WordPress How-To: Force Direct Filewrites For Upgrades

Starting with WordPress 2.8, there is an easier way to do this. See the bottom of this post for an explanation of the easier method. You should still read this post in it’s entirety though so that you understand what’s going on.

Also 777 may not be required for files (folders probably still need 777). 666 may work instead and would be slightly more secure.

In order for WordPress to be able to upgrade your plugins and the WordPress core without any modifications, at least one of four situations needs be true:

  1. Your server runs Windows: file permissions are less restrictive under Windows, so PHP can directly write to and replace the existing plugin and core files.
  2. PHP (technically your HTTPD) is the owner of the files: with some hosting companies, such as MediaTemple, Apache/PHP runs as the same user as you. Files uploaded by you and files created by PHP (for example, uploads) are owned by the same user. That means PHP can write to or edit any file on the server.
  3. You have FTP access to your server: WordPress comes built in with a library allowing the server to connect to itself via FTP to replace files. File permissions don’t really matter in this case.
  4. Your version of PHP has been compiled with the SSH module: this is rare and only done on dedicated servers really. It also makes it somewhat of a pain to upgrade PHP.

Unfortunately, none of those situations applied to me and my server. I couldn’t do direct writes as I run Linux and PHP runs as it’s own user, FTP was disabled for security (I manage my server via SSH), and recompiling PHP is a major pain in the ass. So what to do? Enter a little bit of code, care of DD32. This code either goes in a plugin (that’s what I did) or your theme’s functions.php file (but if you switch themes, this “hack” will go away).

Please note that this code should only be used on a well managed, secure dedicated server where you keep all scripts (including WordPress!) up to date. If a hacker manages to gain access to a script on your server, for example via an insecure script, then they can literally delete or modify all of your files. Don’t use this code unless you know what you are doing!

The first thing to do is to tell WordPress to use the “direct write” method, which is used in situations 1 and 2 above. This is done via a filter:

add_filter( 'filesystem_method', create_function( '$a', 'return "direct";' ) );

The usage of create_function() is just a quick way of doing it. You could create a real function if you wished.

The second thing to do is to tell WordPress what permissions to use on any files and folders it creates. The permissions need to be 0777 (or similar) so that you can still modify the files/folders if need be. That is done via two constants:

define( 'FS_CHMOD_DIR', 0777 );
define( 'FS_CHMOD_FILE', 0777 );

Put that code altogether for a plugin and it’ll look something like this:

<?php /*


Plugin Name:  Force Direct Filewrites
Plugin URI:   http://www.viper007bond.com/2009/05/07/wordpress-how-to-force-direct-filewrites-for-upgrades/
Version:      2009.05.01
Description:  Forces the "direct" filesystem method to be used and tells WordPress what permissions to use.
Author:       Viper007Bond
Author URI:   http://www.viper007bond.com/


add_filter( 'filesystem_method', create_function( '$a', 'return "direct";' ) );

define( 'FS_CHMOD_DIR', 0777 );
define( 'FS_CHMOD_FILE', 0777 );


Lastly, you need to adjust the permissions on any existing plugins so that PHP can modify them. You need to chmod your /wp-content/plugins/ folder and everything inside of it to 0777 or similar (767 may work, or even 757). If you wish to be able to one-click upgrade your WordPress install as well, then you will need to make your entire WordPress folder writable as well. Please first read this warning about the dangers of 777 though.

And that’s it! Now when you go to do a plugin upgrade, WordPress will directly replace the files. No having to wait on the slow FTP method.

Update For WordPress 2.8+

Starting with WordPress 2.8, you no longer need a plugin or anything as the filesystem method can be controlled by a constant called FS_METHOD.

In short, all you need to do is to add the following 3 lines somewhere near the top of your wp-config.php file:

define( 'FS_METHOD', 'direct' );
define( 'FS_CHMOD_DIR', 0777 );
define( 'FS_CHMOD_FILE', 0777 );

30 thoughts on “WordPress How-To: Force Direct Filewrites For Upgrades

  1. Regarding #2, you might want to clarify that some hosting companies, such as MediaTemple, run SuExec to run Apache as a Fast/CGI program and therefor Apache runs as the user.

  2. Pingback: How To Fix FTP Connection Error on Localhost WordPress | Website In A Weekend

  3. Pingback: Krylov » Wordpress – ???????? ??? ?????????????? ??????????, ????????? ???????? ? ??? ??????????

  4. Pingback: Blazing Fast WordPress Upgrades Without a Login | Blog Smarter

  5. Pingback: links for 2010-10-23 | Ronaldo Richieri

  6. Pingback: WordPress, DSO and Permissions | Ipstenu on Tech

  7. I added the 3 lines to wp-config like you recommended but I am still unable to update plugins and am getting owner permission error.
    I have WP installed on a managed VPS running Plesk 9 control panel.
    Any recommendation welcome.

  8. Thanks for this post.
    I’m glad that you broke this down enough for me to understand that I’m in the same situation as you were. I just am so hesitant to assign 0777! I have some sites I admin and host on a dedicated VPS and I’m hesitating to offer this option to my clients. Though, the trade off is installing/uninstalling plugins for them.

    Are there no other solutions that are more secure?

    BTW, and this is off-topic but still relevant: what if I choose to manually install/upgrade/uninstall plugins/themes/or even core how would I ensure that in the install or delete process i would enter/remove the right DB tables/entries ?

    • hmm maybe redo the changes after updating plugins and what ever you needed it for..just put in comments and enable again if needed?

  9. last step works, strange had not to change this before, only after i changed my web hosting provider


  10. Woo Hoo! This did the trick for me! I’m a newb with WP but am diving in head first to create a custom plugin and theme for my organization. Local development is necessary and this post fixed my site to be able to update the base themes.


  11. Pingback: Ultimate Setup Guide to Wordpress on Amazon EC2 | Web-EdgeWeb-Edge

  12. Pingback: Ultimate Setup Guide to Wordpress on Amazon EC2 - Edge Group

  13. setting files to 777 is a huge security risk. please don’t do this. this enables anyone to change any file on your server…

Comments are closed.