Why does WordPress require a ftp server to be running on the webserver to transfer plugins?

3 Views

I had asked a related question on Super User:

A use case of a system “receiving” files over FTP would be, for example, the way WordPress plugins are installed via 1-click where WordPress initiates a file transfer to the local Linux box from the remote WordPress plugin repository using ftp(s)

Read More

More specifically this screen:

WP asking for ftp info during plugin install

My initial understanding that WordPress would transfer the files from the WordPress plugin repository, like how a FTP client would do. But further discussions on chat have left me confused as to why would WordPress require the FTP details of the web server?

What am I missing here?

Post Views: 3

Related posts

Leave a Reply

3 comments

  1. When you do something that requires WordPress write to the filesystem, it does a check to see if it has permissions to do so by writing a temp file. If this check fails it will ask for FTP details in order to write the files to your server.

    EDIT

    look in wp-admin/includes/file.php, line 843, for the get_filesystem_method function that does this check.

  2. The wp-admin/includes/file.php **get_filesystem_method()** uses an erroneous test to determine if it can write a file. At line 853:

    if ( getmyuid() == @fileowner($temp_file_name) )

    The use of getmyuid() is wrong for unix – instead that should be posix_getuid(). The problem is the getmyuid() will return the owner of the script file not the user that is running the script. On unix, that means if the file was installed by root and the webserver is running as user www-data then test will fail even thought the file is written during the test.

    So to fix, change the line with getmyuid() to:

    if ( posix_getuid() == @fileowner($temp_file_name) )

  3. Milo’s answer is correct. I just wanted to add some details about how the check is done (because get_filesystem_method() has changed a bit since 2011).

    Firstly, you can completely override this check by defining FS_METHOD in your wp-config.php to be 'direct', 'ssh2', 'ftpext' or 'ftpsockets'.

    If this constant isn’t set, then WP tries to determine what method to use. It does this by trying to create a temporary file called wp-content/temp-write-test-1434788954 (that number at the end is just the current timestamp). If this file can’t be created, it uses the ssh2, ftpext or ftpsockets method (i.e. the annoying ones that require authentication credentials).

    If the file can be created, WP carries on to compare the owner of that file with the owner of wp-admin/includes/file.php. If these are the same, then all is good and the direct method can be used.

    TL;DR: The web server user must be allowed to write to wp-content/ and be the owner of wp-admin/includes/file.php.