Wordpress, File Ownership and Permissions
In any event, what I've tried to do is to set up a site using CentOS, PHP (with APC and Suhosin), nginx, mysql and Wordpress. I've tried to follow the linode tutorials as closely as possible along the way, including the security stuff like creating a new user and disabling root and cobbling together some iptables rules.
As for users, what I did was to create a new user "smith". Tried to add him to the "sudo" group per the tutorial, but wasn't able to do so because I think the tutorial was for Debian or Ubuntu. Anyway, when I looked up the groups there didn't seem to be a "sudo" group so I used visudo and added smith to the "root" group. I'm not quite sure that was right but assumed that it was what I needed to do.
So I logged out and back in as smith and went on my merry way, sudoing to and fro to setup the various bits and pieces. I now have Wordpress seemingly up and running, but it doesn't seem quite right. For one, when I SFTP in as smith, I couldn't upload or delete any plugins or themes. I also can't enable SSH2 in Wordpress to update, delete or install plugins - error connecting or some such thing.
So now I'm thinking I may have done something along the way that has messed up either file permissions or ownership. I've tried googling but opinions seem to be all over the map on this - some say do X, while others say, no, doing X will introduce a big fat security hole. Can anyone perhaps point me to a guide (or even give some guidance) as to whether file permissions and ownership should be changed? I'd very much appreciate it. Following are the permissions currently. The base install of Wordpress is at /srv/www/my.site.com/public_html/.
drwxr-xr-x 5 nginx nginx 4096 Aug 14 06:22 public_html
Then within public_html, everything is
-rw-r--r-- 1 root root
Except for directories, including wp-content, which are all like this:
drwxr-xr-x 9 root root 4096 Aug 14 00:33 wp-admin
This is also the same with everything in the wp-content directory. The plugins and themes directory have the same ownership and permission as above - everything owned by root:root, 755 on all directories, 644 on all files. Same thing when I go one level deeper into plugins.
Perhaps needless to say, but the permissions of course don't let me FTP any new plugins up or delete existing ones. However I find this odd given I've stayed as close as I can to the tutorials.
Can anyone provide some guidance here? I'm not quite sure if some things should be set to be owned by smith, or if smith should be added to another group, or if some things should be owned by nginx or what.
Any thoughts on this would be most appreciated.
Thanks!
5 Replies
chown -R smith:smith public_html
Typically files are owned by the user whose home directory the files are being hosted from, and that user should be quarantined to writing within its respective home directory until higher permissions are granted.
1. Gave all rights to the main group. In my case group is "nginx"
2. Created one ftpuser and made it part of a group "nginx".
3. Change the ownership of site folder to ftpuser. Also, gave read/write/execute access to ftp user.
4. Set folder permissions to 755 and file permissions to 644.
5. Gave 755 permission to /wp-content.
6. Gave 754 permission to /wp-content/uploads
These steps solved the problem.
One question: If you have rwx to ftpuser, would that not prevent you from updating contents and plugins within the WP admin interface given the permissions you've set?
I am new to Linux and Linode and am working through this problem with my wordpress set up right now. Can you link to the documentation/tutorials which explain how to do each of those steps?
I've looked for how to set up ftpuser but have only found warnings against using ftp.
Thanks!
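The ownership and mode scheme discussed in this thread (a non-root owner for the site files, directories 755, files 644) can be checked with a short audit script. This is an added example, not part of any post above; the function names and output tags are its own, and the owner and docroot are passed in as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Audits a WordPress docroot against the
# scheme discussed above: one non-root owner, directories 755, files 644.
# Function names and output tags are this example's own.

# audit_wp_tree ROOT OWNER
# Prints one "TAG path" line per finding; prints nothing when the tree is clean.
# OWNER may be a user name or a numeric uid.
audit_wp_tree() {
    local root="$1" owner="$2"
    # Wrong owner: the thread's symptom was everything owned by root:root,
    # so the SFTP user could not write.
    find "$root" ! -user "$owner" -exec printf 'OWNER %s\n' {} +
    # World-writable entries: any local account could modify them.
    # Symlinks are skipped because their own mode bits are not meaningful.
    find "$root" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} +
    # Directories that are not exactly 755, files that are not exactly 644.
    find "$root" -type d ! -perm 755 -exec printf 'DIR_MODE %s\n' {} +
    find "$root" -type f ! -perm 644 -exec printf 'FILE_MODE %s\n' {} +
}

# normalise_wp_modes ROOT
# Resets modes only. Changing ownership needs root, e.g. the reply's
# `chown -R smith:smith public_html` run once via sudo.
normalise_wp_modes() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# count_findings ROOT OWNER
# Prints the number of findings, for use in a cron job or deploy check.
count_findings() {
    audit_wp_tree "$1" "$2" | wc -l | tr -d ' '
}
```

Run `audit_wp_tree /srv/www/my.site.com/public_html smith` before and after changing ownership; an empty result means the tree matches the scheme.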