I have been doing my best to figure out the Apache permissions setup on Amazon EC2 that lets WordPress manage all of the files on my instance without asking for FTP permissions when I try to upload a plugin or theme via the Admin site. I ended up having to give file and group ownership of the files in my html folder to the apache user for WordPress to run correctly. This article and its comments helped me reach this conclusion.
sudo su
chown -R apache:apache /vol/html
I then set the permissions on my html root to what the hardening WordPress guide recommends; all my WordPress files are there because I am running MultiSite with multiple domains.
find /vol/html/ -type d -exec chmod 755 {} \;
find /vol/html/ -type f -exec chmod 644 {} \;
As apache doesn’t have a login, I feel this is worth the risk, though there is probably a better way to do this. I then added ec2-user to the apache group and changed the permissions of the wp-content folder to 775 so that it has group write permission.
useradd -G apache ec2-user
sudo chmod -R 775 /vol/html/wp-content
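An added example, not part of the original post: a script that applies the 755/644 baseline from the commands above and audits a web root for paths that deviate from it. It goes one step beyond the post by giving wp-content group write as 775 on directories and 664 on files, because `chmod -R 775` also sets the execute bit on every regular file. The function names and the sample tree are constructed for illustration, and ownership changes are left out because they need root.

```bash
#!/usr/bin/env bash
# Added example. The sample tree is constructed; function names are illustrative.

# Apply the baseline: directories 755, files 644 across the web root, then
# group write inside wp-content only (directories 775, files 664).
harden_webroot() {
    local root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -d "$root/wp-content" ]; then
        find "$root/wp-content" -type d -exec chmod 775 {} +
        # 664 rather than 775: uploads and plugin files never need the execute bit.
        find "$root/wp-content" -type f -exec chmod 664 {} +
    fi
}

# Print every path whose mode differs from that baseline (one path per line).
audit_webroot() {
    local root=$1
    find "$root" -path "$root/wp-content" -prune -o -type d ! -perm 755 -print
    find "$root" -path "$root/wp-content" -prune -o -type f ! -perm 644 -print
    if [ -d "$root/wp-content" ]; then
        find "$root/wp-content" -type d ! -perm 775 -print
        find "$root/wp-content" -type f ! -perm 664 -print
    fi
}

# Build a throwaway tree with three deliberate deviations (constructed data).
make_sample() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-admin" "$tmp/wp-content/uploads" "$tmp/wp-content/plugins"
    touch "$tmp/index.php" "$tmp/wp-config.php" "$tmp/wp-content/plugins/demo.php"
    chmod 755 "$tmp" "$tmp/wp-admin"
    chmod 644 "$tmp/index.php"
    chmod 666 "$tmp/wp-config.php"            # world-writable config file
    chmod -R 775 "$tmp/wp-content"            # files end up executable
    chmod 777 "$tmp/wp-content/uploads"       # world-writable upload directory
    echo "$tmp"
}

sample=$(make_sample)
echo "Before:"; audit_webroot "$sample"
harden_webroot "$sample"
echo "After:";  audit_webroot "$sample"
rm -rf "$sample"
```

Run `audit_webroot` against the real web root after plugin installs or SFTP uploads to see which paths have drifted from the baseline.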
Music to Write this Code to
This is a great help, thank you.
Thanks for this solution! The issues with WordPress were gone.
However, though apache permissions were fixed, ec2-user was failing to write.
The following worked for me:
I added ec2-user to the apache group:
usermod -a -G apache ec2-user
Next, I made ec2-user the owner and apache the group for the wordpress directory (/var/www/html in my case):
chown -R apache:ec2-user /var/www/html
WordPress is happy now, and I can SFTP via ec2-user! Thanks.
This is the only thing that absolutely worked for me. I was switching between permissions for apache and ec2-user
Great worked for me. Thumbs up
I tried following these directions and I am still unable to overwrite files via SFTP (Filezilla). I was really hoping this tutorial would be the solution for me, it’s really clear and well-written (no robot haha).
I know the thread is a bit old but, anyone still around and have suggestions? Thanks
It just works for me.
Awesome tip. Thanks!
Perfect solution. Many Thanks
This worked great, thanks. However, after I upload an image there is a problem loading the image; it still says forbidden. I am using AWS CDN. Please advise what I can do to fix it, thanks.
From my understanding CloudFront should hit your site (the “origin”) as a regular HTTP user in order to cache it, so I am confused as to why you should get a different response than without it. I use the WordPress CDN that comes free with Jetpack for my images and haven’t had any issues, so maybe try that.
Yes!!! Thanks 🙂
This worked but it causes an issue with git! I don’t want to have to switch owners every time I want to update but I may have to. The search continues.
AWESOME!!
Thanks David,
I can now run my system (Joomla actually) and also SFTP with FileZilla. However, I notice that the user:group of my current server files are apache:apache, but those uploaded from FileZilla are the SFTP username as the user/group. Is this going to cause a problem? Do I have to manually change ownership of all new files uploaded to apache:apache, or is there a way that this can be automated, or is it unnecessary?
Matthew, I noticed the same but it hasn’t caused me any problems so far and I haven’t had to change any ownerships or permissions, thankfully.
Thank you!
Pleasure.
Is it best practice to have everything owned by ec2-user? I also get an error saying make sure I have the right permissions every time I save with Transmit FTP client. But it still saves.
Creating users for each of the specific tasks required and giving them the specific permissions would probably be best practice. As it is only me connecting to this VM and only via SSH I didn’t see enough benefit to outweigh the time and effort to get it right.
Thanks David. This has been a great help.
Wasn’t going to comment, but since you posted the SMD E-mix I now have to. Thanks for the help!
Thanks, dude. I have been trying to fix permission problems with Filezilla for three days now. Your solution is the only one that worked well. I could not list my directories and now I can.
Thanks
Glad to be of assistance, spent quite a while figuring all this out myself, hence the blog posts so I would remember.
I’m getting this error on EC2 when I try to add ec2-user to the group, can you help please? useradd: user ‘ec2-user’ already exists
Seems like the user has already been added, I get the same thing when I run the command again. You should be good to just run the next step without any issues. Let me know if that is not the case.
I had the same problem. Found out that if the user already exists and isn’t in the Apache group, you’ll still be unable to modify or add anything. The fix is simple. Use usermod instead: [usermod -a -G apache ec2-user]
Then restart the server [service httpd restart]. Sorted!
Thanks for pulling this together. After going through my own checklist [really who runs root’d apache installs?] I knew this is where I was heading and you confirmed it. Deployed, and all is happy. Much easier to manage.
Happy to be of assistance Andy, was bugging me for quite a while hence the post.
Hi David,
I found this post on stackoverflow quite useful, look at Jake’s answer and let me know what you think:
http://stackoverflow.com/questions/8686125/update-wordpress-theme-on-ec2
@Yannick I think that it would be more secure to use sFTP using SSH rather than a password. The last answer suggests a pretty similar thing to what I have done.
Hey David,
I’ve seen & tried several different ways to fix the WordPress permissions problems I’d had. Your documentation is the first that I’ve seen that worked well. Thank you for your sharing!
@Jeff I still have everything set up in the same way. SSH / sFTP is pretty secure and the amount of time and effort it would take to set it up in another way doesn’t justify the risk of someone breaking in that way. Just making sure I run updates to both WordPress and the Linux box on a regular basis.
I’ve got things set up the exact same way on my end. Curious to hear if you’ve come across any improvements since writing. I do feel like there are some vulnerabilities, but like you have justified by fact that apache doesn’t have login. Still feel somewhat insecure though, just seeing if you’ve adjusted anything. Thanks!
I have to admit, I only use the cpanel that my hosting provides to change permissions. I haven’t looked into multi-site WP yet. I have four slots on my hosting and four installations of WP. When I used to use Drupal, which has an amazing front end editor now btw, I always thought I should be able to host multiple sites on one installation but I could never find out how… then sometimes I just don’t know what I’m looking for!
That requires setting up an FTP server; the nice thing about the above approach is that it isn’t required and you can still update all of your plugin and theme files. I decided against running FTP for security reasons as all of my connections to the server go through SSH. Cheers for the tip though.