Security needs need to be clearly documented

[novasource]

Since WordPress now has self-updating capabilities, most, possibly all, of WordPress files need to be writable by the Apache process.

​http://codex.wordpress.org/Changing_File_Permissions makes no mention of permissions that allow self-updating. Following that pages's advice literally, the updater process would always fail to update and take people to that goofy "enter your FTP credentials" page.

Some Google searching does not come up with a definitive answer.

For the sake of communicating best practices, please update ​http://codex.wordpress.org/Changing_File_Permissions so that it explains the recommended permissions needed to auto-update WordPress.

[novasource]

I may have found my answer, but the codex is conflicted.

​http://codex.wordpress.org/Updating_WordPress#Automatic_Update says:

Note that your files all need to be owned by the user under which your Apache server executes, or you will receive a dialog box asking for "connection information," and you will find that no matter what you enter, you won't be able to update.

However, ​http://codex.wordpress.org/Changing_File_Permissions#Permission_Scheme_for_WordPress says:

All files should be owned by your user account on your web server, and should be writable by your username. Files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody). ... Any file that needs write access from WordPress should be group-owned by the user account used by the webserver.

Contradictory.

[andrea_r]

Anyone with a wp.org login also has access to update the codex themselves. :) If you're aware of the specifics, it would be great if you could handle that?

The needs-codex tag in trac is for functions that may need further explanation in the codex. Not for codex work that needs to be fine tuned or rewritten. Most of that discussion takes place on the wp-docs list.

[novasource]

@andrea_r: Thanks. My concern here is that security is too important for incomplete and contradictory formal recommendations.

I feel that a clear best practice is needed to guide administrators and product development.

I wish I knew enough of WordPress's product intent/expectations to edit these documents! :-)

[WraithKenny]

novasource, check out ​http://ottopress.com/2011/tutorial-using-the-wp_filesystem/ Although the topic isn't specific to this, the background information addresses what you need to know under the first section.

I took a stab at updating, commenting and clarifying those articles.

[ocean90]

Anyone with a wp.org login also has access to update the codex themselves.