WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#17277 closed enhancement (invalid)

Security needs need to be clearly documented

Reported by: novasource
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: WordPress.org Site
Keywords:
Focuses:
Cc:

Description

Since WordPress now has self-updating capabilities, most, possibly all, of WordPress files need to be writable by the Apache process.

http://codex.wordpress.org/Changing_File_Permissions makes no mention of permissions that allow self-updating. Following that page's advice literally, the updater process would always fail to update and take people to that goofy "enter your FTP credentials" page.

Some Google searching does not come up with a definitive answer.

For the sake of communicating best practices, please update http://codex.wordpress.org/Changing_File_Permissions so that it explains the recommended permissions needed to auto-update WordPress.

Change History (7)

#1 @kawauso
11 years ago

  • Component changed from Upgrade/Install to WordPress.org site
  • Keywords needs-codex added
  • Type changed from defect (bug) to enhancement
  • Version 3.1 deleted

#2 @novasource
11 years ago

I may have found my answer, but the codex is conflicted.

http://codex.wordpress.org/Updating_WordPress#Automatic_Update says:

Note that your files all need to be owned by the user under which your Apache server executes, or you will receive a dialog box asking for "connection information," and you will find that no matter what you enter, you won't be able to update.

However, http://codex.wordpress.org/Changing_File_Permissions#Permission_Scheme_for_WordPress says:

All files should be owned by your user account on your web server, and should be writable by your username. Files should never be owned by the webserver process itself (sometimes this is www, or apache, or nobody). ... Any file that needs write access from WordPress should be group-owned by the user account used by the webserver.

Contradictory.
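
The two Codex passages quoted above describe different ownership layouts. As an added example (not part of this ticket or of WordPress), the following Python script audits a tree and reports which layout it matches and which paths the web server could write to. `audit_tree`, `classify` and the uid/gid arguments are illustrative names, and it assumes the web server's uid and group id are known.

```python
import os
import stat
import tempfile

def audit_tree(root, web_uid, web_gid):
    """Bucket every file and directory under root by how the web server could write to it."""
    report = {"web_owned": [], "world_writable": [], "group_writable": [], "not_writable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in [""] + files:          # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                   # a symlink's mode says nothing about its target
            if st.st_uid == web_uid:
                bucket = "web_owned"       # owner can write, or chmod and then write
            elif st.st_mode & stat.S_IWOTH:
                bucket = "world_writable"  # any local account can write
            elif st.st_gid == web_gid and st.st_mode & stat.S_IWGRP:
                bucket = "group_writable"  # web server writes through its group
            else:
                bucket = "not_writable"
            report[bucket].append(os.path.relpath(path, root))
    return report

def classify(report):
    """Name which of the two quoted Codex statements the ownership matches."""
    others = report["world_writable"] + report["group_writable"] + report["not_writable"]
    if report["web_owned"] and not others:
        return "webserver-owned"   # Updating_WordPress#Automatic_Update
    if not report["web_owned"]:
        return "account-owned"     # Changing_File_Permissions
    return "mixed"

if __name__ == "__main__":
    # Constructed sample tree; the current user stands in for the shell account.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o775)
    open(os.path.join(root, "wp-config.php"), "w").close()
    os.chmod(os.path.join(root, "wp-config.php"), 0o640)
    gid = os.lstat(root).st_gid
    for web_uid in (os.getuid(), os.getuid() + 1):   # second value: a made-up, different uid
        rep = audit_tree(root, web_uid, gid)
        print(web_uid, classify(rep), rep)
```

Anything reported under `world_writable` is writable by every local account, not only the web server, and is worth reviewing whichever layout the site follows.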

#3 @andrea_r
11 years ago

Anyone with a wp.org login also has access to update the codex themselves. :) If you're aware of the specifics, it would be great if you could handle that?

The needs-codex tag in trac is for functions that may need further explanation in the codex. Not for codex work that needs to be fine tuned or rewritten. Most of that discussion takes place on the wp-docs list.

#4 @novasource
11 years ago

@andrea_r: Thanks. My concern here is that security is too important for incomplete and contradictory formal recommendations.

I feel that a clear best practice is needed to guide administrators and product development.

I wish I knew enough of WordPress's product intent/expectations to edit these documents! :-)

#5 @kawauso
11 years ago

  • Keywords needs-codex removed

#6 @WraithKenny
11 years ago

novasource, check out http://ottopress.com/2011/tutorial-using-the-wp_filesystem/ Although the topic isn't specific to this, the background information addresses what you need to know under the first section.

I took a stab at updating, commenting and clarifying those articles.

#7 @ocean90
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Anyone with a wp.org login also has access to update the codex themselves.
