I have found in my experiences with Wordpress installations that sometimes they work like a dream, yet at other times, or on other web hosts they seem to work fine until you try to upload an image to the Media library or try to update a plugin automatically without FTP. I decided to try to solve this issue once and for all.
The web host I was using was NearlyFreeSpeech, they are a web host that charge you based on what you use as opposed to a monthly fee which can drive down costs dramatically, I suggest you check them out.
NearlyFreeSpeech have a great blog post that outlines how their permissions and security work on their server. You can find the article here.
The main points to note from the article are:
- The files you upload are owned by a user called ‘me’ and a group called ‘me’. The user that the webserver runs under belongs in a group called ‘web’.
- Your FTP user is the ‘me’ user, all files and folders are set to read, write and execute for the user, which makes sense because you want to be able to manage your files via FTP.
- The webserver user or its ‘web’ group don’t own your files so it has to fall back on the permissions for other/everyone as to whether it can read/write/execute. We can’t set these permissions to write for security reasons.
- By changing the group owner of your files to ‘web’ the webserver’s user will follow the group permissions, which can have the write permission.
- Nearlyfreespeech uses safe_mode in php and with that you are restricted to the directories you can manipulate because of open_basedir. We will have to prevent Wordpress using the /tmp directory which is outside of the /public folder on NearlyFreeSpeech.Steps to install Wordpress on NearlyFreeSpeech:
- Upload your Wordpress files via SFTP
- Create your Wordpress database
- SSH into your server using a program like Putty for windows
- Navigate to your /public folder in Putty and run this command to change the group owner on all files to ‘web’:
chgrp -R web *
You can run ls -l to check the group owner on your files.
- You may need to go up a directory and change the group owner on the public folder itself :
chgrp web public
This way Wordpress can create files inside the public folder.
- In your FTP software create a folder called ‘tmp’ inside your public folder
- Add this code to your wp-config.xml file:This will tell Wordpress to use the new tmp folder.
if ( !defined('WP_TEMP_DIR') )
define('WP_TEMP_DIR', dirname(__FILE__) . '/tmp/');
- Add this code to your wp-config.xml file:This will override Wordpress’ permission checks on the server and force Wordpress to use ‘direct’ for updates (automatic without FTP)
define ('FS_METHOD', 'direct');
- Check your file permissions, the user and group should have write access, other/everyone should not (Definately no 777 permissions allowed!)
- Run your Wordpress Install script
The only thing to note is that newly added files are not automatically added to the web group, so its possible you will need to set the group owner again for your files, but this is now just a single command.