How to set permissions and ownership after unzip

  • I logged in as root, in the root group. My web process (Apache 2.4) runs as www-data in the www-data group.

    After unzipping the .zip package to /var/www/html/, all files are 644 with root:root ownership. All directories are 755, also with root:root.

    After reading tons of articles and posts, I finally decided to set the ownership of all WordPress things to www-data:www-data before configuration and install. Otherwise, WordPress may not be able to write wp-config.php.

    The site was successfully created and I am able to install plugins. Then, to harden permissions, I used chown root:root -R *. Files are 644 and directories are 755.

    Then it became unable to install or delete plugins. A Connection Information dialog shows up (I am using SSH, not FTP, so I installed php-ssh2 to enable its SSH2 option. It seems to log in but shows ‘Unable to locate WordPress content directory (wp-content).’ when installing or deleting plugins).

    Someone suggested on SO that chown www-data:www-data ./wp-content (with no -R option) is also needed. I am not sure, and I tried that with no help.

    I am wondering if there is a way that I can secure my website while also being able to install new plugins. Please help me.

    P.S.

    I am familiar with Linux permissions and ownership for directories and files and the corresponding commands.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Luke

    (@ultrablogger)

    Are you using cPanel? If you are, all you need to do is click the file once and then click “permissions” at the top. There you can edit file permissions.

    Dion

    (@diondesigns)

    Your biggest issue is that you’re running PHP as the same user as the webserver. That’s a security nightmare which you recognized, but unfortunately, you “hardened” your WordPress installation into being unusable.

    Please restore the ownership of all WordPress files to either www-data, or preferably to a non-root user that has either FTP or SSH access. Then go back and give /wp-content/uploads and all its subdirectories 0777 permissions. Otherwise, in addition to the problems you already experienced, you will never be able to update WordPress.

    The best solution is to set up PHP to run as a different (non-root) user than the webserver (using PHP-FPM or other FastCGI handler), then set the WP filesystem ownership to that user, with 0644/0755 permissions.
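
    The layout described in the reply above (everything owned by the PHP user, files 0644, directories 0755) can be checked with a short audit script. This is an added example, not part of the original thread; the function names, the placeholder user name and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress tree against the
# layout "owned by the PHP user, files 0644, directories 0755".

# Print one line per deviation. Returns 0 if clean, 1 if deviations were
# found, 2 if the owner name/uid is not accepted by find.
audit_wp_perms() {
    root=$1 owner=$2
    # find rejects an unknown user name; without this check an invalid owner
    # would produce an empty (falsely clean) report.
    find "$root" -prune -user "$owner" >/dev/null 2>&1 || {
        echo "cannot check ownership for: $owner" >&2; return 2; }
    report=$(
        find "$root" ! -user "$owner" -exec printf 'OWNER %s\n' {} \;
        find "$root" -type f ! -perm 644 -exec printf 'FILEMODE %s\n' {} \;
        find "$root" -type d ! -perm 755 -exec printf 'DIRMODE %s\n' {} \;
        find "$root" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Reset modes only. Changing ownership needs root: chown -R "$owner" "$root".
fix_wp_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree (not a real install) with two deliberate deviations.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/plugins"
    : > "$t/wp-config.php"; : > "$t/wp-content/plugins/example.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/plugins"
    chmod 644 "$t/wp-content/plugins/example.php"
    chmod 777 "$t/wp-content/uploads"   # world-writable directory
    chmod 666 "$t/wp-config.php"        # world-writable file
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /var/www/html phpuser   (phpuser is a placeholder name)
if [ $# -eq 2 ]; then audit_wp_perms "$1" "$2"; fi
```

    Each reported line names the kind of deviation and the path, so the output can be reviewed before any chmod or chown is run.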

    @diondesigns Hi, thank you for pointing out the difference between PHP user and Webserver user. I will check that out and return back here. Thank you!

    @diondesigns BTW, should I change wp-content/upgrade to 0777 as well? I found it was created during installation.
