the WordPress sites, while keeping non-WordPress sites as before. In other words, I simply ran

sudo chown -R www-data /var/www/wp_example.com/

on the WordPress sites. This of course worked, but it becomes a pain as far as maintaining the website manually goes, because I have to log in as root to do that. I would also not be able to assign the website(s) to someone else to maintain in the future. Note that some of my sites are hybrid (partly WordPress and partly custom pages).

So I am wondering if there is a better solution that is more elegant and more general i.e. it will work for both WordPress and non-WordPress sites.

One possibility is that I add the user WebAdmin to the www-data group. Or perhaps www-data to the WebAdmin user group? Which makes more sense and which is more secure?

Score:4

If both the user WebAdmin directly and the user www-data through group www-data need to write to these directories, then 750 is not enough. What fixes your current design would be:

sudo chmod -R 770 /var/www/example.com/

Security considerations

However, in general this means every PHP site is running on the same user and after this modification every site could read & write the files of any other site. This means that a compromise on any of the sites compromises them all.

Using a separate user and PHP-FPM pool for every site would divide the sites into isolated compartments, mitigating this risk. You could administrate the site with the same user that is running it:

/var/www$ ls -l
drwxr-x--- 2 example-com www-data 4096 Aug 30 7:00 example.com
drwxr-x--- 2 example-net www-data 4096 Aug 30 7:00 example.net
drwxr-x--- 2 example-org www-data 4096 Aug 30 7:00 example.org

If you absolutely need the user WebAdmin to manage them all, you would add the user to group www-data and give the write permissions to the group, but I would not recommend that.

/var/www$ ls -l
drwxrwx--- 2 example-com www-data 4096 Aug 30 7:00 example.com
drwxrwx--- 2 example-net www-data 4096 Aug 30 7:00 example.net
drwxrwx--- 2 example-org www-data 4096 Aug 30 7:00 example.org

PHP-FPM pools

As I mentioned the PHP FPM pools, here's a short example configuration. There are several tutorials explaining these steps in detail.

  1. Install PHP-FPM.

  2. /etc/php/8.2/fpm/pool.d/example-com.conf:

    [example-com]
    user = example-com
    group = example-com
    
    listen = /run/php/example-com.sock
    chdir = /var/www/example.com
    
    listen.owner = www-data
    listen.group = www-data
    
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    
    php_admin_value[disable_functions] = exec,passthru,shell_exec
    php_admin_flag[allow_url_fopen] = off
    php_admin_value[cgi.fix_pathinfo] = 1
    
    security.limit_extensions =
    

    The last line is decreasing the security to allow WordPress to handle SEO URLs; the others are for increasing security. The pm parameters should be adjusted to your needs.

  3. Enable Apache modules mpm_event, proxy & proxy_fcgi.

  4. Add the handler to the Apache2 <VirtualHost> block for the site:

    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/example-com.sock|fcgi://localhost"
    </FilesMatch>
    <Proxy "fcgi://localhost/">
    </Proxy>
    
  5. Reload or restart Apache2 & PHP-FPM services.

in flag
Changing permissions to 770 did not help with the WordPress problem. I get the same error.
jp flag
It was a bit hacky anyway. While it gives `www-data` the permission to write to these directories, it might not be compatible with the method WordPress uses to check for the permissions. The real answer lies under the security considerations.