Can’t update WordPress with hardened permissions

  • Hello!

    On our site we follow the recommendations from this article:

    Hardening WordPress

    Which means the folders are like this:

    sudo chown -R our-user.our-user .
    sudo chown -R www-data.www-data wp-content/

    Since several months ago we noticed we can’t update WordPress anymore (we can update plugins). We have to “open up” permissions now:

    sudo chown -R our-user.our-user .

    And after updating the site’s WordPress version, then we need to “close” permissions:

    sudo chown -R www-data.www-data wp-content/

    Is there a way to fix this? Be able to update WordPress while still using hardened permissions?

    Thanks!

    • This topic was modified 1 year, 10 months ago by levycarneiro.
Viewing 4 replies - 1 through 4 (of 4 total)

  • You are using chown wrong. it is chown user:group so shown www-data:www-data (: not .)

    I don’t understand what you mean by closing permissions?
    If you mean you are changing the owner to another user, no you cannot update wordpress with wrong permissions.
    the www-data user would not be able to write to the wordpress folders and thus an update is not possible.

    • This reply was modified 1 year, 10 months ago by !Benni.
    • This reply was modified 1 year, 10 months ago by !Benni.
    Thread Starter levycarneiro

    (@levycarneiro)

    Hello @benniledl ,

    sorry, it’s an error. Command chown above should have a “:”.

    Closing permissions = only “wp-content” folder is writable by Apache user (www-data).

    Opening up permissions = making all folders writable by Apache user (www-data).

    We have been using this recommended setup for years and only recently (past several months) it became an issue, not allowing us to update WordPress anymore (can only update plugins). Because of this issue, now we have to open up permissions via a SSH session > then update WordPress via web > then close down permissions (via SSH). Trying to find a solution for this.

    Perhaps the hardening permissions article is not supported anymore by current WordPress? In which case, it needs to be updated?

    Thanks!

    Hi,
    I am not so sure on this topic.
    I will ask someone who really knows this topic for help.

    I don’t think that hardening WordPress by changing permissions in benefits you.
    Maybe this is good for a really large company where there are individualized attacks on their site, not for a normal site where just the automatic attacks come in. ( Sorry if I just assume your site isn’t that big but to have attackers attack you individually is very rare )

    • This reply was modified 1 year, 10 months ago by !Benni.
    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    How you set permissions is really dependent on the way in which your web server is configured.

    However, if you are changing the owner that is most likely going to interfere with WordPress ability to update itself. It is rare that you would want to change the permissions or ownership away from their natural ones, and never if you want to use the auto update feature.

    Changing ownership to “Harden” WordPress is specifically going to change it in a way that so that WordPress cannot update itself. If you want to use auto-updating, don’t do this “hardening”.

    BTW, nothing is new with regard to this in WordPress. There has been no change in the last several months. There has been no change to his process since it was created in WordPress 3.7, in fact.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Can’t update WordPress with hardened permissions’ is closed to new replies.