How do I enable Wordpress to update itself through its back end?

  • Posted September 30, 2013

On hosts where I didn’t have the control over the server that I have now, I could update Wordpress’ core, plugins, themes and the like from Wordpress’ back end. Now, running multiple sites on virtual servers, if I try to update something, I get the following prompt:

"To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed." Under that are boxes for the Hostname, FTP User, and FTP Password, and then radio buttons for FTP or FTP (SSL).

I’ve tried the IP address of my server, the name of my server, ‘localhost’, and the domain name of the site I’m trying to update - none of which work. I’m able to log in to FTP (SSL) with Cyberduck with user/password when pointing to the server’s IP, but it seems Wordpress doesn’t know what to do with that.

Could someone help me fix this problem?



I don’t even have an FTP server, as I’ve solely been using WinSCP port 22 to upload and download files using explorer mode. I’m running an Ubuntu 16.04 SSD VPS, which would probably translate to a droplet in DO terms. I tried adding

# adduser wordpressuser www-data
# chown wordpressuser:www-data -R /var/www/html
# reboot

The same thing still kept happening.


Bingo! Permissions problems, indeed!

Easy fix, my friend:

sudo chown -R www-data:www-data /var/www

Thanks, ethan.

As far as I know, apache should be running as ‘www-data’. Try allowing www-data to write to /var/www/

sudo chgrp -R www-data /var/www/
sudo chmod -R g+w /var/www/
find /var/www/ -type d -exec chmod g+s {} \;

The first command changes the group ownership of every file in /var/www/ to be owned by the group ‘www-data’. The second command allows members of the file’s group to write to the file (+w). The third command searches for directories in /var/www/ and sets setgid so that new subdirectories/subfiles are also owned by the group ‘www-data’.

Please let me know if that helps.

Thanks.


Awesome Pablo! worked:)

I would recommend disallowing all writing permissions for the www-data user and using the wp-cli command line tool to update Wordpress yourself (or with a cron job). You can also use the wp-cli tool to install themes and plugins. The only time you need to enable writing for the www-data user is when there is a version update (like from 4.2 to 4.3), otherwise these kinds of upgrades don’t work with wp-cli, but afterwards you can disable writing permission again. On minor version upgrades the command line tool works like a charm.

By doing that, if one of your sites is ever hacked they won’t be able to change any files in the server (like injecting malicious code in php files).

I wrote a blog post with security tips for Wordpress:
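To check what the web-server account can actually modify after applying either approach discussed in this thread (the recursive chown/chmod g+w, or the locked-down layout recommended in the comment above), here is an audit script added as an example; it is not part of the original thread. The `www-data` defaults come from the answers, while the function names and the `audit.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults: web user and group
# www-data, as named in the answers above.

# web_writable ROOT [USER] [GROUP]
# Print every path under ROOT that USER could modify:
#   - anything USER owns (an owner can always chmod its own files),
#   - anything with group GROUP and the group-write bit (chmod g+w),
#   - anything world-writable.
# Symlinks are skipped: their own mode bits are not used for access checks.
web_writable() {
    root=$1 user=${2:-www-data} group=${3:-www-data}
    find "$root" ! -type l \( \
        -user "$user" \
        -o \( -group "$group" -perm -020 \) \
        -o -perm -002 \
    \) -print
}

# Number of modifiable paths (assumes no newlines in file names).
count_web_writable() {
    web_writable "$@" | wc -l | tr -d ' '
}

# Number of modifiable PHP files: the ones that could be tampered with
# if the web-server account were compromised.
count_web_writable_php() {
    web_writable "$@" | grep '\.php$' | wc -l | tr -d ' '
}

# Stand-alone use (hypothetical file name): ./audit.sh /var/www [user] [group]
if [ "$#" -gt 0 ]; then
    echo "modifiable paths: $(count_web_writable "$@")"
    echo "modifiable PHP files: $(count_web_writable_php "$@")"
fi
```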

Running this command fixed the “Must connect via FTP / SFTP / SSH2” message:

sudo chown -R www-data:www-data /var/www

I am having this same issue but I am wondering if I can use the same solution with my set up.

I have LEMP stack and installed wordpress via this tutorial,

I also ran, ls -la /var/www as Pablo suggested before and this is what I got,

Should I also run, sudo chown -R www-data:www-data /var/www ?

Hey Pablo,

If it is a security risk, then would this be the best method for fixing the issue? I’m also facing the same issue myself and I’ve been searching for countless hours for the most reasonable, yet, most secure way of fixing this issue.

“…how to create directories that are automatically owned by www-data.”

I’ve never really thought this through, but I wonder if doing so (assuming it’s possible) would present some security risks? Given that not only WordPress, but your webserver also operates under the www-data user account – what if your sites were hit by a DDoS attack?

You wouldn’t want the hijacker to be able to start creating additional directories on your server.