Amazon EC2 Apache Setup Permissions for WordPress

I have been doing my best to figure out the Amazon EC2 Apache permissions setup that lets WordPress manage all of the files on my Amazon EC2 instance without asking for FTP permissions when I try to upload a plugin or theme via the Admin site. I ended up having to give file and group ownership of the files in my html folder to the apache user for WordPress to run correctly. This article and its comments helped me reach this conclusion.

sudo su
chown -R apache:apache /vol/html

I then set permissions to what the hardening WordPress guide recommends for my html root, as all my WordPress files are there because I am running MultiSite with multiple domains.

find /vol/html/ -type d -exec chmod 755 {} \;
find /vol/html/ -type f -exec chmod 644 {} \;

As apache doesn’t have a login, I feel this is worth the risk, though there is probably a better way to do this. I then added ec2-user to the apache group and changed the permissions of the wp-content folder to have group write permission 775.

usermod -a -G apache ec2-user   # ec2-user already exists on the instance; -a keeps its other groups
sudo chmod -R 775 /vol/html/wp-content

This allows FileZilla or any other program logged in as ec2-user the ability to change files and folders in the wp-content folder only. If anyone has a better way of doing this I would like to know. I am only using SSH and SFTP to access the server with key files.
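
An added example, not part of the original post: `chmod -R 775` also sets the execute bit on every file under wp-content, and files uploaded over SFTP keep the uploader's group unless the directories carry the setgid bit. The sketch below applies directories 2775 and files 664, then audits the tree; the function names and the script name `wp-perms.sh` are hypothetical, while the path and the `apache` group are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Target layout for a shared upload tree:
#   directories 2775  (setgid: new files and subdirectories inherit the group)
#   files        664  (group-writable, never executable)

# Apply the layout to DIR ($1) for GROUP ($2). Symlinks are left untouched.
harden_wp_content() {
    find "$1" ! -type l -exec chgrp "$2" {} +
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Print every path under DIR ($1) that deviates from the layout or from
# GROUP ($2). No output means the tree is clean.
audit_wp_content() {
    find "$1" -type d ! -perm 2775 -print
    find "$1" -type f ! -perm 664 -print
    find "$1" ! -type l ! -group "$2" -print
}

# Example run as root, using the path and group from the post:
#   sh wp-perms.sh /vol/html/wp-content apache
if [ "$#" -eq 2 ]; then
    harden_wp_content "$1" "$2"
    audit_wp_content "$1" "$2"
fi
```

With setgid in place, files uploaded by ec2-user land in the apache group automatically; whether apache can then write to them still depends on the umask the SFTP session creates them with.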

Music to Write this Code to

Simian Mobile Disco – Live @ Sonar 2012 – Nothing beats some head bending techno for head bending permissions.

 


29 comments on “Amazon EC2 Apache Setup Permissions for WordPress”

  1. This worked but it causes issues with git! I don’t want to have to switch owners every time I want to update, but I may have to. The search continues.

  2. Thanks David,
    I can now run my system (Joomla actually) and also SFTP with FileZilla. However, I notice that the user:group of my current server files are apache:apache, but those uploaded from FileZilla are the SFTP username as the user/group. Is this going to cause a problem? Do I have to manually change ownership of all new files uploaded to apache:apache, or is there a way that this can be automated, or is it unnecessary?

  3. Is it best practice to have everything owned by ec2-user? I also get an error saying make sure I have the right permissions every time I save with Transmit FTP client. But it still saves.

    • Creating users for each of the specific tasks required and giving them the specific permissions would probably be best practice. As it is only me connecting to this VM and only via SSH I didn’t see enough benefit to outweigh the time and effort to get it right.

  4. Thanks, dude. I have been trying to fix permission problems with Filezilla for three days now. Your solution is the only one that worked well. I could not list my directories and now I can.

    Thanks

  5. I’m getting this error on EC2 when I try to add ec2-user to the group. Can you help, please? useradd: user ‘ec2-user’ already exists

    • Seems like the user has already been added, I get the same thing when I run the command again. You should be good to just run the next step without any issues. Let me know if that is not the case.

      • I had the same problem. Found out that if the user already exists and isn’t in the Apache group, you’ll still be unable to modify or add anything. The fix is simple. Use usermod instead: [usermod -a -G apache ec2-user]
        Then restart the server [service httpd restart]. Sorted!

  6. Thanks for pulling this together. After going through my own checklist [really who runs root’d apache installs?] I knew this is where I was heading and you confirmed it. Deployed, and all is happy. Much easier to manage.

  7. Hey David,
    I’ve seen & tried several different ways to fix the WordPress permissions problems I’d had. Your documentation is the first that I’ve seen that worked well. Thank you for your sharing!

  8. @Jeff I still have everything set up in the same way. SSH / sFTP is pretty secure and the amount of time and effort it would take to set it up in another way doesn’t justify the risk of someone breaking in that way. Just making sure I run updates to both WordPress and the Linux box on a regular basis.

  9. I’ve got things set up the exact same way on my end. Curious to hear if you’ve come across any improvements since writing. I do feel like there are some vulnerabilities, but like you I have justified it by the fact that apache doesn’t have a login. Still feel somewhat insecure though, just seeing if you’ve adjusted anything. Thanks!

  10. I have to admit, I only use the cPanel that my hosting provides to change permissions. I haven’t looked into multi-site WP yet. I have four slots on my hosting and four installations of WP. When I used to use Drupal, which has an amazing front end editor now btw, I always thought I should be able to host multiple sites on one installation but I could never find out how… then sometimes I just don’t know what I’m looking for!

  11. That requires setting up an FTP server. The nice thing about the above approach is that it isn’t required and you can still update all of your plugin and theme files. I decided against running FTP for security reasons as all of my connections to the server go through SSH. Cheers for the tip though.
