Running WordPress as FTP user?

I’ve been doing some research on file permissions as of late, as my WordPress installation on my VPS doesn’t have write access.

From what I’ve heard it’s very dangerous to make the apache user the owner of your WordPress files, as apache can then do whatever it wants.


The WordPress Codex says:

“All of your WordPress files must be either owner writable by, or group writable by the user under which your Apache server executes.”

http://codex.wordpress.org/Updating_WordPress

That’s great, but I’ve also heard talk of running your WordPress install as the FTP user:

If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access.

http://codex.wordpress.org/Changing_File_Permissions

Any ideas on the best way to set this up? Is it not a bad idea to have the WordPress files owned by the apache user? I feel like it is…


2 comments

  1. Your files should be owned by your account. Period. They should not be owned by the “apache” user. This is insecure.

    The files may need to be readable by the apache user. The recommended permissions are 755 for folders and 644 for files. With the exception of the wp-config.php file, which should be set to the lowest permissions that work. This would be 640, usually.

    The wp-content folder and the uploads folder may need more permissive permissions for media uploads to work.

    If the webserver is running as a different user, then WordPress will detect this, and when you try to do an upgrade, it will ask for your FTP information. Then it will do the update via FTP. By getting your information, it can log in as you and thus upload your files.

    If you don’t have FTP enabled on your server, you can configure WordPress to use SSH methods instead. This is a bit more complex and not common.

    If the webserver is running as a different user, but using a “setuid” method, then it will automatically run the PHP files under your user account instead, and then it will be able to update directly. This is because a setuid method will change the process to run as the userid of the files. This is more common on shared hosting, because it is more secure in such cases.

    Some setuid methods that are used are “mod_suphp” or “FastCGI with suexec”.

    Regardless, you need to own your files, not the webserver.
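The scheme in the comment above (files owned by your own account, 755 directories, 644 files, 640 for wp-config.php, a group-writable uploads directory, nothing owned by the web server) can be applied and audited with a small script. The following is an added example and not code from the thread or from WordPress; it assumes a Linux host with GNU coreutils (`find`, `chmod`, `stat -c`), a WordPress tree at the path you pass in, and that the web server account is one of `apache`, `www-data` or `nginx`.

```shell
#!/bin/sh
# Added example (not from the original thread): apply the permission scheme
# from comment 1 to a WordPress install and audit it for the usual mistakes.
# Assumes GNU find/chmod/stat on Linux; run it as the account that owns the site.

# apply_wp_perms ROOT [OWNER]
#   ROOT  - path to the WordPress install
#   OWNER - account that should own the files (defaults to the current user;
#           it must be your login, never the web server user)
apply_wp_perms() {
    root="$1"
    owner="${2:-$(id -un)}"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    chown -R "$owner" "$root"                      # your account owns everything
    find "$root" -type d -exec chmod 755 {} +      # dirs: owner rwx, others r-x
    find "$root" -type f -exec chmod 644 {} +      # files: owner rw, others r
    # wp-config.php holds DB credentials: lowest mode that still works (640)
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    # uploads must be writable by the group the web server runs as, not by world
    [ -d "$root/wp-content/uploads" ] && chmod 775 "$root/wp-content/uploads"
    return 0
}

# audit_wp_perms ROOT
#   Prints each deviation from the scheme; returns 1 if any were found.
audit_wp_perms() {
    root="$1"
    bad=0

    # world-writable paths (the classic "chmod 777 until it works")
    n=$(find "$root" -perm -002 | wc -l)
    if [ "$n" -gt 0 ]; then
        find "$root" -perm -002 -exec echo "world-writable: {}" \;
        bad=1
    fi

    # wp-config.php must not be readable by everyone
    if [ -f "$root/wp-config.php" ]; then
        mode=$(stat -c '%a' "$root/wp-config.php")
        [ "$mode" = "640" ] || { echo "wp-config.php mode is $mode, expected 640"; bad=1; }
    fi

    # anything owned by the web server account defeats the point of the scheme
    for svc in apache www-data nginx; do
        n=$(find "$root" -user "$svc" 2>/dev/null | wc -l)
        if [ "$n" -gt 0 ]; then
            find "$root" -user "$svc" -exec echo "owned by $svc: {}" \;
            bad=1
        fi
    done
    return $bad
}

# Usage: apply_wp_perms /var/www/website/wordpress && audit_wp_perms /var/www/website/wordpress
```

The audit deliberately treats any world-writable path as a finding: the thread's advice is that the web server only needs read access, with write access confined to the owner (you) and, for uploads, the owner's group.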

  2. What does it matter who WordPress is owned by as long as they have chown and chmod? Probably best to have the admin name be something other than apache, root, admin, etc.

    for example,

    chown username -R /var/www/website/

    chmod 775 -R /var/www/website/wordpress/wp-content
