• Resolved ed4becky

    (@ed4becky)


    I do not have ftp installed on my server. This is intentional, but it means the plugin download/auto upgrade etc… won’t work. But I can upload images? Not sure about the inconsistency.

    Any plans for support of something other than ftp, something more secure like scp for example?
    Ed

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    This is one of those features that is so easy to use that I relaxed the security of my installation to take advantage of. If you are really concerned about the security you can harden your install and keep updating/installing manually.

    Is this your own webserver, meaning you have root access, or a shared host?

    For plugin download and auto upgrade to work, the directories need to be writeable by the webserver userid (unless you have suPHP installed, I need to look more at that option myself).

    Either make the directories owned by your webserver userid, or make the directories world writeable.

    Both are not really good security practice… world writeable gets my vote for being “more evil”.

    You could consider ftp listening on the localhost only.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    You could consider ftp listening on the localhost only.

    You could, but I don’t think it would help. None of my servers have a ftp server listening (or even installed) and the plugin install/upgrade works fine for me. It’s an addictive feature and I update Viper’s Video Quicktags frequently 🙂

    I have not looked at the code but I am pretty sure that WordPress uses php curl or similar functionality to do a HTTP GET. It does need permission to write to the wp-content/plugins directory at a minimum for it to work.

    Thread Starter ed4becky

    (@ed4becky)

    I don’t understand how you are working without ftp running. When I try to download a plugin from wordpress, the install plugin screen asks me for login info, and requires I select ftp or ftps.

    I do have root access, but prefer to give permissions to the webserver id for write permissions. The error occurs connecting to the server.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Ed4becky,

    I don’t run FTP servers on my hosts. Here is how I make it work for me.

    I’ve just put up a fresh test 2.7 install using SVN. Using the ZIP file would have been identical, I just like SVN.

    The webserver does not have any write permissions to any wordpress files or directories. The files and directories are all owned by root and my webserver is running as user www-data.

    When I try to install a plugin via Plugin -> Add New (I’m aiming for Viper’s Video Quicktags, a favorite of mine) I get the Connection Information page for installing a plugin. It’s asking for FTP info.

    That’s expected since my WordPress 2.7 does not have the ability to write to the directories it needs to. It’s asking for FTP info hoping that the FTP credentials will be able to write the files it needs to.

    I don’t run a FTP server on my host. I dislike FTP. What I do is this:

    I now run these commands in my wordpress directory:

    find wp-content | sed -e 's/\ /\\\ /g' | xargs chown www-data:www-data
    find wp-admin | xargs chown www-data:www-data

    The first line gives my webserver ownership of all the files and directories in wp-content. That will let the webserver write anything it needs to in wp-content. I add the sed portion because some of my directories and files have spaces in the names.

    The second line does the same thing for wp-admin. I don’t have a good reason why WordPress needs that to be writeable or own those files but it won’t work otherwise.

    Now I try the exact same operation for installing plugins. This time I pick WP-SuperCache. Plugins -> Add New, search for WP-SuperCache, look at it, and click on the orange Install Now button.

    Poof, it works. I activate the plugin and I’m all set.

    The automatic upgrade works the same way except you need to have the webserver process own all the wordpress/ files and directories.

    There are configurations using suPHP but I’ve not tried it so I can’t speak to that.

    Also I doubt that I’ll use automatic upgrade for 2.7 to go to the next version. I find SVN too easy for me to use.

    Let me know if this helps.

    Thread Starter ed4becky

    (@ed4becky)

    I tried and no go, still get the ftp page.

    I chown to ed:www-data and chmod 775 for everything in the wordpress directory just to be sure, but it always takes me to the ftp screen.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Ed,

    It’s a permission issue. What is the user that your webserver runs as? I use www-data because I use Ubuntu 8.04 LTS. That’s the user it runs as for me. You set the owner to be “ed” and not “www-data”.

    If you are (rightly) concerned about security, then just keep manually installing plugins the old fashioned way.

    If you want to be able to click and install plugins then do what I instructed above.

    If you have root access and if your webserver is Ubuntu 8.04 LTS and runs as www-data then go to your wordpress root and try the two commands I put above. If it’s running as some other user id then substitute that id for www-data.

    That will set the ownership to the webserver and you should be able to download and install plugins.

    Thread Starter ed4becky

    (@ed4becky)

    You were right. I changed ownership to www-data and it worked fine.

    I thought that by assigning it to the www-data group and giving the group the same permissions as owner, it would work the same. Apparently not, though I am not sure why.

    Thanx for the help.

    Ed

    jdembowski, but all you’re doing is allowing apache write access to (a subset, granted) of the www-data folders, which is exactly what should be avoided? (Other than perhaps the upload folder, if you’re allowing image etc. uploads. I block access to non-image file types via mod_rewrite.)

    Why is setting up ftp/secure ftp listening on the localhost only not a better option, as it fundamentally allows you to process these changes as a different/elevated user?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Zonknz,

    It’s “write access for the apache2 www-data user to a subset of folders” but I get what you mean.

    If ftp on localhost works for you, go for it. I dislike FTP, localhost or otherwise, so I don’t do that. Using the automated plugin download feature does move the slider away from “more secure” to “more convenient”. But that’s a choice to be made if you understand the ramifications; I do and I think Ed does too.

    Keep in mind that many WordPress installations already have write permission within wp-content. While a totally locked down WordPress installation would enforce read-only access and that would be more secure, you would lose some ease of use. There would be no inline uploads anymore and some plugins would not work such as WP-SuperCache.

    If you really want to be “more secure” then lose the plugin download feature/automatic upgrade feature. A user would have to maintain his plugins the old-fashioned way: ssh to the server, download and extract the plugins.

    That’s what we all have done in the past. I just decided to make it a little easier for me is all.
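
Added example, not part of the thread: a small audit script for the trade-off discussed above. It predicts whether WordPress will write directly or fall back to the FTP prompt, and lists everything the web server account can rewrite. The ownership rule in `predict_method` is an assumption about WordPress's filesystem check (script owner must equal the uid PHP creates files as, which is why `ed:www-data` with mode 775 still showed the FTP page); the function names and the path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit what the web server account can
# modify in a WordPress tree. Paths, uid and gid are supplied by the caller.

# foreign_owned DIR UID: list entries under DIR NOT owned by UID.
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# predict_method WP_ROOT WEB_UID
# Assumption: WordPress writes directly only when the admin scripts it runs
# are owned by the uid that PHP creates files as; group write is not enough.
predict_method() {
    if [ -z "$(foreign_owned "$1/wp-admin" "$2")" ]; then
        echo direct
    else
        echo ftp-prompt
    fi
}

# web_writable WP_ROOT WEB_UID WEB_GID: list entries the web server account
# can rewrite: owned by it, group-writable for its group, or world-writable.
web_writable() {
    find "$1" ! -type l \( -user "$2" \
        -o \( -group "$3" -perm -0020 \) \
        -o -perm -0002 \) -print
}

# exposure_count WP_ROOT WEB_UID WEB_GID: number of entries from web_writable.
exposure_count() {
    web_writable "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage (hypothetical path):
#   sh wp-audit.sh /var/www/wordpress "$(id -u www-data)" "$(id -g www-data)"
if [ "$#" -eq 3 ]; then
    echo "predicted install method: $(predict_method "$1" "$2")"
    echo "entries writable by uid $2 / gid $3: $(exposure_count "$1" "$2" "$3")"
    web_writable "$1" "$2" "$3"
fi
```

Run it before and after a `chown` to see how far the writable surface grows; any code running as the web server user can modify every path it prints.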

  • The topic ‘I don’t have FTP!’ is closed to new replies.