Starting with WordPress 2.8, there is an easier way to do this. See the bottom of this post for an explanation of the easier method. You should still read this post in it’s entirety though so that you understand what’s going on.
Also 777 may not be required for files (folders probably still need 777). 666 may work instead and would be slightly more secure.
In order for WordPress to be able to upgrade your plugins and the WordPress core without any modifications, at least one of four situations needs be true:
- Your server runs Windows: file permissions are less restrictive under Windows, so PHP can directly write to and replace the existing plugin and core files.
- PHP (technically your HTTPD) is the owner of the files: with some hosting companies, such as MediaTemple, Apache/PHP runs as the same user as you. Files uploaded by you and files created by PHP (for example, uploads) are owned by the same user. That means PHP can write to or edit any file on the server.
- You have FTP access to your server: WordPress comes built in with a library allowing the server to connect to itself via FTP to replace files. File permissions don’t really matter in this case.
- Your version of PHP has been compiled with the SSH module: this is rare and only done on dedicated servers really. It also makes it somewhat of a pain to upgrade PHP.
Unfortunately, none of those situations applied to me and my server. I couldn’t do direct writes as I run Linux and PHP runs as it’s own user, FTP was disabled for security (I manage my server via SSH), and recompiling PHP is a major pain in the ass. So what to do? Enter a little bit of code, care of DD32. This code either goes in a plugin (that’s what I did) or your theme’s functions.php file (but if you switch themes, this “hack” will go away).
Please note that this code should only be used on a well managed, secure dedicated server where you keep all scripts (including WordPress!) up to date. If a hacker manages to gain access to a script on your server, for example via an insecure script, then they can literally delete or modify all of your files. Don’t use this code unless you know what you are doing!
The first thing to do is to tell WordPress to use the “direct write” method, which is used in situations 1 and 2 above. This is done via a filter:
add_filter( 'filesystem_method', create_function( '$a', 'return "direct";' ) );
The usage of create_function() is just a quick way of doing it. You could create a real function if you wished.
The second thing to do is to tell WordPress what permissions to use on any files and folders it creates. The permissions need to be 0777 (or similar) so that you can still modify the files/folders if need be. That is done via two constants:
define( 'FS_CHMOD_DIR', 0777 ); define( 'FS_CHMOD_FILE', 0777 );
Put that code altogether for a plugin and it’ll look something like this:
<?php /* ************************************************************************** Plugin Name: Force Direct Filewrites Plugin URI: http://www.viper007bond.com/2009/05/07/wordpress-how-to-force-direct-filewrites-for-upgrades/ Version: 2009.05.01 Description: Forces the "direct" filesystem method to be used and tells WordPress what permissions to use. Author: Viper007Bond Author URI: http://www.viper007bond.com/ **************************************************************************/ add_filter( 'filesystem_method', create_function( '$a', 'return "direct";' ) ); define( 'FS_CHMOD_DIR', 0777 ); define( 'FS_CHMOD_FILE', 0777 ); ?>
Lastly, you need to adjust the permissions on any existing plugins so that PHP can modify them. You need to chmod your /wp-content/plugins/ folder and everything inside of it to 0777 or similar (767 may work, or even 757). If you wish to be able to one-click upgrade your WordPress install as well, then you will need to make your entire WordPress folder writable as well. Please first read this warning about the dangers of 777 though.
And that’s it! Now when you go to do a plugin upgrade, WordPress will directly replace the files. No having to wait on the slow FTP method.
Update For WordPress 2.8+
Starting with WordPress 2.8, you no longer need a plugin or anything as the filesystem method can be controlled by a constant called FS_METHOD.
In short, all you need to do is to add the following 3 lines somewhere near the top of your wp-config.php file:
define( 'FS_METHOD', 'direct' ); define( 'FS_CHMOD_DIR', 0777 ); define( 'FS_CHMOD_FILE', 0777 );
Wow thankyo for the information.
Regarding #2, you might want to clarify that some hosting companies, such as MediaTemple, run SuExec to run Apache as a Fast/CGI program and therefor Apache runs as the user.
Sooooooooooooooooooo useful! Thanks very much.
Cool!!!
I can install plugin and update plugin.
Pingback: How To Fix FTP Connection Error on Localhost WordPress | Website In A Weekend
Pingback: Krylov » Wordpress – ???????? ??? ?????????????? ??????????, ????????? ???????? ? ??? ??????????
now I just have to find a define when the file writes to the server it doesn’t write it as the apache owner, and writes it as the user owner
Any thoughts?
AFAIK PHP (Apache) is only able to write as itself.
Found it:
http://httpd.apache.org/docs/2.0/mod/perchild.html#assignuserid
Ah, so it requires a module to do it.
Read the message at the top though. That module isn’t functional.
So glad I use IIS7 right now.
Used the .config file solution and I’m in business. Thank you for a great post.
I have used the method suggested for WP 2.8+. It works. Just one question though!
ANY SECURITY RISKS??
Thanks.
Yes as your files are writable by the server. If a hacker gains access to your server, then they can modify/delete/etc. any file they want.
The FTP option is the best solution, it’s just slow.
Pingback: Blazing Fast WordPress Upgrades Without a Login | Blog Smarter
Pingback: links for 2010-10-23 | Ronaldo Richieri
Thank you!! I was going to mess with the WP code, but you save me!!
Thanks a million, this really helped me out when I was about to give up on this.
Pingback: WordPress, DSO and Permissions | Ipstenu on Tech
I added the 3 lines to wp-config like you recommended but I am still unable to update plugins and am getting owner permission error.
I have WP installed on a managed VPS running Plesk 9 control panel.
Any recommendation welcome.
Thanks for this post.
I’m glad that you broke this down enough for me to understand that I’m in the same situation as you were. I just am so hesitant to assign 0777! I have some sites I admin and host on a dedicated VPS and I’m hesitating to offer this option to my clients. Though, the trade off is installing/uninstalling plugins for them.
Are there no other solutions that are more secure?
BTW, and this is off-topic but still relevant: what if I choose to manually install/upgrade/uninstall plugins/themes/or even core how would I ensure that in the install or delete process i would enter/remove the right DB tables/entries ?
hmm maybe redo the changes after updating plugins and what ever you needed it for..just put in comments and enable again if needed?
last step works, strange had not to change this before, only after i changed my web hosting provider
thanks
Woo Hoo! This did the trick for me! I’m a newb with WP but am diving in head first to create a custom plugin and theme for my organization. Local development is necessary and this post fixed my site to be able to update the base themes.
Thanks!
waooo thank you for sooo informative information
thanks alot
waooo thank you for sooo informative article it works now.
thanks alot
Pingback: Ultimate Setup Guide to Wordpress on Amazon EC2 | Web-EdgeWeb-Edge
Depending on the permission set on the server perhaps
define(‘FS_METHOD’,’direct’);
define(‘FS_CHMOD_DIR’, ( 0755 & ~ umask() ) );
define(‘FS_CHMOD_FILE’, ( 0644 & ~ umask() ) );
would be better?
as recommended by http://codex.wordpress.org/Editing_wp-config.php
Pingback: Ultimate Setup Guide to Wordpress on Amazon EC2 - Edge Group
setting files to 777 is a huge security risk. please don’t do this. this enables anyone to change any file on your server…