Question

Correct user/group ownership and file permissions for Joomla and WordPress sites running on Ubuntu server

Posted August 27, 2021 150 views
Tags: Apache, WordPress, Joomla, Linux Commands, Ubuntu 20.04

I am migrating some Joomla and WordPress sites from shared hosting to Digital Ocean. The servers will be running Ubuntu with a LAMP stack.

Each site will have the following permission requirements:

*  Allow the configuration.php (Joomla) to be updated using the administrator panel.
*  Allow all directories and files within /var/www/domain.com to be editable by a custom user created by me. This will happen via SFTP for one single user.
*  Allow the Joomla and WordPress update systems (core and plugins) to work from the respective admin panels. This should happen without the FTP Layer enabled (Joomla) or the equivalent on WordPress.
*  Allow for image/media uploads (images for Joomla and wp-content/uploads for WordPress) to be allowed from the Joomla and WordPress admin panels.
*  When new files or directories are created, they should inherit the user/group ownership and permissions that were previously set. Files or directories will be created from within Joomla/WordPress or via SFTP.

I have been testing out various user/group ownership settings and file permissions from an Ask Ubuntu post, but nothing has fully worked so far. Either config updates via the admin panels work and SFTP does not, or vice versa.

Any suggestions or tips are greatly appreciated.

1 answer

Hello,

By default, the Apache service runs as the www-data user on Ubuntu servers.

If you’ve used the root user to connect via SFTP, this would explain why the www-data user does not have privileges to read/write the files.

You could change the ownership of the files and folders using the chown command:

chown -R www-data:www-data /path/to/your/website/files

Make sure to change the /path/to/your/website/files with the actual path to your website files.

Hope that this helps!
Regards,
Bobby

  • Hello Bobby,

    Thanks for the reply and the info.

    I am connecting to SFTP with a user that was created when I first set up the VPS with Ubuntu and LAMP.

    I have the directories and files set to be owned by www-data and in the group www-data. When I try and edit a file with these privileges, my FTP app shows the following message.

    Couldn’t get remote handle. Make sure you have permission to modify this file.

    Directories are set to 755 and files are set to 644.

    What steps would I need to take to allow proper management of the websites, using the five list items in my original question as reference?

    Additional information:

    • PHP-FPM is installed and separate pools are set for domain.com and staging.domain.com. I did this to allow for testing newer versions of PHP on staging before applying them to production. I am not sure if this would affect permissions and ownership. I am new to server management, but am keen to learn.

    I appreciate your assistance with this issue.

    Cheers,

    • Hello,

      If your SFTP user is different from the user that the Nginx and PHP-FPM services are running as, it would explain why you are seeing the permissions problem.

      I could suggest two things:

      • Change the user that the Nginx and PHP-FPM services are running as to your SFTP user. That way when you upload files via SFTP with your user, they will have the same ownership as the Nginx and PHP-FPM users.

      • Alternatively, you could keep things as they are and change the ownership of your files and folders each time you upload files via SFTP.

      Let me know how it goes!

      Regards,
      Bobby

      • Hello Bobby,

        Thanks for the explanation.

        I think I have a good understanding now of how the ownership and permissions are working for the various users on the site.

        As I am the sole user on most of the sites, I will just adjust the ownership for the SFTP user whenever I need to update the theme/template or upload large files.

        Regarding security, are there any pitfalls for leaving the owner and group as www-data? I have set strong passwords and am using SSH keys to connect to the server via the terminal.

        I have read some Stack Overflow posts that seem to have mixed messaging on this.

        Any info is greatly appreciated.

        Cheers,

        • Hello,

          Yes indeed, this is a really big discussion, as that way the www-data user would have access to all of your website files and folders. This opens a potential security vulnerability, where if your website gets compromised, the attacker could affect all of the website files. However, as the www-data user is a low-privileged user, this should not affect the underlying operating system but the website itself only.

          With WordPress, this is more or less necessary, as if the www-data user does not have access to your files and folders, things like plugin/theme installations and updates would not work because the www-data user would not be able to deploy the new plugin/theme files.

          What I always try to do with my WordPress websites in order to keep them secure is to follow these tips here:

          https://www.digitalocean.com/community/questions/how-to-secure-wordpress-without-a-security-plugin

          Hope that this helps!
          Regards,
          Bobby

          • Hello Bobby,

            Thanks for the helpful information.

            I had been implementing the security settings in .htaccess without knowing how they worked with potentially vulnerable web server users.

            I also did the same on Joomla with the great extension called Admin Tools, which allows you to create a .htaccess file that locks down various parts of the server.

            Thanks again for the help.

            Cheers,

          • Hi Mike,

            No problem at all! Happy to help!

            Regards,
            Bobby
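
As an added example (not part of the thread, and not either poster's configuration): a read-only audit of a web root for the ownership and permission conditions the discussion turns on, namely entries outside the expected group, world-writable entries, and directories whose new files will not inherit the group. The function names are hypothetical, the sample tree is constructed, and using setgid directories for group inheritance is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: directories carry the setgid bit so new entries inherit the group.

# audit_webroot ROOT GROUP -> one finding per line: "<CODE> <path>"
#   WORLD_WRITABLE  writable by "other" (any local account can modify it)
#   NO_SETGID       directory whose new entries will not inherit its group
#   WRONG_GROUP     entry not in the expected group (name or numeric gid)
audit_webroot() {
    find "$1" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} +
    find "$1" -type d ! -perm -2000 -exec printf 'NO_SETGID %s\n' {} +
    find "$1" ! -type l ! -group "$2" -exec printf 'WRONG_GROUP %s\n' {} +
}

# count_findings ROOT GROUP CODE -> number of findings with that code
count_findings() {
    audit_webroot "$1" "$2" | grep -c "^$3 " || true
}

# Build a constructed sample tree (not a real site) and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/site/wp-content/uploads" "$t/site/cache"
    touch "$t/site/wp-config.php" "$t/site/debug.log"
    chmod 2775 "$t/site" "$t/site/wp-content"   # group-writable, setgid
    chmod 0777 "$t/site/wp-content/uploads"     # world-writable, no setgid
    chmod 0755 "$t/site/cache"                  # no setgid
    chmod g-s "$t/site/wp-content/uploads" "$t/site/cache"
    chmod 0640 "$t/site/wp-config.php"
    chmod 0666 "$t/site/debug.log"              # world-writable file
    echo "$t/site"
}

# Demo: on a real server, pass the web root and the PHP/web server group.
demo_root=$(make_sample_tree)
audit_webroot "$demo_root" "$(id -g)"
rm -rf "${demo_root%/site}"
```

On a server, run it as `audit_webroot /var/www/domain.com www-data`; it only reads metadata and changes nothing.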