Make WordPress Core

Opened 11 days ago

Last modified 4 days ago

#49403 new defect (bug)

WordPress prompts for FTP credentials to perform updates

Reported by: shadowlmd Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.3.2
Component: Filesystem API Keywords:
Focuses: Cc:


For some reason WordPress believes it does not have write permissions when in fact it does.

My configuration: Lighttpd running as www-data with PHP as fcgi.

Directory permissions are set to 770:user:www-data. During first time installation WordPress successfully creates wp-config.php, so there are no issues with permissions.

I have to add define(‘FS_METHOD’,’direct’); to wp-config.php to workaround this bug. But I cannot do this for all people I am providing hosting to. I keep getting asked why WP cannot update itself even when permissions are set to 777. It is also leaves people with non-updating WP installations and puts my server under risk of being turned into malware bot.

So, can you guys please fix the way WP detects if it has write access?

Change History (5)

#1 @SergeyBiryukov
11 days ago

  • Component changed from General to Filesystem API

This ticket was mentioned in Slack in #core by noisysocks. View the logs.

9 days ago

#3 @noisysocks
9 days ago

  • Keywords reporter-feedback added
  • Severity changed from major to normal

Hey @shadowlmd! get_filesystem_method detects which method to use by attempting to write a file and checking its owner. If you run PHP code that's similar to the PHP code that creates a file in get_filesystem_method, does it work? What is the owner of the file that is created?


#4 @shadowlmd
5 days ago

@noisysocks, where exactly does it try to create a file? Web server (and therefore any php script) is allowed to write in WP installation directory. File ownership will be www-data:www-data on created files. Example is wp-config.php created during first time set up:

user@home:~/www/wpsite.online$ ls -l wp-config.php
-rw-rw-rw- 1 www-data www-data 3270 Feb 8 13:12 wp-config.php

Anyway, I see where the problem comes from. Here's the code:

                        $wp_file_owner   = false;
                                $temp_file_owner = false;
                                if ( function_exists( 'fileowner' ) ) {
                                        $wp_file_owner   = @fileowner( __FILE__ );
                                        $temp_file_owner = @fileowner( $temp_file_name );
                                if ( $wp_file_owner !== false && $wp_file_owner === $temp_file_owner ) {
                                        // WordPress is creating files as the same owner as the WordPress files,
                                        // this means it's safe to modify & create new files via PHP.
                                        $method                                  = 'direct';
                                        $GLOBALS['_wp_filesystem_direct_method'] = 'file_owner';
                                } elseif ( $allow_relaxed_file_ownership ) {
                                        // The $context directory is writable, and $allow_relaxed_file_ownership is set, this means we can modify files
                                        // safely in this directory. This mode doesn't create new files, only alter existing ones.
                                        $method                                  = 'direct';
                                        $GLOBALS['_wp_filesystem_direct_method'] = 'relaxed_ownership';

Test $wp_file_owner === $temp_file_owner will obviously fail because created file will be owned by www-data and FILE will be owned by user. This is a common configuration and definitely not a reason to fallback to FTP.

Last edited 5 days ago by shadowlmd (previous) (diff)

#5 @shadowlmd
4 days ago

  • Keywords reporter-feedback removed
Note: See TracTickets for help on using tickets.