Need help with WordPress permissions on server - Page 2

Comments

  • +1

    Thanked by 1Falzo
  • @Amitz said:

    thanks for the kind words, much appreciated!

    I think I became kind of addicted to that filthy, drama-driven place named LET ;-)

    after finding a lot of useful information between the dirt that's thrown around here I do find it appropriate to try and give something back, if I feel I know about or just ran into similar trouble before...

  • Falzo said: after finding a lot of useful information between the dirt that's thrown around here I do find it appropriate to try and give something back, if I feel I know about or just ran into similar trouble before...

    Very much appreciated in return! :-)

  • I got a new issue with the new settings... I cannot upload files via FTP. Or I can with root user, but not any of the site users, and I don't know the password for Apache, so can't use that. It is not the password to the user.

    How can I solve this, need to upload files.

  • You can't have your cake and eat it too: permissions/ownership that allow web-based WP updates also allow exploited scripts to wreak havoc.

    Assuming your account user is "myuser", PHP runs as "apache" and your WP site is located at "/home/myuser/public_html".

    # First, reset permissions to 755 for folders and 644 for files:
    
    [root@vps] find /home/myuser/public_html -type d -exec chmod 755 {} +
    [root@vps] find /home/myuser/public_html -type f -exec chmod 644 {} +
    
    # Secure the site, allowing apache to write only to the 'uploads' folder.
    # This will prevent damage by any exploited php scripts (which run as apache).
    # This will also BLOCK the wp update processes (which run as apache).
    
    [root@vps] chown -R myuser:myuser /home/myuser/public_html
    [root@vps] chown -R apache:apache /home/myuser/public_html/wp-content/uploads
    
    *** Configure your webserver to disallow execution of PHP scripts in /home/myuser/public_html/wp-content/uploads
    
    
    # WP UPDATE PROCESS
    
    # Change ownership to allow wp update processes:
    
    [root@vps] chown -R apache:apache /home/myuser/public_html
    
    # Do the updates. Immediately after, change ownership back to myuser for security:
    
    [root@vps] chown -R myuser:myuser /home/myuser/public_html
    [root@vps] chown -R apache:apache /home/myuser/public_html/wp-content/uploads
    
    Thanked by 1myhken
  • So you are telling me that I have created a huge security risk on my server?

    Thanked by 1tux
  • myhken said: So you are telling me that I have created a huge security risk on my server?

    Any file that is owned by "apache" can be overwritten by an exploited script running as "apache".

    Any folder that is owned by "apache" can be written to by an exploited script running as "apache".

    Thanked by 2myhken tux
  • So going back to user:user and then have a folder there I can upload the new WordPress and then use a script like I did before to update all sites is better then?

  • It's better in terms of security -- as long as the script leaves the WP directory tree owned entirely by "user", with the exception of the "uploads" folder.

    Whether it's better in terms of ease of updates is another story. "Secure" and "easy" seldom go hand-in-hand.

    You may want to delve into http://wp-cli.org/

    Thanked by 1myhken
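
A check for the ownership model discussed in this thread, added here as an example and not written by any of the posters: it reports anything outside `wp-content/uploads` owned by the web server user, PHP files inside `uploads`, and modes looser than 755/644. The function names are assumptions; the path and user in the usage comment are the ones from the post above.

```sh
#!/bin/sh
# Added example: audit a WordPress tree against the locked-down ownership model.
# Assumed (not from the thread): the function names; web user given as name or UID.

# Paths OUTSIDE wp-content/uploads that the web server user owns. An exploited
# PHP script running as that user can overwrite these, so expect no output.
web_owned_outside_uploads() {
    find "${1%/}" -path "${1%/}/wp-content/uploads" -prune -o -user "$2" -print
}

# PHP files inside uploads, the one tree the web server user may write to.
php_in_uploads() {
    [ -d "${1%/}/wp-content/uploads" ] || return 0
    find "${1%/}/wp-content/uploads" -type f -iname '*.php' -print
}

# Anything group- or world-writable, i.e. looser than the 755/644 reset.
loose_modes() {
    find "${1%/}" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Run all three checks; returns 0 when the tree matches the model, 1 otherwise.
audit_wp_tree() {
    wp_root=${1%/}; web_user=$2; findings=0
    owned=$(web_owned_outside_uploads "$wp_root" "$web_user")
    php=$(php_in_uploads "$wp_root")
    loose=$(loose_modes "$wp_root")
    if [ -n "$owned" ]; then
        printf 'Owned by %s outside uploads:\n%s\n' "$web_user" "$owned"
        findings=1
    fi
    if [ -n "$php" ]; then
        printf 'PHP files inside uploads:\n%s\n' "$php"
        findings=1
    fi
    if [ -n "$loose" ]; then
        printf 'Group/world-writable paths:\n%s\n' "$loose"
        findings=1
    fi
    return "$findings"
}

# Usage (path and user from the post above):
#   audit_wp_tree /home/myuser/public_html apache
```

Run it after each update window, once ownership has been switched back to the account user.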