Why doesn't chown -R root:www-data work on my Wordpress installation?

July 29, 2015 11.5k views
WordPress Security Nginx Ubuntu

Quite some time ago, I was following this tutorial which showed me how to install Wordpress on an NGINX + Ubuntu (LEMP) setup:


I got stuck on this portion for quite some time back then as I used root as the user for this instruction snippet below:

The group that nginx operates under is www-data. For the user portion, enter your user account name. We will demonstrate with an account called demo here:

sudo chown -R demo:www-data /var/www/html/*

To clarify, it didn't give me any errors or anything, but what I found out was that if I used root:www-data for my file ownership settings, I wouldn't be able to add / update plugins / edit code on the site. It would always prompt me for FTP / SFTP details, in which it would fail even if i entered the correct credentials due to the permissions being drwxr-xr-x (Owner has write permission).

So i tried this:

sudo chown -R www-data:www-data /var/www/html/*

and it worked -- I was able to write / update plugins freely as the Wordpress site admin.

However, I now have a roughly better understanding of how ownership and groups work, and I'm concerned that by doing chown -R www-data:www-data, I opened a security flaw on my own.

Am I doing it right? Why didn't root:www-data work for being able to update the site in the first place?

2 Answers

I researched the same problem and I found the solution.
The trick is to add your user "demo" to the group www-data (since www-data is a group)

add user "demo" to group "www-data" (below replace demo with your username)

sudo usermod -a -G www-data demo

set permissions for user group www-data

sudo chgrp -R www-data /var/www/html

followed by

sudo chmod -R g+w /var/www/html

Now you can modify files as "demo" via SFTP and your wordpress installation can modify files without requesting credentials

Since the nginx process is running as www-data the root:www-data ownership would only work with group write permissions set. There is no major issue with running with your web files owned by www-data:www-data but if you are concerned you could give ownership of wp-content to www-data and leave the rest of the install as root:www-data.

Have another answer? Share your knowledge.