• Hi all,

    We’ve been running WordPress on IIS for many of our clients for around a year now. While Web Platform Installer for IIS installs WordPress for you very successfully and it runs perfectly fine, the one thing I found it does not do is set permissions correctly for folders, including the wp-content/uploads folder. I have to go in and change permissions for wp-content so that IUSR has write permissions. The same is true if I want to perform a WordPress update from within WordPress – you have to apply write permissions for IUSR.

    But, write permissions for IUSR on your entire WordPress directory is not such a great idea, as I once found out. This is problematic as I am unable to do WordPress updates automatically – I have to manually update it. And with 30+ sites, it’s boring.

    I have tried finding documentation on the correct way to set up permissions for WordPress using Windows Server / IIS but I have not found a definitive guide.

    So I ask the community – how should permissions be set up for WordPress on Windows / IIS in a way that does not compromise security?

    Please do not answer with “don’t use Windows”, as tempting as it may be.

    Thank you in advance,

    Regards,

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter AmmyKami83

    (@ammykami83)

    For anyone interested, these settings worked for me and I believe from a security point of view they should be fine.

    First, ensure in IIS that the identity of the application pool your site is running under is ApplicationPoolIdentity.

    Then, the folder permissions should be as follows:

    CREATOR OWNER – special permissions
    IUSR – Read & Execute, List Folder contents, Read
    SYSTEM – Full Control
    Administrators – Full Control
    Users – Full Control
    IIS APPPOOL\<the name of your application pool> – full control

    The permissions above worked for me and allowed full upload and editing of images and automatic updates.

    I heard that granting NETWORK SERVICE and IUSR Full Control is bad news for your security, and I’ve seen this first hand.

    If anyone agrees or disagrees, please comment because I’d love to know!

    Thread Starter AmmyKami83

    (@ammykami83)

    Updating this post.

    After reading about IIS_IUSRS and actual requirements, I reviewed what is actually required and slimmed permissions down to:

    CREATOR OWNER – special permissions
    SYSTEM – Full Control
    Administrators – Full Control
    Users – Read and Execute, List Folder Contents, Read
    IIS_IUSRS – Full Control

    IIS_IUSRS is a group into which IIS adds ApplicationPoolIdentities. First, ensure your website’s ApplicationPool is running under ApplicationPoolIdentity. Then, add that ApplicationPoolIdentity to the group. Then give that group full control.

    Yes, my concern too was that “then, all the application pools have permissions to all websites roots”. I shall see what happens.
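
    The second permission set above grants Full Control to IIS_IUSRS, and the reply after it raises the concern that every application pool then has rights on every site root. As an added example (not code from any poster in this thread), the PowerShell below classifies the write-capable ACEs on a site root by whether they belong to this site's pool, another pool, or a principal that is not specific to the site. The function names, the pool name `ExampleSitePool` and the sample ACEs are constructed assumptions.

```powershell
# Added example (not from the thread): list who holds write-capable NTFS rights on a site root.
# Principals that are not specific to one site, or that serve anonymous requests.
$SharedPrincipals = 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'NT AUTHORITY\IUSR',
                    'NT AUTHORITY\NETWORK SERVICE', 'Everyone'
# Administrative principals that are expected to hold Full Control.
$AdminPrincipals  = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function Test-WriteCapable {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    # Bits that allow creating, changing or deleting content, or re-permissioning it.
    $mask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    return ([int]$Rights -band [int]$mask) -ne 0
}

function Get-SiteRootWriteGrant {
    param(
        [Parameter(Mandatory)] [object[]]$Ace,        # e.g. (Get-Acl $siteRoot).Access
        [Parameter(Mandatory)] [string]$AppPoolName   # pool the site runs under
    )
    $own = "IIS APPPOOL\$AppPoolName"
    foreach ($a in $Ace) {
        $id = "$($a.IdentityReference)"
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }
        if ($AdminPrincipals -contains $id)        { continue }
        if (-not (Test-WriteCapable $a.FileSystemRights)) { continue }
        if ($id -eq $own) {
            $scope = 'ThisPool'        # only this site's worker process
        } elseif ($id -like 'IIS APPPOOL\*') {
            $scope = 'OtherPool'       # another site's worker process can write here
        } elseif ($SharedPrincipals -contains $id) {
            $scope = 'Shared'          # grant is not limited to this site
        } else {
            $scope = 'Other'
        }
        [pscustomobject]@{ Identity = $id; Rights = "$($a.FileSystemRights)"; Scope = $scope }
    }
}

# Constructed ACEs mirroring the permission sets posted above (not read from a real server).
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';         FileSystemRights = 'FullControl';    AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users';               FileSystemRights = 'ReadAndExecute'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\IIS_IUSRS';           FileSystemRights = 'FullControl';    AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'IIS APPPOOL\ExampleSitePool'; FileSystemRights = 'FullControl';    AccessControlType = 'Allow' }
)
Get-SiteRootWriteGrant -Ace $sample -AppPoolName 'ExampleSitePool' | Format-Table -AutoSize
```

    On a server, pass `(Get-Acl <site root>).Access` as `-Ace` in place of the sample; rows with Scope `Shared` or `OtherPool` are the grants the concern above is about.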

    Hey @ammykami83, just wanted to say thanks!! This totally solved my problem. Kudos.

    I was testing this today and failing to update properly but was able to resolve the problem.

    Back end:
    Server 2012 R2
    VMware ESXi 5.5
    Guest VM running IIS 8.5.9600 with MySQL local DB
    Host running actual WP site behind reverse IIS proxy (not important for this exercise but noted nonetheless)

    I attempted to update plugins and core site files but failed. IIS_IUSRS were given full control.
    I examined the permissions of the .maintenance file while the update was in progress and the owner was IUSR.

    I reverted back to my snapshot after the failed upgrade. IIS_IUSRS had default permissions again. This time I added IUSR to the root of the site with full permissions and the upgrades took successfully.

    I am going to tweak the permissions and remove “take ownership” from the IUSR account moving forward.

    It seems like IUSR needs full (or near full) NTFS perms for updates and upgrades. This was all on the back end IIS server with the WP site, not the proxy server.

    If the IUSR account has been deleted, any idea how to get it back?

  • The topic ‘The Correct Permissions for WordPress on IIS’ is closed to new replies.