#64371 closed defect (bug) (invalid)
wp-admin pages constantly ping wp-config.php for write access
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 6.9 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |

Description
Hi,
Now that I tried to debug something on my Fedora Server 43 VPS, I realized my SELinux audit log is full of entries like this:
```
type=AVC msg=audit(1765054057.476:7731): avc: denied { write } for pid=37938 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054065.332:7734): avc: denied { write } for pid=37988 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054069.003:7735): avc: denied { write } for pid=38003 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054753.316:8266): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054785.233:8423): avc: denied { write } for pid=41178 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054791.764:8456): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054798.338:8487): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054801.672:8488): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054824.267:8581): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054825.791:8582): avc: denied { write } for pid=41178 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054878.257:8685): avc: denied { write } for pid=43568 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
```
In human language it means that PHP tries to write to wp-config.php, but is (rightfully) denied from doing so, because normally that shouldn't happen at all. The relevant SELinux defaults:
```
/var/www(/.*)?                        all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/html(/.*)?/uploads(/.*)?     all files  system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)?  all files  system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp_backups(/.*)?  all files  system_u:object_r:httpd_sys_rw_content_t:s0
```
In English, SELinux by default assumes that everything under /var/www is read-only, except for the files under "uploads", or "wp-content", or "wp-backups". This, again, seems reasonable.
Then I realized this happens on the vast majority of admin pages, e.g. Dashboard, Posts, Media, Pages, and so on. Every single time you open them.
I couldn't for the life of me figure out what it is WP is trying to write there, so I figured, I might as well let it:
```
cp wp-config.php wp-config.php.orig
chcon unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-config.php
```
Then indeed the denied messages are gone. The file timestamp isn't updated though:
```
[root@noobient noobient.com]# date -r wp-config.php
Sat Mar 6 04:22:57 AM UTC 2021
```
Hm, that's weird, but let's see what the fuss is about:
```
[root@noobient noobient.com]# diff -u wp-config.php.orig wp-config.php
[root@noobient noobient.com]#
```
Yup. WP wants to constantly write NOTHING into wp-config.php, just for the sake of it.
Alright, let's see if WP maybe settled down:
```
[root@noobient noobient.com]# restorecon -rv .
Relabeled /var/www/html/noobient.com/wp-config.php from unconfined_u:object_r:httpd_sys_rw_content_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
```
Unfortunately the errors are back in full force:
```
[root@noobient noobient.com]# tail -f -n0 /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1765056003.108:8727): avc: denied { write } for pid=43948 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765056005.196:8728): avc: denied { write } for pid=43948 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765056008.060:8729): avc: denied { write } for pid=43948 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
```
TLDR WordPress
- constantly tries to write a file it shouldn't
- it doesn't even want to write anything, just checks if it's possible at all, then silently continues regardless of it failing or not
Can you please stop doing that? I don't want to either allow WP to write this file or have my log constantly full of this useless error, if possible.
Thanks a lot!
- WordPress 6.9
- Fedora Server 43
```
Server architecture Linux 6.17.9-300.fc43.x86_64 x86_64
Web server nginx/1.28.0
PHP version 8.4.15 (Supports 64bit values)
PHP SAPI fpm-fcgi
PHP max input variables 1000
PHP time limit 30
PHP memory limit 128M
PHP memory limit (only for admin screens) 256M
Max input time 60
Upload max filesize 32M
PHP post max size 32M
cURL version 8.15.0 OpenSSL/3.5.4
Is SUHOSIN installed? No
Is the Imagick library available? Yes
Are pretty permalinks supported? Yes
robots.txt Your site is using the dynamic robots.txt file which is generated by WordPress.
Current time 2025-12-06T21:23:52+00:00
Current UTC time Saturday, 06-Dec-25 21:23:52 UTC
Current Server time 2025-12-06T23:23:50+02:00
```
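
One way to triage a log like the one in the description, as an added example that is not part of the original ticket: it groups AVC denials by process, target file and permission so a recurring denial shows up as one row with a count, PIDs and time window. The function names `parse_avc` and `summarize` are this example's own; the sample records are copied from the ticket. Because `name=` carries only the file's base name, the grouping key includes `dev` and `ino`, which is how the two inode numbers logged for `wp-config.php` stay separate.

```python
import re
from datetime import datetime, timezone

# Four records copied from the ticket's audit log excerpt (not new data).
SAMPLE = """\
type=AVC msg=audit(1765054057.476:7731): avc: denied { write } for pid=37938 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054753.316:8266): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054785.233:8423): avc: denied { write } for pid=41178 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1765054824.267:8581): avc: denied { write } for pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

HEAD = re.compile(r"type=AVC msg=audit\((\d+)\.\d+:\d+\): avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    rec["time"] = int(m.group(1))              # epoch seconds of the event
    rec["perms"] = tuple(m.group(2).split())   # e.g. ("write",)
    return rec

def summarize(lines):
    """Group denials by process, target file (dev+inode), permission and types."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        # name= is only the base name, so dev+ino identify the actual file.
        key = (rec["comm"], rec["name"], rec["dev"], rec["ino"], rec["perms"],
               rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2])
        g = groups.setdefault(key, {"count": 0, "pids": set(),
                                    "first": rec["time"], "last": rec["time"]})
        g["count"] += 1
        g["pids"].add(rec["pid"])
        g["first"] = min(g["first"], rec["time"])
        g["last"] = max(g["last"], rec["time"])
    return groups

if __name__ == "__main__":
    for (comm, name, dev, ino, perms, stype, ttype), g in summarize(SAMPLE.splitlines()).items():
        first, last = (datetime.fromtimestamp(t, timezone.utc).strftime("%H:%M:%S")
                       for t in (g["first"], g["last"]))
        print(f"{g['count']}x {comm} {stype} -> {ttype} {' '.join(perms)} "
              f"{name} dev={dev} ino={ino} pids={sorted(g['pids'])} {first}..{last} UTC")
```

The same functions can be fed the lines of `/var/log/audit/audit.log` directly; non-AVC records are skipped.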
Change History (4)
#1, in reply to: ↑ description, 2 months ago
#2, 2 months ago
> Note that doing that may be dangerous because it's possible that people may be able to view the file wp-config.php.orig using the web server.

Thanks, yeah, I removed the .orig file shortly after. Perfectly valid warning!

> Are you sure it is not some plugin that is doing this?

I'll check, will try to disable the plugins one by one, it might very well be one of them. Will report back soon.
#3, 2 months ago
- Resolution set to invalid
- Status changed from new to closed
You were right, it was the WP 2FA plugin doing this. Apparently at some point they decided they want to move their encryption key from the DB to wp-config.php, so I had to manually perform this migration. Once done, the denied messages went away.
Thanks a lot for the help and sorry for bugging you about something that's totally out of your scope.
Replying to bviktor:
Are you sure it is not some plugin that is doing this?
Note that doing that may be dangerous because it's possible that people may be able to view the file wp-config.php.orig using the web server.