Automatic Plugin/WordPress Upgrade without FTP Credentials (3 posts)

  1. shaneshack
    Member
    Posted 4 years ago #

    *** This will be especially useful if you are using apache2 (httpd) and pure-ftpd for your web and ftp servers. This also assumes you have access to your server's apache and pure-ftpd conf files. ***

    If you want your WordPress to update your plugins or its core files for version updates without prompting for FTP credentials, check the following:

    First, verify what uid/gid your server is assigning your FTP account (the username/password combo you use to FTP your files). For instance, many pure-ftpd server installations create a uid called "ftpuser" and a gid called "ftpgroup". Also, in typical pure-ftpd installations, both of those groups will have a numeric assignment of 2001. What happens when you upload your files is they are uploaded with file and folder permissions assigned to uid "ftpuser" and gid "ftpgroup". Some FTP clients will identify the owner of the folder by the numerical value - in this case 2001.

    The following command lists all uids for your server:
    cat /etc/passwd

    The following command lists all gids for your server:
    cat /etc/group

    Once you have verified your ftp uid/gid, check your apache config file (maybe /etc/httpd/conf/httpd.conf or /etc/apache2/conf/httpd.conf) and note the User and Group values. I have seen some apache installations put this info in its own file called uid.conf. By default, apache assigns both of these values to "apache".

    What I've discovered is that when the User and Group values in httpd.conf match the uid/gid which the ftp server is assigning to your files and folders, WordPress will no longer prompt you for FTP credentials when downloading upgrades for plugins and core files.

    The other interesting thing I've discovered is that once you make the change in your httpd.conf file to match the User/Group and uid/gid values, WordPress no longer uses FTP at all (to my knowledge) to download updates. All FTP logins are noted in the message log (/var/log/messages) when I log in with my FTP client AND when I was entering FTP credentials to download WordPress updates. Since making this change, when I download WordPress updates, there are no log entries for FTP activity. I only assume that WordPress begins using wget (or something like it) to download when these changes are made.

    I have no idea if this will work for many of you or not, but it has worked for me, after a lot of time trying to figure this out. None of the suggestions other people were making were working for me.

    As a side note, this also enabled me to remove the 777 permissions I had assigned to my upload folders due to upload permission problems.

  2. thinkinginvain
    Member
    Posted 3 years ago #

    Hi,

    I came across this post you have written and this one: http://robspencer.net/auto-update-wordpress-without-ftp/

    I am looking for a solution like this but am concerned about how it might affect the security of the server and how it may affect other functions of WordPress?

  3. shaneshack
    Member
    Posted 3 years ago #

    So far I've experienced zero issues with WordPress' functionality. I maintain several WordPress sites and use them extensively, and have modified a few of them extensively without issue.

    As to the security issues, I have been unable to derive any unexpected risks from this configuration, although no config is risk-free. Through the use of complex passwords and non-default names for uids and gids, I feel like the config is pretty secure, especially since with this config there is no need for any 777 folders in my directories. I have anonymous FTP disabled, so you must log in as an authorized user. Browsing outside of your FTP directory is locked down/prohibited.

    I'm open to being proven wrong on this, but until someone can show me the error of my logic, this is a very convenient configuration. As far as I can tell, this is a relatively safe configuration.
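
The checks described in the first post (Apache's User value, the uid it maps to, the owner of the WordPress files, and any leftover 777 directories) can be scripted. This is an added shell example, not part of the thread: the function names and all paths are assumptions, and the demo files are constructed using the "ftpuser"/2001 values the post mentions.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments, so the checks
# can be run against copies of the real config files.

# Value of the last uncommented User/Group directive in an Apache config file.
apache_directive() {  # usage: apache_directive CONF User|Group
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { if (v != "") print v }' "$1"
}

# Numeric id for a name in a passwd- or group-format file (third field).
name_to_id() {  # usage: name_to_id DB_FILE NAME
    awk -F: -v n="$2" '$1 == n { print $3; exit }' "$1"
}

# Numeric uid that owns a path.
path_uid() { ls -ldn "$1" | awk '{ print $3 }'; }

# Directories under a tree that any local account can write to (e.g. mode 777).
world_writable_dirs() { find "$1" -type d -perm -0002; }

# Returns 0 only if Apache's User owns WP_DIR and no directory is world-writable.
audit_wp_owner() {  # usage: audit_wp_owner CONF PASSWD WP_DIR
    user=$(apache_directive "$1" User)
    web_uid=$(name_to_id "$2" "$user")
    file_uid=$(path_uid "$3")
    status=0
    echo "Apache User=${user:-unset} uid=${web_uid:-unknown}; $3 owned by uid $file_uid"
    if [ -z "$web_uid" ] || [ "$web_uid" != "$file_uid" ]; then
        echo "MISMATCH: web server uid is not the file owner"
        status=1
    fi
    loose=$(world_writable_dirs "$3")
    if [ -n "$loose" ]; then
        printf 'World-writable directories:\n%s\n' "$loose"
        status=1
    fi
    return "$status"
}

demo() {  # constructed sample files; ftpuser/2001 are the values from the first post
    d=$(mktemp -d); mkdir -p "$d/wp/uploads"; chmod 777 "$d/wp/uploads"
    printf 'User ftpuser\nGroup ftpgroup\n' > "$d/httpd.conf"
    printf 'ftpuser:x:2001:2001::/home/ftp:/bin/sh\n' > "$d/passwd"
    audit_wp_owner "$d/httpd.conf" "$d/passwd" "$d/wp"; rc=$?; rm -rf "$d"; return "$rc"
}

# With three arguments, audit real files (for example an httpd.conf path,
# /etc/passwd and the WordPress directory); with none, run the demo.
if [ "$#" -eq 3 ]; then audit_wp_owner "$@"; else demo || true; fi
```

On Debian-style Apache installs the User value may be a variable such as `${APACHE_RUN_USER}` defined in /etc/apache2/envvars, which this script does not expand.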
