Share via:

To Perform the Requested Action, WordPress Needs to Access Your Web Server

No, Wordpress really does not need FTP access to update or install plugins. But, you might want to use a more secure way to manage your site. Find out why in this article!

201 views

Edited: 2020-01-31 18:06

To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.

Changing directory permissions for Wordpress.

There is a problem that might happen when attempting to install a new plugin in Wordpress, the problem will cause users to be met with a message informing them that they need FTP or FTPS access.

However, the message is missleading, as you really should not need FTP access just to update the site. The problem often happens because of a missconfigured server, and can be easily solved by assigning the required permissions.

For security reasons, however, you might not want to allow installing plugins or changing the site significantly from the browser based administration. If you are a developer working on a site for a client, you should instead consider using wp-cli to develop the site, and not allow the client to use browser based administration to do development work.

You could just provide the FTP credentials, as they will not be stored persistently. However, this is really impractical when developing a site, as you will just be prompted again, and again..

Caused by incorrect permissions

The problem is often caused because of incorrect file permissions on the server. To solve the problem, developers should make sure that the relevant Wordpress directories is writable by the web server's user account. For example, if the host is running the Apache web server, the user account for the web server will often be "www-data".

Ideally, a web application should be allowed to write to its own directories, and it should be described in the documentation which exact directories needs write-permissions.

For example, if an application, such as Wordpress, has an auto-update feature that can be used in a browser, then the web-server will need full write access in order to update the files. However, for security reasons this is not always good, since there could be a lurking security hole in the application.

Note. For security reasons, it is recommended only to give access to the directories necessary for the application to carry out the work it needs. But, simply giving full access to the root of the application (I.e. /var/www/some-app/ should not lead to any problems unless the application has an actual vulnerability and is hacked.

With Wordpress, I have seen this happen many times, so you best assume the worst!

It is mostly about damage-control when something does happen—and with Wordpress, you best assume that the app is not secure, especially since it relies on plugins and third party developers that should not trusted..

Now, while developing a site, it is fine to grant full permissions:

sudo chown www-data:www-data -R /var/www/my-wordpress-site/
sudo chmod 755 -R /var/www/my-wordpress-site/

Then change back the permissions once done:

sudo chown my-ftp-user:my-ftp-user -R /var/www/my-wordpress-site/

After finishing the development process, you best limit access to directories that needs to be writable, such as the uploads directory for users personal files. Also, be sure to regularly backup the data, as your site might still get hacked and you could loose data in those writable places.

Note. The above will assign www-data as the owner, of all the files. The meaning is [USER]:[GROUP]. In this case the group is not relevant, but it may be in case you need more complex permissions configured.

The command line is more secure

Alternatively, you could also use wp-cli to maintain the site, rather than the browser-based administration tools. Doing things from the command line will also ensure that a developer does not accidentally forget to change back the permissions after fiddling around in the browser-based administration.

Developers should be very comfortable doing this, and, ideally, you probably should not allow clients to make changes to their Wordpress installations from a browser, as it can be a great security risk.

Once you got wp-cli installed, you will be able to install a plugin in a given Wordpress installation with these commands:

cd /var/www/my-wordpress-site/
wp plugin install some-plugin-name
wp plugin activate some-plugin-name

Plugins will usually be using a database rather than the local file-system, which means you should generally be able to use the plugin from the Wordpress browser administration. If not, simply change the permissions on the directories used by the given plugin.

I am not against using the local file system, very far from it in fact, but we really should be careful about which directories and files we make writable.

Links

  1. wp-cli - wp-cli.org
  2. Wordpress File Permissions - wordpress.org

Comments