Upgrading WordPress 4.0 asks for FTP password

I had to also change the owner of the root web directory.

chown apache:apache .   # or chown apache:apache /var/www/html

Edit by Otto: Chloe, as you asked for more information than I could reasonably put into a comment, I’m appending this on to your answer. I hope that is okay. If not, feel free to revert it, or let me know and I will do so.

The reason that I commented about this being a security issue has to do with file ownership and restricting permissions and limiting access.

Unix like systems contain the concept of “owners” and “permissions”. Files are owned by some user account, and have permissions that control whether they are read, write, or executable by other accounts. This is inherently a security feature, to prevent other accounts from being able to write to your files, or perhaps to allow them to do so.

Running programs also have “owners”. Those programs inherit the permission capabilities of their owner. If you run a program, it can do anything you can do, but will be prevented from doing anything that you can not, because it is “owned” by your user account.

When it comes to web servers, you’re essentially allowing the outside world to run a program on your computer. Because of this, ownership is important, and so most web servers run as a “www” user, or in the common case of the Apache web server, as the “apache” user.

If somebody is able to hack their way in through some program running on your website, then they will gain control over that program, but will still be limited by the capabilities of that program. If they hack a process run by “apache”, then their user will be “apache” and they will only have access as the “apache” user account.

Thus, having your files owned by “apache” is a security issue, because you’re essentially saying that anybody in the world is the owner of these files. Anybody who happens to get in through that door can see them, edit them, modify them.

On the other hand, if the user account that owned the files was “user” and “apache” just happened to have permission to read the files, but not write to them, then the web server could still get its job done. It could read the files, run the PHP scripts, do all the stuff it is supposed to do… but not modify the files.

This is why WordPress asks for FTP credentials. When it is self-updating, it notices that the WP files are owned by “user” but WordPress is actually running as “apache”. Thus, it can’t properly update without changing the owner. The “apache” user cannot write files owned by “user”. It doesn’t have this permission. More to the point, WordPress needs to create new files and delete old ones as well. So if it does that while running as “apache”, then the new files will be owned by “apache”, when they should be owned by “user”. It intentionally stops the update at that point because it cannot create files with the correct ownership.

Asking for FTP gives it a second approach. It can connect back to its own server via FTP, and using those credentials, it can write files as the correct user… For that one time only. After it disconnects, the credentials are forgotten. Safe all around.

In other words, when you put in FTP information, you are giving WordPress security credentials to be able to change the files that one time. By making the files owned by “apache” instead, you are giving WordPress the ability to change the files all the time, without any additional credentials. You have bypassed the security feature here, where as before, WordPress could not change the files without your login information, now it can. That’s a problem.

Now, maybe you don’t run the FTP service normally. Maybe you only use SSH. That’s okay too. In that case, look into adding the PHP SSH2 extension to your server’s PHP configuration. If WordPress finds that, instead of just FTP, you will also have the option for SFTP, which uses the SSH connection to authenticate and copy the files instead. Same principles apply, it’s trying to write files with the correct ownership for them to prevent security issues.

Security isn’t a binary thing, it has layers. If somebody gets unauthorized access, having things configured correctly can help to limit the amount of possible damage they can do. File and process ownership is a pretty low level bit of security in unix-type systems, but it’s still an important one.

Related Posts:

  1. Why users disable the WordPress update?
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. How can I stop WordPress from prompting me to enter FTP information when doing updates?
  4. Can I upgrade a plugin to a specific version?
  5. Why “Contact Form 7” doesn’t update PHPmailer library?
  6. A Way to Auto update plugins using cron?
  7. Updating WordPress – the best approach (updating wp core, plugins and db)
  8. Hook (upgrader_process_complete) running moment
  9. Can I upgrade plugins via FTP?
  10. How can we deal with unmaintained plugins with vulnerabilities?
  11. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  12. Malware installation during plugin update?
  13. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  14. Plugin upgrade failing during unzip
  15. How can I disable new plugin and theme install, but allow updates?
  16. Updates for a private plugin?
  17. Disable update notification for individual plugins
  18. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  19. Are WordPress Plugins essential?
  20. What are the common security flaws I need to look for? [closed]
  21. How to create custom message on plugin update
  22. How to customize a plugin whilst maintaining ability to upgrade
  23. Managing WP Core & Plugin Updates for Clients
  24. How to stop wordpress from changing default .htaccess permissions to 444
  25. Secure WordPress paid plugin
  26. How to make media upload private? [duplicate]
  27. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  28. What does a security risk in a plugin look like?
  29. WordPress Capabilities: edit_user vs edit_users
  30. How can a plugin run a script after being updated in MultiSite?
  31. How to update plugin without overwrite custom code
  32. WordPress plugin DB upgrade
  33. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  34. Will WordPress username displayed somewhere in the site?
  35. Is revealing just the AUTH_KEY a security issue?
  36. I can’t upload a new wordpress theme from a zipped file
  37. All Updated Plugins Disappeared
  38. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  39. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  40. How to import 55k images (uploaded via FTP) into WordPress Media libary? [closed]
  41. How to create a plugin that notifies for updates?
  42. Are there hooks for WordPress updates?
  43. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  44. What is the correct way to update both WP/plugins/themes without breaking the site?
  45. Pushing out updates to multiple installs?
  46. WSOD after upgrading to 3.1
  47. Check for security updates
  48. Two problems on my WordPress installation [closed]
  49. Linux Permissions and Ownership for WordPress
  50. Enabling WP_USE_EXT_MYSQL to support old plugin
  51. Updating plugins asks for FTP information, why? (this is a new one)
  52. Procedural Question on Plugin Installation
  53. Does WP delete deprecated plugin/theme files on plugin/theme upgrade?
  54. Install and Update plugins on a VPS WordPress installation
  55. WordPress update and plugin install not working
  56. I should enable automatic updates?
  57. How to update mu-plugin
  58. UpdraftPlus installed malware – scared to download or update plugins now! [closed]
  59. Child Themes and Updating Parent Theme
  60. Maintaining plugin addons while upgrading
  61. Website show Google Ads when we have no Google Ads linked to our website
  62. disabling ftp on wordpress
  63. Get site url and updates data, then use them
  64. Why does this code snippet create a critical error on my site? [closed]
  65. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  66. How do I change where a plugin pulls updates from?
  67. wordpress upgrade from 4.2.1 to 4.7.3 500 error
  68. Cannot add edit themes and add plugins after multisite update
  69. Regarding plugin security
  70. How do I determine if the user who registered is not spam?
  71. Remove updates text on plugin or themes list page
  72. What would make the plugin update process to complete but don’t report as such?
  73. How to prepare (compress/zip) a plugin to enable updating instead of adding new instance?
  74. Validating ajax search
  75. WordPress asks to update a plugin already updated
  76. WordPress disable direct access of files in WordPress installation path
  77. Asking help regarding potential malware
  78. Custom Plugin Update
  79. Block plugin update possibilities (but not by hiding notifications)
  80. Update a previous version of plugin when the new plugin is built from the scratch
  81. why is sportspress asking for FTP credentials on a local installation?
  82. WP core and plugin updates fail AWS
  83. Website content not displayed anymore after updates
  84. Custom plugin which downloads updates from custom endpoint, extracts new version zip into a new name
  85. Unmatch plugin from updates?
  86. WordPress FTP/media directory permissions problem?
  87. Surviving WordPress and plugin updates
  88. Being hacked. Is there a list of WordPress security holes I can check against?
  89. MobilePress plugin and WordPress 4.1 update
  90. Unwanted Links and Spam WordPress Pages and Posts
  91. No feedback when installing plugins or updating
  92. File permissions for wp-minify plugin
  93. What is the recommended way to be notified of security updates to my plugins? [closed]
  94. How to include a custom thumbnail with my WordPress plugin?
  95. Plugin update warning
  96. How to rename files during upload to a random string?
  97. How to Replicate Elementor Licensing Model
  98. Manually update notification of plugins needing updating
  99. On WordPress.org Plugin repository, Last Updated Date doesn’t match with Plugin Version Update Date
  100. What’s the best way to update my WordPress theme to Elementor?