Running WordPress as FTP user?

Your files should be owned by your account. Period. They should not be owned by the “apache” user. This is insecure.

The files may need to be readable by the apache user. The recommended permissions are 755 for folders and 644 for files. With the exception of the wp-config.php file, which should be set to the lowest permissions that work. This would be 640, usually.

The wp-content folder and the uploads folder may need more permissive permissions for media uploads to work.

If the webserver is running as a different user, then WordPress will detect this, and when you try to do an upgrade, it will ask for your FTP information. Then it will do the update via FTP. By getting your information, it can log in as you and thus upload your files.

If you don’t have FTP enabled on your server, you can configure WordPress to use SSH methods instead. This is a bit more complex and not common.

If the webserver is running as a different user, but using a “setuid” method, then it will automatically run the PHP files under your user account instead, and then it will be able to update directly. This is because a setuid method will change the process run as the userid of the files. This is more common on shared hosting, because it is more secure in such cases.

Some setuid methods that are used are “mod_suphp” or “FastCGI with suexec”.

Regardless, you need to own your files, not the webserver.

Related Posts:

  1. WordPress files owner changed silently
  2. MySQL error 1449: The user specified as a definer does not exist
  3. Destination directory for file streaming does not exist or is not writable
  4. How to to secure WordPress file and folder permissions
  5. WP in Docker – cannot install plugin or upgrade WP
  6. when FS_METHOD = ‘direct’ is chosen?
  7. Create custom permissions for user type
  8. WordPress REST API – Permission Callbacks
  9. Can’t upload images due to permissions error
  10. add_menu_page permissions – what am I doing wrong?
  11. Recommended File Permissions
  12. Network Admin “You do not have sufficient permissions to access this page.”
  13. What’s the difference between the permissions “edit_published_posts” and “edit_posts”
  14. Wrong permissions when uploading a file through WordPress | IIS
  15. ftp_nlist() and ftp_pwd() warnings
  16. WordPress in IIS 7.5 – “cannot create directory”
  17. What permissions should i have set up for the Database User after i have WordPress set up?
  18. Why is group ownership with rwx permissions not enough?
  19. How can I limit WordPress editor roles to a specific category?
  20. can i run wp as root permissions
  21. Prevent or Disable creating new users or changing roles of existing users to Administrator
  22. Standard permissions for wordpress; Plugin installation asks for FTP credentials
  23. Safe to set permissions to 757 temporarily to update via wp-cli?
  24. Does WordPress have fine-grained view permissions?
  25. WordPress debug.log is not updating
  26. WordPress file permissions for editing on local Ubuntu development machine
  27. Securing a multi-user permission structure
  28. can’t change footer
  29. permissions access error
  30. Permissions Issue with WordPress
  31. What user/group does WordPress belong to in terms of file permissions?
  32. Enable plugin installs without FTP with user from same group as Nginx/PHP-fpm
  33. Iframe a WordPress template
  34. How to configure apache to create files with correct group owner [closed]
  35. Moved my WordPress site and now it can’t read the theme
  36. WordPress folder ownership issues
  37. WordPress unable to create folders even though correct NTFS-rights are set
  38. WordPress php mysql errors – errcode: 13 permission denied
  39. Safari not “giving Permission to Open This Page” when trying to load pdf from wordpress site [closed]
  40. Invalid changeset UUID WordPress
  41. Group ownership permissions don’t allow web server to update WordPress content
  42. Should Apache own /var/www/domain.com directory in WordPress?
  43. WordPress Permissions on my Local with Docker
  44. Grant user rights to access certain tabs of a plugin
  45. Permissions in a Local Dev Environment (OS X)
  46. How to to secure WordPress file and folder permissions
  47. Upgrading problem
  48. wp-content Folder Permissions (777 OK?)
  49. Permission of 775 not enough
  50. failed to open stream: Permission denied for WordPress plugin
  51. How to prevent plugins from being uninstalled
  52. Implement Javascript Code in the footer if user is logged in
  53. Reseting file permissions
  54. What is the “user account” for WordPress’ file permissions?
  55. Auto-update failing with “hardened” permissions
  56. Restrict access to trash, only admin
  57. How to hide wordpress error message?
  58. What is this error message?
  59. Which wordpress should be obligatory writeable?
  60. How to grant user access the page [closed]
  61. WordPress 4.4.2 Update not working
  62. Auto-Upgrade to 4.2.2 fails because theme functions.php is included instead of wp-includes/functions.php
  63. How to prevent people from seeing certain articles in menus?
  64. Auto-Update Fails
  65. WordPress installation on digitalocean eating the server storage
  66. Can’t Change the default theme on WordPress by BitnamI running on AWS
  67. How to make file not open to public but javascript file under WordPress folder can load it
  68. Opening a file of the theme from outside
  69. Allow Editor access to a certain plugin
  70. Visitors “do not have permission to view this content” on home page only
  71. Permissions Script Not Working
  72. WordPress does not have the permission to update (IspConfig)
  73. Blank White page issue in WordPress
  74. Permissions working but not working
  75. Mamp Pro File Permissions
  76. MAMP File Permissions
  77. Create a custom “you dont have permission” message
  78. How to lock all published posts so only admin can unlock delete and update permission
  79. Why do some of my directories need to be writeable that shouldn’t be?
  80. How to put WordPress website behind the credential for visitors?
  81. Downloaded WP but Nginx home page still showing
  82. Pages displays as Restricted to Admin
  83. Public and Private keys incorrect for user
  84. Why can I upload files but need FTP login for plugins
  85. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  86. sufficient permissions to access this page
  87. wordpress using WP MVC: You do not have sufficient permissions to access this page
  88. Folder Permissions + Security Concerns
  89. Strange error “You do not have sufficient permissions to access this page”
  90. Is it possible to allow a user to only edit categories of posts and nothing else?
  91. Restrict access to specific content
  92. WordPress – Public side and Private side
  93. the_tags only showing when logged in?
  94. Configuring WordPress permissions for easy updates
  95. Plugins Page – “Page disabled by the administrator”
  96. How to give access to programmer/developer to make changes, but prevent undesirable changes? [closed]
  97. How do I share a Git repository with multiple users on a machine?
  98. Amazon Cloudfront with S3. Access Denied
  99. Postgresql: what does GRANT ALL PRIVILEGES ON DATABASE do?
  100. WP Permission still set to Not Writable after I change the permission for the whole folder and files