I do not have ftp install on my server. This is intentional, but it means the plugin download/auto upgrade etc… won’t work. But I can upload images? Not sure about the inconsistency.
Any plans for support of something other than ftp, something more secure like scp for example?
This is one of those features that is so easy to use that I relaxed the security of my installation to take advantage of. If you are really concerned about the security you can harden your install and keep updating/installing manually.
Is this your own webserver, meaning you have root access, or a shared host?
For plugin download and auto upgrade to work, the directories need to be writeable by the webserver userid (unless you have suPHP installed, I need to look more at that option myself).
Either make the directories own by your webserver userid, or make the directories world writeable.
Both are not really good security practice… world writeable gets my vote for being “more evil”.
You could consider ftp listening on the localhost only.
You could, but I don’t think it would help. None of my servers have a ftp server listening (or even installed) and the plugin install/upgrade works fine for me. It’s an addictive feature and I update Viper’s Video Quicktags frequently 🙂
I have not looked at the code but I am pretty sure that WordPress uses php curl or similar functionality to do a HTTP GET. It does need permission to write to the wp-content/plugins directory at a minimum for it to work.
I don’t understand how you are working without ftp running. When I try to download a plugin from worpdress, the install plugin screen asks me for login info, and requires I select ftp or ftps.
I do have root access, but prefer to give permissions to the webserver id for write permissions. The error occurs connecting to the server.
I don’t run FTP servers on my hosts. Here is how I make it work for me.
I’ve just put up a fresh test 2.7 install using SVN. Using the ZIP file would have been identical, I just like SVN.
The webserver does not have any write permissions to any wordpress files or directories. The files and directories are all owned by root and my webserver is running as user www-data.
When I try to install a plugin via Plugin -> Add New (I’m aiming for Viper’s Video Quicktags, a favorite of mine) I get the Connection Information page for installing a plugin. It’s asking for FTP info.
That’s expected since my WordPress 2.7 does not have the ability to write to the directories it needs to. It’s asking for FTP info hoping that the FTP credentials will be able to write the files it needs to.
I don’t run a FTP server on my host. I dislike FTP. What I do is this:
I now run these commands in my wordpress directory:
find wp-content | sed -e 's/\ /\\\ /g' | xargs chown www-data:www-data find wp-admin | xargs chown www-data:www-data
The first line gives my webserver ownership of all the files and directories in wp-content. That will let the webserver write anything it needs to in wp-content. I add the sed portion because some of my directories and files have spaces in the names.
The second line does the same thing for wp-admin. I don’t have a good reason why WordPress needs that to be writeable or own those files but it wont work otherwise.
Now I try the exact same operation for installing plugins. This time I pick WP-SuperCache. Plugins -> Add New, search for WP-SuperCache, look at it, and click on the orange Install Now button.
Poof, it works. I activate the plugin and I’m all set.
The automatic upgrade works the same way except you need to have the webserver process own all the wordpress/ files and directories.
There are configurations using suPHP but I’ve not tried it so I can’t speak to that.
Also I doubt that I’ll use automatic upgrade for 2.7 to go to the next version. I find SVN too easy for me to use.
Let me know if this helps.
I tried an no go, still get the ftp page.
I chown to ed:www-data and chmod 775 for everything in the wordpress directory just to be sure, but it always takes me to the ftp screen.
It’s a permission issue. What is the user that your webserver runs as? I use www-data because I use Ubuntu 8.04 LTS. That’s the user it runs as for me. You set the owner to be “ed” and not “www-data”.
If you are (rightly) concerned about security, then just keep manually installing plugins the old fashioned way.
If you want to be able to click and install plugins the do what I instructed above.
If you have root access and if your webserver is Ubuntu 8.04 LTS and runs as www-data then go to your wordpress root and try the two commands I put above. If it’s running as some other user id then substitute that id for www-data.
That will set the ownership to the webserver and you should be able to download and install plugins.
You were right. I changed ownership to www-data and it worked fine.
I thought that by assign it to the www-data group and giving the group same permissions as owner, it would work the same. apparantly not, though I am not sure why.
Thanx for the help.
jdembowski, but all you’re doing is allowing apache write access to (a subset, granted) of the www-data folders, which is exactly what should be avoided? (other than perhaps the upload folder, if you’re allow image etc uploads. (I block access to non-image file types via mod_rewrite).
Why is setting up ftp/secure ftp listening on the localhost only not a better option, as it fundamentally allows you to process these changes as a different/elevated user?
It’s “write access for the apache2 www-data user to a subset of folders” but I get what you mean.
If ftp on localhost works for you, go for it. I dislike FTP, localhost or otherwise, so I don’t do that. Using the automated plugin download feature does move the slider away from “more secure” to “more convenient”. But that’s a choice to be made if you understand the ramifications; I do and I think Ed does too.
Keep in mind that many WordPress installations already have write permission within wp-content. While a totally locked down WordPress installation would enforce read-only access and that would be more secure, you would lose some ease of use. There would be no inline uploads anymore and some plugins would not work such as WP-SuperCache.
If you really want to be “more secure” then lose the plugin download feature/automatic upgrade feature. A user would have to maintain his plugins the old fashion way: ssh to the server, download and extract the plugins.
That’s what we all have done in the past. I just decided to make it a little easier for me is all.
- The topic ‘I don’t have FTP!’ is closed to new replies.