WordPress.org

Ready to get started?Download WordPress

Forums

How to allow automatic upgrade of plugins w/o entering password all the time? (15 posts)

  1. tamar
    Member
    Posted 5 years ago #

    This is a super easy question for the right person, but I don't understand where this is.

    On some WordPress installations, I can use the automatic plugin upgrade tool without problems. In others, I get a "connection information" dialog box.

    My question: how do I disable the "connection information" dialog box? It's usually asking me for my FTP password, which I change every so often, so I'm curious to know what I also need to change on the WP backend so that I don't have to manually type it in every single time I upgrade a plugin.

    Thanks!

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    WordPress asks for FTP information when it detects that it cannot create files under the username that owns the WordPress scripts itself.

    Short version: If the web server is running "suPHP", then it can update itself directly, without needing to use FTP.

  3. tamar
    Member
    Posted 5 years ago #

    Otto, thanks.

    Without requiring suPHP, I'm curious to know what, if anything, would allow me to "create the files under the username that owns the WordPress scripts itself."

    On the server, all of the files *are* owned by the user.

    Should I chmod the files to a specific permissions? Is there an easier way?

    I'm recompiling Apache right now to enable suPHP, but I'm just curious about easier alternatives because I host some WordPress blogs on sites where I don't have that kind control and can't enable suPHP.

    Thanks again.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    Without requiring suPHP, I'm curious to know what, if anything, would allow me to "create the files under the username that owns the WordPress scripts itself."

    If you don't use an su method, then the WordPress files must be owned by the same user that the webserver itself is running under.

    Also, recompiling Apache? What? All I ever do to install suPHP is "yum install suphp" or similar. Get a package management system already. :)

  5. tamar
    Member
    Posted 5 years ago #

    haha, you can install it, but you still have to activate the module :P Right? I'm not going to take any risks. Plus, my PHP is outdated so I have a good excuse!

    I guess I could just set the group ownership of the files to "nobody" or "apache" (I'll have to figure out which one is used). I suppose that's what WP wants then, right?

    Thanks Otto :)

  6. If the files and directories are owned by the user, then they are probably not owned by the user that Apache2 runs as.

    It's not that your userid can't write to those directories, it's that Apache2's userid does not have permission to do so.

    Using suPHP would be best, especially on a shared server.

    If you are not on a shared host, meaning other people don't/can't log into your box and YOU can become the super user (root), you can assign ownership to two sub-directories and files and automatic plugin upgrades will work.

    If you share the server, then don't do this. It's a huge window to exploit. Seriously, don't.

    Backup your files before trying this. If the bad thing happens, you'll need to put them back the way they were.

    Identify what the Apache2 user runs as. On Ubuntu it's www-data and I'm going to use that UID and GID for my example.

    As root and on the command line, go to your blog directory (cd /somewhere/you/keep/wordpress) and run these commands:

    find wp-content | sed -e 's/\ /\\\ /g' | xargs chown www-data:www-data
    find wp-admin | sed -e 's/\ /\\\ /g' | xargs chown www-data:www-data

    These 'find' commands locate all the files and directories in wp-content and wp-admin.

    The 'sed' command escapes out an spaces you may have in file names or directories. Most commands don't like getting spaces in their arguments without escaping them or double quoting them.

    The 'xargs' command handles large lists of files so that the last command 'chown' will not choke on the volume.

    The 'chown' command will assign the files and directories to the userid that Apache2 is running at (if you are using that userid).

    WordPress needs the wp-content directory writeable so that the plugins can be downloaded and stored for unziping and moving into the plugins directory.

    I don't have a good reason why wp-admin needs to be writeable, but this won't work otherwise.

  7. tamar
    Member
    Posted 5 years ago #

    Thanks jd. I'm aware of the security risks of making this public, but thanks for reinforcing it :) I'll consider suPHP, I suppose.

    Just one question: in case I do try the risky method, how do I easily identify what the Apache2 user runs as?

    (and what kind of real WordPress person would actually put spaces in filenames and directories? ;) )

  8. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    I guess I could just set the group ownership of the files

    Group isn't good enough. The actual owner needs to match.

    Some people have posted (bad) hacks to work around this. These hacks are not recommended. Deep in the heart of things, there is a reason, although it's a bit involved to explain why this is necessary. The short answer is that when WordPress upgrades something, it wants the resulting files to look the same as the old files did. Same owner, same permissions, etc. To do this, it needs to be running as the person who owns those files. suPHP allows this to happen easily. Without suPHP, it becomes difficult.

    haha, you can install it, but you still have to activate the module :P Right?

    No. Literally, that's all I've ever done to install it. On Fedora (my distro of choice):

    yum install suphp
    .. answer yes to prompts and such ..
    service www restart

    Done. That's it. Good package management is *awesome*, isn't it?

  9. tamar
    Member
    Posted 5 years ago #

    I suppose so :)

    IMO it'd be ideal if a future iteration of WordPress let you input your FTP password somewhere so that it can be stored to the server. The issue really is that I have to type in the password all the time. Why can't it just be saved in the Settings tab or something? I think it'd be a lot easier than having to worry about hacks.

    Just a thought. suPHP it is, I s'pose ;)

  10. Try on the command line

    cd /etc/apache2 (or where your apache2 configs are)
    egrep "User|Group" *

    Look for the lines that have User and Group defined, that will give you the uid and gid to use.

    If that does not work try

    ps -eo comm,uid,gid | grep apache

    Replace apache with http if you need to.

    (and what kind of real WordPress person would actually put spaces in filenames and directories? ;) )

    Some plugins do. Darn you evil spaced out plugins!! DAARRRN YOUUUUU!!!

    :)

  11. tamar
    Member
    Posted 5 years ago #

    THANKS all :)

  12. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    The issue really is that I have to type in the password all the time. Why can't it just be saved in the Settings tab or something?

    Because that would be horribly, horribly insecure and unsafe?

  13. tamar
    Member
    Posted 5 years ago #

    Otto, but does it have to be? Why can't it be stored in the database in a hash or something?

    It's not like it's any safer to store plaintext passwords in wp-config.php, be them for a database or not.

    That was the logic I used to come to this suggestion.

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago #

    You can't store the FTP password as a one-way-hash because WordPress needs to send the actual password to the FTP server in order to login. So a hash would not be particularly useful to have.

    As for wp-config.php, it's only the password to the database, not to the site itself. You can't run executable code with access to the database. Admittedly, it's not 100% a good idea, but it's a necessary evil. The site has to know how to get the data from the DB.

  15. hilikus
    Member
    Posted 5 years ago #

    found a blog post explaining a really simple way of including your ftp login info in wp-config.php.

    This way it never asks for the info again!

    http://tinyurl.com/kkwgkw

Topic Closed

This topic has been closed to new replies.

About this Topic