Wordpress group/user issue

[Godrockzzz]

I moved my wordpress site from cpanel shared environment to KH Cpanel environment. The previous server was suPHP so i could use several php.ini files.

Problem is Wordpress cant write to the folders unless its set to 777 and i dont want to do that. I tried and tried to set the folders to the wordpress user but its still wont write to the folders. Is there something i'm missing?

I really dont want to put in another support ticket if this is something easily fixed.

 

[Dan]

Hello Godrockzzz,

You can set your VPS to suPHP as well. In WHM go to Service Configuration and then Apache Configuration. In there select PHP and suExec configuration and then you can select suPHP as your PHP handler if that is what you want.

On the file permissions I have 0 experience with Wordpress but 777 is certainly not a good thing. cPanel installs will typically own files and folders to the account username and for most installs a chmod of 644 is sufficient and from what I have seen is the default.

 

[Godrockzzz]

I rebuilt apache since suPHP wasn't an option...works like a charm now!

 

[KH-Paul]

777 isn't that scary and isn't any different from 7xx (for directories) or 6xx (for files) with SuPHP enabled as long as only your own accounts are hosted on the system. The story would be different in case if system is used for shared hosting.
If system is used for own accounts only it would make great sense to run PHP as Apache module instead of SuPHP for at least the following reasons:
- SuPHP will slow down your sites;
- Systems with SuPHP enabled will show higher CPU and disk I/O utilization compared to mod_php;
- None of php caching extensions like eAccelerator, xcache, etc will work with SuPHP.

If performance is important and only trusted accounts are hosted on the system - go with PHP running as Apache module.

 

[Godrockzzz]

So if i go back to php as a module.... 777 wont be a security issues? I will be the only account on the system.

I definitely want performance, lower CPU but also security.

 

[KH-Paul]

777 is the access mode which allows to read, write and execute for file/directory owner, group owner and any other system user. Having such permissions isn't a security problem as long as you're running secure scripts on your sites as in order to be able to write some file to the system remote party has to find an insecure script on your site which would allow them to upload / execute their own code on your system.

Think about this way - when enabling PHP to be running through SuPHP if there is an insecure script on your site the person who will exploit it will be able to create/execute files in any directory inside your account's home directory as all your files/directories are owned by the account's system user and are readable / writable / executable by the account's username.

In other words - when you have a VPS (or dedicated) and you're the only user on that system switching from mod_php to SuPHP won't only make your PHP based sites run slower but will also decrease your level of security.

 

[Godrockzzz]

In that case is PHP Security the best option to run when doing easyapache?

 

[KH-Paul]

"PHP Security" is a bit misleading there, it doesn't really have anything to do with actual security (remember - the most insecure things are weak passwords and outdated/buggy software) but enables few options by default such as mcrypt, mhash, etc. PHP modules should be enabled based on the requirements of software you run on your websites. The more modules you enable the higher memory footprint will be.

 

[jeja7676]

So, what is the solution? How can we resolve permissions problem and yet avoid installing suphp ?

 

[Calico]

I know this is an old thread but I'm trying to figure out the best way to set things up.

History: I got a VPS on Sunday... I'm hosting my clients, a site from a previous client who is now managing things inhouse, and possible a few other sites for some friends. In short I know the people using the server personally...

I followed the KnownHost Knowledge base instructions on PHP Security (Turn on safe_mode, Disable Dangerous PHP Functions, Turn off Register Globals, Run PHP through PHPsuexec) but now am not sure that was the best thing to do... for one it was apparently written in 2006...

There are currently 3 WordPress sites, some php to send contact forms to an email, and some pages using php includes to pull in header, sidebar and footer pages.

I'm quite overwelmed with all of this as it came about very suddenly when I asked the previous host if he could upgrade to php5 and was told he was going to shut down his business...

777 is the access mode which allows to read, write and execute for file/directory owner, group owner and any other system user. Having such permissions isn't a security problem as long as you're running secure scripts on your sites as in order to be able to write some file to the system remote party has to find an insecure script on your site which would allow them to upload / execute their own code on your system.

Think about this way - when enabling PHP to be running through SuPHP if there is an insecure script on your site the person who will exploit it will be able to create/execute files in any directory inside your account's home directory as all your files/directories are owned by the account's system user and are readable / writable / executable by the account's username.

In other words - when you have a VPS (or dedicated) and you're the only user on that system switching from mod_php to SuPHP won't only make your PHP based sites run slower but will also decrease your level of security.

 

[Dan]

Hi Calico,

I've already mentioned my personal preference even though it is counter to what Paul has said. I guess the only answer is that there is no perfect answer.

I did find a decent comparison writeup done by someone that they linked on WHT though and it might provide you with enough insight to be able to decide for yourself. I recommend reading the post as well as some counterpoints are also given.

I like suPHP because you do not have to screw around with permissions and because if someone's script runs wild you can see the actual user and kill it.

The WP installer should inform you if there are problems that you need to address before it even installs. The WP wiki also has information on permissions too.

 

[Calico]

Thank you Dan,

I had found that article on WHT earlier but don't think I had found that particular comparison link.. I've read so much I'm not sure I even remember anymore.

Let's see if I have this right...

DSO
+faster as it runs as an apache module
+/- scripts run as apache user
+ if you have a limited number of sites because only files with ownership/permissions noboby and nobody or everyone write can get corrupted because the php can only write to those file/folders
- if you have lots of users because a hacker can get to nobody in all areas

suPHP
+ easier to set up WordPress
+ can only execute files run by that user
- uses higher CPU
+ malicious scripts are confined to one account
- malicious scripts can affect EVERYTHING in that account

I think what is getting me is (from WHT site) "suPHP has the disadvantage that the php script will have all the same permissions as that user, to delete or modify any files owned by that user. In a DSO setup, all the php files are run by 'nobody' so only world writable files can be edited by your php scripts."

The VPS came with DSO as the default handler... I had found the PHP security in knowledge base atfter loading 3 WordPress accounts. did the things in the PHP security and then went back in and changed the "nobody" to users and changed the permissions down as they didn't need to be at the level I had them for DSO...

I know the server I had my stuff on before had php4 and was using DSO - because of how I had to set my permissions... not quiet sure what the best answer is at this point...

 

[Calico]

Since I've used DSO in the past I tried to go back... apparently it isn't as straight forward as DSO->suPHP. WordPress didn't like it at all even when I changed permissions and owners for the wp-content/uploads folders using ssh... not in the mood to have to reinstall all 3 so switched it back to suPHP for now... it is working there..

This has not been a fun week...

 

[kingtas]

For either DSO or suPHP (or any other handler), files should be 644 and folder 755 - period.

 

[vuong184]

Please help me chmod folder wp-content/uploads or wp-content, i can't user plugins WP Super cache and upload images when add new post.
I have chmod to 777 but can't upload.
I'm a newbie user VPS, Please help me
Thank!

 

[photalian]

I'm having the same issues. I might make a support ticket to see if they can offer me some advice, or to modify/chmod the right commands to tell apache that wordpress has the proper permissions. My old cheeseball shared web host worked fine, running with 755 on folders and 644 on files. It's got to be a configuration issue. I can't seem to find a proper answer online, no matter how hard I look.

 

[ANA]

photalian and vuong184, maybe this answer is coming a little too late but I've found this problem can be due to mod security rules, not permissions.

This link might be helpful:
wordpress.org/support/topic/mod_security-for-wordpress