Hi @narratorben, thanks for your query.
Web servers such as Apache, Nginx, etc. will require www-data to be an owner on the wflogs directory so that Wordfence can update the firewall files when required to do so. It sounds to me like the Unix default 600 permission is being set because Wordfence needs access and can only do so as owner.
> I set this up permissions correctly for the wflogs folder in a way that both my web server and FTP user can access
When you say this, do you mean you have created a group to take ownership of the wflogs folder that includes both your FTP user(s) and www-data?
If you are using groups when setting owners/permissions for the FTP users, adding www-data to that group so that Wordfence is still able to gain read/write access to that folder should be a solution here.
Thanks,
Peter.
Hi Peter,
Thanks for the reply, I think that I was setting it up the wrong way around, I was setting permissions of 660 with the FTP user as the owner and www-data as the group but Wordfence was then taking ownership and setting 600 effectively locking out the FTP user.
I’ve now set www-data as the owner with the FTP user as the group and 660 permissions so I’ll see how that goes.
Appreciate the help.
Hi @narratorben, thanks for the follow-up and hopefully that change should work for you.
I’ll be happy to assist further if we need to give it any more attention.
Thanks,
Peter.
Hi Peter,
Unfortunately it still doesn’t work, I’ve tried the permissions both ways around so either:
rw-rw---- ftpuser:www-data
or
rw-rw---- www-data:ftpuser
permissions on the folder are the same but 0770 rather than 0660
Neither works, I always either get Wordfence complaining that it can’t write the files (even though the permission setup means it can) that happens with the second one, or I get it changing the permissions to 600 with the first option which locks out my FTP user and leads to the same error.
I think it is because with my setup when logged in to WordPress PHP has the permissions of FTP user and when logged out it has www-data so WF is getting confused. Ideally I just need it to stop changing the permissions as I have already set them to something that works, is this possible?
Hi @narratorben, thanks again for providing some great detail. We’ve been looking a little further into this and there’s a couple of potential solutions that we hope work for you.
Provided you’re satisfied the permissions are safe, we have a constant that will allow Wordfence to set the permissions differently for you in wp-config.php:
define('WFWAF_LOG_FILE_MODE', 0770);
This should be set after the opening comment, but before the if statement. More details are included here, at the end of the Web Application Firewall section: https://www.wordfence.com/help/advanced/constants/
Alternatively, you could try the WAF’s MySQLi storage engine, to avoid needing to write to the wflogs folder at all: https://www.wordfence.com/help/firewall/mysqli-storage-engine/
Thanks again,
Peter.
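One way to check that a chosen mode is safe before and after setting the constant, as an added example that is not part of the thread and is not Wordfence code: it reads the mode passed to WFWAF_LOG_FILE_MODE from a wp-config.php, lists anything under wflogs that every local account can reach, and lists files the group cannot read and write (the 600 reset described above). The function names are hypothetical and the demo tree is constructed sample data.

```shell
#!/usr/bin/env bash
# Added example, not Wordfence code. Paths passed in are the caller's choice;
# the tree built by demo() is constructed sample data.

# Entries with any "other" permission bit set: reachable by every local account.
world_accessible() {
  find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Regular files the group cannot both read and write, such as a file reset
# to 600, which is the lockout described in the thread.
group_locked_out() {
  find "$1" -type f ! -perm -060 -print | sort
}

# Octal mode given to WFWAF_LOG_FILE_MODE in a wp-config.php, if any.
# Lines where the define is commented out are ignored.
configured_mode() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]WFWAF_LOG_FILE_MODE['\"][[:space:]]*,[[:space:]]*\(0[0-7]\{3\}\)[[:space:]]*).*/\1/p" "$1" | head -n 1
}

# Succeeds when the last octal digit (the "other" bits) is 0.
mode_is_world_closed() {
  case "$1" in *0) return 0 ;; *) return 1 ;; esac
}

# Build a constructed sample tree and run the checks against it.
demo() {
  local root; root=$(mktemp -d)
  mkdir "$root/wflogs" && chmod 770 "$root/wflogs"
  printf "<?php\ndefine('WFWAF_LOG_FILE_MODE', 0770);\n" > "$root/wp-config.php"
  touch "$root/wflogs/shared.php" "$root/wflogs/reset.php" "$root/wflogs/open.php"
  chmod 660 "$root/wflogs/shared.php"   # group can read and write
  chmod 600 "$root/wflogs/reset.php"    # owner-only, group member locked out
  chmod 664 "$root/wflogs/open.php"     # world-readable, should be flagged
  echo "configured mode: $(configured_mode "$root/wp-config.php")"
  echo "world accessible:"; world_accessible "$root/wflogs"
  echo "group locked out:"; group_locked_out "$root/wflogs"
  rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the output on the sample tree, or source it and call the functions on a real wflogs path.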
Thanks Peter,
The file mode constant sounds like exactly what I need.
Thanks for the swift and knowledgeable help, very much appreciated.
Hi @narratorben. Glad to hear it, and thank you for the kind words – happy to be of assistance!
Peter.