How does wordpress handle file permissions when automatic updates are enabled?

TLDR: That paragraph is incorrect.

So How Does WordPress Handle Permissions For Auto-Update?

WordPress runs as the user that PHP runs as, which on most servers is some form of www user. It uses that user to perform the update.

If that user cannot write to those files, it falls back to other WP_Filesystem providers. This is why some people see a request for FTP details when updating. If FTP details are entered and they are valid, WordPress will use FTP.

If it cannot make direct filesystem changes, and it cannot use FTP to do it, then auto-updates cannot happen.

Can WordPress Run File Operations as The Owner of the file?

For me that sounds very crazy. If the files are owned by root, does wordpress gain root access to the server?

No. It can’t.

PHP processes can’t escalate themselves to the root user, that’s not how things work. It’s not how processes and users work either.

PHP cannot change the user it is running as either. That requires server configuration changes to do.

Is The Paragraph on .org Correct?

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.

That paragraph is wrong.

What I think has happened, is that somebody who is not a native english speaker has written that paragraph, or that they themselves have misunderstood how updates work. Whatever the reason, this paragraph is incorrect, wrong, false.

However, if you want to really harden WordPress, make the files executable and readable by the web user, but not writable, and disable the built in auto-updater.

Then tools such as git, composer, or WP CLI can be used to update WordPress and its plugins/themes either manually or on a cron job using a different user.

E.g. on my host I can SSH into the server and make changes as my SSH user has access to those files. This way any malware that runs cannot modify PHP files. This has the downside that WordPress is unable to update itself from the web interface. I then run WP CLI commands to update WP and .org plugins, and a combination of git pull and composer commands for the rest. I could even refactor things to use composer for the entire site.

You’ll see some high end hosts do something similar by managing WordPress themselves, and providing you with a git repo that’s equivalent to wp-content so that plugins and themes are version controlled. This has the benefit that any changes are immediately obvious and can be undone instantly.

Related Posts:

  1. How Do I Configure Automatic Updates in WordPress 3.7?
  2. Will A WordPress automatic update harm my website?
  3. What is a “forced plugin update”, how can I avoid it and use it for my plugins
  4. Automatic updates are not working
  5. Is it possible to prevent website from breaking with auto update?
  6. Enable automatic minor core updates when root of site is a git repository
  7. WordPress Health Tool reporting version control as a critical issue
  8. Unable to get WordPress auto update working on Ubuntu 12.04
  9. WordPress 3.0.1 Auto Update Problem
  10. Disable Plugin Updates but Allow WP Auto Security Updates
  11. Missing Update Link to 3.02/3.03 on Dashboard
  12. Change email for update notification
  13. How to schedule Automatic WordPress Plugin and Core updates for night times
  14. Auto Plugin & Core Updates Not Working For Custom Theme
  15. WordPress updates and Git
  16. How to debug background/auto update?
  17. How can I fix my server so core/plugins/theme update don’t silently fail?
  18. WordPress 3.1 not autoupdating
  19. WordPress core auto update fails for UpdraftPlus WordPress Backup Plugin
  20. Automatic updates only in a predefined maintenance window
  21. Auto updating a single plugin
  22. Could auto-update delete core WordPress files and cause a white screen of death?
  23. Changing random post publish time for repost
  24. WordPress sites got auto upgraded [duplicate]
  25. How to turn off automatic updates of the WordPress core
  26. WordPress update fails with a “permission denied” error?
  27. How to trigger automatic plugin updates in WordPress 5.5
  28. Adding a banner to the install dialogue of a custom plugin
  29. Auto generate custom post title
  30. WordPress 3.3 auto update not working
  31. How to know current auto-update status of the WordPress core?
  32. Auto update error messages
  33. Allow auto-updates on a non-managed WordPress site?
  34. Will WordPress Auto Update work on a site with Basic Authentication enabled?
  35. WordPress site auto updates for no reason
  36. Are automatic background plugin updates for non-WP.org plugins possible?
  37. Auto Update fail time my external folder deleted
  38. Stop WordPress from auto updating
  39. How Do I Configure Automatic Updates in WordPress 3.7?
  40. Enable automatic plugin update for certain plugins [duplicate]
  41. Auto generate meta data value in post
  42. How to upgrade WordPress automatically?
  43. WordPress Automated Posts Creation
  44. How exactly do automatic updates work?
  45. How to update WordPress installed on IIS?
  46. Prevent/Disable Automatic Update Check
  47. WordPress updates defined vs add_filter?
  48. Disable WP core updates but send email notification
  49. Update WordPress automatically on its own
  50. How long does it take for theme / plugin automatic updates to initiate?
  51. Making plugin unique to not conflict with plugins with the same name
  52. “You have the latest version of WordPress. Future security updates will be applied automatically.”
  53. Have WP Theme update from Git Repository
  54. How to update/auto-update my private plugin? [duplicate]
  55. I want to run different WordPress websites under the same database
  56. Why are the automatic updates to WordPress behind the version my site is on?
  57. Tablepress won’t update the table data [closed]
  58. How to schedule autopost publishing at each 60 minutes?
  59. WordPress DATABASE Update Manually?
  60. Can I update themes without enabling maintenance mode?
  61. Can a manually uploaded plugin be made to track updates from the WordPress.org plugin directory?
  62. Updating Existed RocketTheme Theme on WordPress
  63. SELinux security vs WordPress updates
  64. Private Plugin Updates – Localhost
  65. WordPress 3.8.1 update error
  66. What file(s) in core control automatic background updates?
  67. Problem with automatic role change through cron job
  68. Group ownership permissions don’t allow web server to update WordPress content
  69. Theme Javascript.php Overwritten Nightly [closed]
  70. Upgrading problem
  71. Why does WordPress 4.1 have an auto-update entry in wp_options?
  72. Updating WP 3.9.5 without destroying my website
  73. Why my plugins are updating automatically?
  74. Can you refresh ONLY the wordpress adminbar and not the whole page?
  75. Where does WordPress get the theme name from to check for updates?
  76. How to execute plugin and theme updates from a web hook / endpoint?
  77. Wordpres core-update theme renames theme folder name
  78. How to allow WordPress updates to only one specific administrator?
  79. What request is WordPress sending on theme update?
  80. WordPress 4.4.2 Update not working
  81. EC2 WordPress install asks for connection info when auto-updating
  82. automated import from blogger
  83. Change modified date to current date when title updated automatically
  84. WordPress cannot auto update and cannot find .maintenance file
  85. is it right choose to connect database in template page directly in WordPress site?
  86. Update a previous version of plugin when the new plugin is built from the scratch
  87. Update (a function) post’s featured image as soon as $image_url changes
  88. Plugins download & install fine, wordpress update fails
  89. Where to add my code to auto attach images to existing products
  90. error_log() not working in add_filter auto update callback
  91. WordPress Auto Updates
  92. Custom theme and plugin updating
  93. To merge customized codes upon wordpress update
  94. Cannot Update wp DB – Get 500 Error
  95. Cannot update plugin
  96. Hook automatic_updates_complete to autoupdate plugin
  97. How to update changes to multiple sites at the same time
  98. Update js file on wordpress page after making changes
  99. Can’t seem to disable Java Automatic Update
  100. Plugin_Upgrader not working if function is called from remote server