Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Advertise on LowEndTalk.com
Need help with WordPress permissions on server
New on LowEndTalk? Please read our 'Community Rules' by clicking on it in the right menu!

Need help with WordPress permissions on server

I have lots of WordPress installations on one of my servers. Before they was split on three different VPSs, but now all is at one server.
My issue is when it comes new security updates, 4 of my installations do update automatically, the rest don't. Thats apply to main wordpress versions, and plugins and themes.

Beside themes I want everything to auto update, or that I can just press update in the control panel (for plugins/themes).

The real issue here is file/folder permissions. My folder has 755, and my files has 664. And then the update don't work. When I set the file/folder permission to 775 it works. And after the update, the permissions is automatically set back to 755 and 664.

How can I fix this issue? I want all major and minor updates to WordPress to automatically be installed. Not just the 4 installations that get it today.
And I want to press update on plugins and themes and get them updated.

Can a script solve the last issue. A script that I can run (bash) before I start updating?
How will that script look like? I can only change file/folder permissions on files and folders that's need updating, or the settings will be 775 on all folders and files. That's a security risk?

And how to solve the first issue, that WordPress always is updated on all sites?

Kenneth Myhre
WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

Comments

  • I think you have to change the ownership of the files. Maybe someone can tell more on this.

    Thanked by 1myhken
  • seriesnseriesn Member, Provider

    What plugins are being used on that installation and is it a basic lamp stack or using control panels?

    Each and every one of your wordpress install configured the same way?

    Thanked by 1myhken
  • @WHT @seriesn

    I think you have to change the ownership of the files. Maybe someone can tell more on this.

    The ownership is the user of the site, so that's correct.

    What plugins are being used on that installation and is it a basic lamp stack or using control panels?

    Just Akismet and Jetpack. And I use Virtualmin on CentOS 6.8 64bit

    Each and every one of your wordpress install configured the same way?

    Yes

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • jarjar Provider

    myhken said: The ownership is the user of the site, so that's correct.

    Is it the user that PHP is executing the code as?

  • All files related to WordPress must be owned by the same user who also owns the PHP process (in the case of PHP-FPM) or the Apache process (if you're using mod_php).

    If you aren't using any control panel try one of the following:

    On PHP-FPM:

    chown -R www-data:www-data /path/to/document/root
    

    On Apache (Debian variants):

    chown -R apache:apache /path/to/document/root
    

    Apache on CentOS:

    chown -R httpd:httpd /path/to/document/root
    

    It is enough for files to have 644 and directories to have 755 permissions.

    If you're using a web hosting control panel the user could be different. You can use the posix_geteuid() function to find out the user ID of the current process.

    Thanked by 1myhken
  • seriesnseriesn Member, Provider

    Should it not be? Last time I used webmin(ages ago) it used to assign right perms. Then again things could always go wrong.

    @jarland said:

    myhken said: The ownership is the user of the site, so that's correct.

    Is it the user that PHP is executing the code as?

    Thanked by 1myhken
  • jarjar Provider

    seriesn said: Should it not be?

    My time dealing with customers has taught me that a statement like this:

    myhken said: The ownership is the user of the site

    Could be taken to mean that "This is Bobby's site, so the user 'bobby' definitely owns the files." Meanwhile, it's not a suPHP environment and mod_php is executing the code as www-data.

    Thanked by 2myhken seriesn
  • @Jarland @jesin

    Let say that I have a user called Test that have a WordPress installation. Then under the file/folder rights it say test:test 0755 or test:test 0664
    And so on with all users on the server. So changing it to httpd:httpd will not help or?

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • jarjar Provider
    edited September 2016

    myhken said: Let say that I have a user called Test that have a WordPress installation. Then under the file/folder rights it say test:test 0755 or test:test 0664 And so on with all users on the server. So changing it to httpd:httpd will not help or?

    Well unless you have something like a suPHP setup, the web server isn't executing the code as "test" but instead as "httpd" (assuming that's the correct user). If that's the case, httpd can't write to test's files by default. So you're having to change permissions to allow another user to write test's files. The correct short path would be to set the files to be owned by httpd then.

    Though you could do some stuff with groups I guess. There's no security gain there though IMO.

    Thanked by 1myhken
  • Going to setup a test domain and wordpress installation, and then see if I can change the settings to httpd:httpd. But that have to wait to tomorrow. Tnx for all inputs, and I will be back tomorrow asking more stupid questions ;)

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • myhken said: Let say that I have a user called Test that have a WordPress installation. Then under the file/folder rights it say test:test 0755 or test:test 0664 And so on with all users on the server. So changing it to httpd:httpd will not help or?

    Create an empty file inside the document root of the problematic WordPress with the following code:

    <?php echo exec('whoami'); ?>
    

    Access this file over the web browser. It'll display a username and all WordPress files should be owned by this user for updates to work.

    Thanked by 2jar myhken
  • @jesin

    Got apache, so then I have to change the settings to apache:apache then?

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • @jesin
    Yes, that worked. Changed user and group to apache on one site, and I could upgrade it without any issue. Sure auto update work later on also.
    And the site works fine with apache:apache

    So then I know what I will do tomorrow.... change all users and groups to apache.

    Thank you. And to all other helping me out.

    Thanked by 1jesin

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • myhken said: @jesin Yes, that worked. Changed user and group to apache on one site, and I could upgrade it without any issue. Sure auto update work later on also. And the site works fine with apache:apache

    So then I know what I will do tomorrow.... change all users and groups to apache.

    Great! Now put exec and similar functions in the disable_functions directive unless it is needed for something else :)

    Thanked by 1Falzo
  • instead of giving all files to apache hence making it possible to manipulate files cross-site in the worst case, it may be a better approach to switch to suphp, fastcgi/suexec, mpm_itk or likewise and keep the owners of the pages separated.

    as @jesin suggested keep a look at your php config and disable functions which may be considered a security risk. also have a look at directives like open_basedir which may add some isolation between your sites.

    Thanked by 2jar BeardyUnixGuy

    most recommended Provider: First-Root KVM Power-Edition /w SSD
    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • myhkenmyhken Member
    edited September 2016

    What is the worst case scenario with using apache:apache on all sites @Falzo ? Sorry...you already told me...

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • Can I just change to suphp with the setup I have now? Will it work with Virtualmin, and my sites?

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • ManofServerManofServer Member
    edited September 2016

    I have a few Wordpress blogs for Linux ISO files, make sure you 755 all the domain folders and sub-folders (wp-content, wp-admin, etc.).

    Thanked by 1myhken
  • done

    Thanked by 1ManofServer

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • chown -R user.apache

    Should do what you want in most cases like this, if not then the above applies.

    Thanked by 1myhken
  • @ATHK said:
    chown -R user.apache

    Should do what you want in most cases like this, if not then the above applies.

    That did not work for updates of the sites. Working with apache:apache only.

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • @myhken said:

    @ATHK said:
    chown -R user.apache

    Should do what you want in most cases like this, if not then the above applies.

    That did not work for updates of the sites. Working with apache:apache only.

    Damn sorry for wasting your time! Stupid apache ;)

    Thanked by 1myhken
  • Don't worry. I open for all suggestions. But I think I have found the right path now. The only concern I have now it's security.
    I have of course blocked access to wp-admin. Just my IP's that has access. Also have changed SSH port, and use AllowUsers [email protected] IPs.

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • Changing ssh port won't do a thing a simple scanner can find and detect it.

    It may limit noise in the file though.

  • sle44102sle44102 Member
    edited September 2016

    Double check your settings in Virutalmin > Server Configuration > Website Options
    and be sure that PHP script execution mode is either FCGid or CGI Wrapper not apache mod_php.

    be sure to be logged in as the account you are trying to fix.

    I know i had that happen in the past on joomla sites where i fat fingered it and caused issues.

    Thanked by 1myhken
  • @ATHK said:
    Changing ssh port won't do a thing a simple scanner can find and detect it.

    It may limit noise in the file though.

    I know, but they can't login when they find it, if they don't have the correct IP, and then they have to use my computer.

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • @sle44102 said:
    Double check your settings in Virutalmin > Server Configuration > Website Options
    and be sure that PHP script execution mode is either FCGid or CGI Wrapper not apache mod_php.

    be sure to be logged in as the account you are trying to fix.

    I know i had that happen in the past on joomla sites where i fat fingered it and caused issues.

    All sites uses FCGid, so then all is OK?

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • @myhken: worst case scenarios are hard to grep, as there are a lot of possible configurations you could have set up :-)

    as for post above: if you have multiple websites running and all belong to apache, then if a single website got broken into the attacker may be able to gain access to the other sites too. just because he is able to run his scripts as apache user and possibly access all other files that belong that apache user on that server.

    limiting php access per vhost via a strict open_basedir rule may be one step to do against this, as there are other possibilities.

    if everything is already running via fcgi now you probably want to have a look into either suexec or mod_ruid2.

    if you like or need to run php as a apache module rather then via cgi wrapper I'd suggest mpm_itk which seems to deliver good performance while running childs with their respective owner.

    virtualmin might out of the box just use the default behaviour the system has been setup with, that may cause the differences in behaviour to your servers you used before.

    Thanked by 2myhken BeardyUnixGuy

    most recommended Provider: First-Root KVM Power-Edition /w SSD
    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • @andygrider said:
    this is strange ı think , I dont change mods of the my files and everytime they are updated automatic .May be you should upload wordpress files manually .

    As I told in the first post, on some domains from one VPS it all worked fine. But on the rest, it did not work. But after advice in this thread, I have got it to work now.
    I'm not interested in updating lots of site manually. Before I had a script, uploaded the files to a folder, and updated all the sites on the VPS there it did not work with the script. Worked fine that also, but the best thing is autoupdate.

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • Just on a sidenote:
    I am always impressed how helpful and knowledgable most of @Falzo's posts here on LET are. We should really introduce something like a "Gold Member" or so tag for people as helpful as him. There is a good handful of members that I would have on my list and @Falzo is definitely one of them!

    For those who care:
    You can now find me at https://talk.lowendspirit.com or https://www.hostballs.com

  • +1

    Thanked by 1Falzo

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • @Amitz said:

    thanks for the kind words, much appreciated!

    I think I became kind of addicted to that filthy, drama-driven place named LET ;-)

    after finding a lot of useful information between the dirt that's thrown around here I do find it appropriate to try and give something back, if I feel I know about or just ran into similar trouble before...

    most recommended Provider: First-Root KVM Power-Edition /w SSD
    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • Falzo said: after finding a lot of useful information between the dirt that's thrown around here I do find it appropriate to try and give something back, if I feel I know about or just ran into similar trouble before...

    Very much appreciated in return! :-)

    For those who care:
    You can now find me at https://talk.lowendspirit.com or https://www.hostballs.com

  • I got a new issue with the new settings....I can not upload files via FTP. Or I can with root user, but not any of the site users, and I don't know the password for Apache, so can't use that. It is not the password to the user.

    How can I solve this, need to upload files.

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • You can't have your cake and eat it too: permissions/ownership that allow web-based WP updates also allow exploited scripts to wreak havoc.

    Assuming your account user is "myuser", PHP runs as "apache" and your WP site is located at "/home/myuser/public_html".

    # First, reset permissions to 755 for folders and 644 for files:
    
    [[email protected]] chmod 755 $(find /home/myuser/public_html -type d)
    [[email protected]] chmod 644 $(find /home/myuser/public_html -type f)
    
    # Secure the site, allowing apache to write only to the 'uploads' folder.
    # This will prevent damage by any exploited php scripts (which run as apache).
    # This will also BLOCK the wp update processes (which run as apache).
    
    [[email protected]] chown -R myuser:myuser /home/myuser/public_html
    [[email protected]] chown -R apache:apache /home/myuser/public_html/wp-content/uploads
    
    *** Configure you webserver to disallow execution of PHP scripts in /home/myuser/public_html/wp-content/uploads
    
    
    # WP UPDATE PROCESS
    
    # Change ownership to allow wp update processes:
    
    [[email protected]] chown -R apache:apache /home/myuser/public_html
    
    # Do the updates. Immediately after, change ownership back to myuser for security:
    
    [[email protected]] chown -R myuser:myuser /home/myuser/public_html
    [[email protected]] chown -R apache:apache /home/myuser/public_html/wp-content/uploads
    
    Thanked by 1myhken
  • So you are telling me that I have created a huge security risk on my server?

    Thanked by 1tux

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • myhken said: So you are telling me that I have created a huge security risk on my server?

    Any file that is owned by "apache" can be overwritten by an exploited script running as "apache".

    Any folder that is owned by "apache" can be written to by an exploited script running as "apache".

    Thanked by 2myhken tux
  • So going back to user:user and then have a folder there I can upload the new WordPress and then use a script like I did before to update all sites is better then?

    Kenneth Myhre
    WindowsTemplate.com - free Windows templates for OVH/Hetzner/Kimsufi/Online.net

    Powered by Hetzner.com, backed up by OVH, Kimsufi and VULTR.com

  • It's better in terms of security -- as long as the script leaves the WP directory tree owned entirely by "user", with the exception of the "uploads" folder.

    Whether it's better in terms of ease of updates is another story. "Secure" and "easy" seldom go hand-in-hand.

    You may want to delve into http://wp-cli.org/

    Thanked by 1myhken
Sign In or Register to comment.