Correct permissions for WordPress on LEMP?

February 6, 2014

I'm confused about how to set permissions for a WordPress install. I've got it set up and running very well on an Ubuntu-based droplet using LEMP. The only issue I'm having is getting permissions correct. I went for the normal:

sudo chown www-data:www-data * -R
sudo usermod -a -G www-data usernamehere

That worked great, but stopped my user from creating files inside the WordPress install, which I use for manually installing some plugins. I've also tried using:

sudo chown usernamehere:www-data * -R

However, while that gives me permission, it stops WP from uploading/updating. I've also used:

sudo chmod g+s directoryname

To make it so all files created in the folder by me are owned by the web server.

Can anyone recommend a good permission setup that will allow my user to create files, allow WP to update & upload but doesn't introduce any security issues? I know a decent amount about web servers but permissions are my downfall. Any help would be greatly appreciated.
4 Answers
TL;DR: I'm looking for a permission setup that will allow WordPress to upload/update, but allow me to create files without exposing my server to security problems.
The commands you ran are fine, however there's one missing step:
sudo chmod -R g+w directoryname

This command allows users of the group that owns the files (www-data in this case) to write to the files.
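The scheme the question and this answer arrive at (user as owner, www-data as group, setgid on directories, group write), applied in one pass and then audited, as an added example that is not part of the original thread. The function names `apply_wp_perms` and `audit_wp_perms` are hypothetical, and the world-writable check is an extra the thread does not mention.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Run apply_wp_perms through sudo when OWNER or GROUP is not the invoking user.

# apply_wp_perms DIR OWNER GROUP
# Combines the thread's three commands: chown user:group, chmod g+s, chmod g+w.
apply_wp_perms() {
    local dir="$1" owner="$2" group="$3"
    chown -R "$owner:$group" "$dir" || return 1
    # Directories: setgid so new entries inherit GROUP, plus group write.
    find "$dir" -type d -exec chmod g+ws {} + || return 1
    # Files: group write so both the user and the web server can modify them.
    find "$dir" -type f -exec chmod g+w {} +
}

# audit_wp_perms DIR GROUP
# Prints one line per path that deviates from the scheme.
# Returns 0 when the tree is clean, 1 otherwise.
audit_wp_perms() {
    local dir="$1" group="$2" bad
    bad=$(
        find "$dir" ! -group "$group" \
            -exec printf 'wrong-group %s\n' {} +
        find "$dir" -type d ! -perm -2000 \
            -exec printf 'no-setgid %s\n' {} +
        find "$dir" \( -type f -o -type d \) ! -perm -020 \
            -exec printf 'not-group-writable %s\n' {} +
        # Extra check (assumption, not from the thread): nothing world-writable.
        find "$dir" \( -type f -o -type d \) -perm -002 \
            -exec printf 'world-writable %s\n' {} +
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Setgid only makes new files inherit the group; whether they are group-writable still depends on the creating process's umask, so rerunning `audit_wp_perms` after manual installs shows what needs another `chmod g+w`.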
Would that be still safe from a security point of view? I've heard people saying you should never give write access to the web server's group.

To me though I've never figured out how that is a security risk when the web server is the owner of the files anyway.
You usually shouldn't, but that would be the easiest way to enable WordPress's automatic updating system to work properly.

Check out—it's written for Apache but should work fine on nginx with some tweaks.
by Justin Ellingwood
WordPress is the most popular content management system (CMS) on the web currently. While WordPress can be a great way to manage your content, there are some very insecure configurations that are given throughout the internet. This article will cover how to set up secure updates and installations using SSH keys instead of FTP, which is an inherently insecure protocol.
  • Kamain7

    What are the tweaks? I followed the tutorial you provided a link to and I'm still unable to install themes - have yet to even try anything else. I keep getting "Public and Private keys incorrect for wp-user"
    I'm also using Nginx, with multiple server blocks on Ubuntu 14.04
