WordPress Auto-Updates and File Permissions

1. The problem I’m having:

According to the WordPress hardening guide, auto-updates write all files with 0644 permissions and all directories are set to 0755.

I was previously guided to use 660 and 770 respectively in this thread so that Caddy (which is in the www-data group) can read the WordPress content. This was part of the solution that solved 403 errors.

I now fear that when WordPress auto-updates, 403 errors will re-emerge and I’ll have to SSH into the server every time to run the chmod commands. Is my fear unfounded, or is there a fix (such as editing the caddy systemd service to use the www-data user)?

2. Error messages and/or full log output:

$ ls -al /var/www/gracefulart/wordpress
total 244
drwxrwx---  5 www-data www-data  4096 Jan  4 08:17 .
drwxrws---  4 www-data www-data  4096 Jan  2 14:45 ..
-rw-rw----  1 www-data www-data   405 Feb  6  2020 index.php
-rw-rw----  1 www-data www-data 19915 Jan  1  2023 license.txt
-rw-rw----  1 www-data www-data  7399 Jul  5  2023 readme.html
-rw-rw----  1 www-data www-data   132 Jan  2 15:19 .user.ini
-rw-rw----  1 www-data www-data  7211 May 12  2023 wp-activate.php
drwxrwx---  9 www-data www-data  4096 Dec  6 16:25 wp-admin
-rw-rw----  1 www-data www-data   351 Feb  6  2020 wp-blog-header.php
-rw-rw----  1 www-data www-data  2323 Jun 14  2023 wp-comments-post.php
-r--r-----  1 www-data www-data  3656 Jan  2 16:15 wp-config.php
-rw-rw----  1 www-data www-data  3013 Nov 15 17:47 wp-config-sample.php
drwxrwx---  9 www-data www-data  4096 Jan  4 10:56 wp-content
-rw-rw----  1 www-data www-data  5638 May 30  2023 wp-cron.php
drwxrwx--- 27 www-data www-data 12288 Dec  6 16:25 wp-includes
-rw-rw----  1 www-data www-data  2502 Nov 26  2022 wp-links-opml.php
-rw-rw----  1 www-data www-data  3927 Jul 16 13:16 wp-load.php
-rw-rw----  1 www-data www-data 50924 Sep 29 23:01 wp-login.php
-rw-rw----  1 www-data www-data  8525 Sep 16 07:50 wp-mail.php
-rw-rw----  1 www-data www-data 26409 Oct 10 15:05 wp-settings.php
-rw-rw----  1 www-data www-data 34385 Jun 19  2023 wp-signup.php
-rw-rw----  1 www-data www-data  4885 Jun 22  2023 wp-trackback.php
-rw-rw----  1 www-data www-data  3154 Sep 30 08:39 xmlrpc.php

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04.3. Running Caddy on bare metal.

b. Command:

sudo systemctl restart caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

n/a

The caddy user is also part of the www-data group, so as long as the files are group-owned by www-data and have r for group, then you’ll be fine.


Thanks for your reassurance!

As a test, I ran:

sudo find /var/www -type d -exec chmod 0755 {} \;
sudo find /var/www -type f -exec chmod 0644 {} \;

And the websites continue to work just fine.
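A small audit script (added here as an example; it is not from the thread, from Caddy, or from WordPress) that checks the two conditions the answer above relies on: that the service user is a member of the group owning the web root, and that no file or directory under that root lacks the group read (and, for directories, traverse) bit. It assumes GNU or BSD `find` and `id`; the `/var/www` path and the `caddy`/`www-data` names match this thread but are only defaults.

```shell
#!/bin/sh
# Example audit, not part of the original thread: report anything under a web
# root that a group member (here the caddy user, in the www-data group) could
# not read or traverse. Such entries are what produce 403s after a chmod mix-up.

# Succeeds when user $1 is listed among the groups of $2 (primary or supplementary).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Print each directory lacking group r+x and each file lacking group r
# under root $1. Empty output means a group member can serve the whole tree.
audit_group_readable() {
    find "$1" -type d ! -perm -g+rx
    find "$1" -type f ! -perm -g+r
}

# Same check against the "other" bits, i.e. the 0755/0644 layout that
# WordPress auto-updates write. Empty output means the tree is world-readable.
audit_world_readable() {
    find "$1" -type d ! -perm -o+rx
    find "$1" -type f ! -perm -o+r
}

# Number of offending entries for root $1, usable from cron or a deploy hook.
count_group_unreadable() {
    audit_group_readable "$1" | wc -l | tr -d ' '
}

count_world_unreadable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Stand-alone use: audit the thread's layout for the caddy user.
if [ "${1:-}" = "--run" ]; then
    root="${2:-/var/www}"
    in_group caddy www-data || echo "caddy is NOT in www-data"
    echo "entries not group-readable under $root: $(count_group_unreadable "$root")"
    echo "entries not world-readable under $root: $(count_world_unreadable "$root")"
fi
```

Run it as `sh audit.sh --run /var/www`; a non-zero group count is the thing to fix before trusting auto-updates, and the world count drops to zero after the 0755/0644 `find ... chmod` pass shown above.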

