WordPress Permissions

I have groped my way through this a few times, and it's time to just document it authoritatively. How do I get directory permissions right on a WordPress site so that it functions correctly and does not need FTP access for maintenance?

1. MySQL

(I actually use MariaDB, of course, not MySQL.)

I have a usual way of creating a database for a web site, which grants only the four basic permissions (select, insert, update, and delete). However, WordPress needs to be able to create and modify tables, not just at installation time, but when installing and upgrading modules, as well. I have a script for this on my database server, and it has an option for granting all privileges:

mkdb -a DATABASE USERNAME PASSWORD HOSTNAME

If you're reading this without my script, that would be the following MySQL statements:

create database DATABASE;
create user 'USERNAME'@'HOSTNAME' identified by 'PASSWORD';
grant all privileges on DATABASE.* to 'USERNAME'@'HOSTNAME';
flush privileges;

2. Apache

The cleanest "Permalink" URLs are possible with the following Apache configuration. I prefer to avoid using or allowing .htaccess for security reasons, so I put this in the actual config.

<Directory DOCROOT>
	<IfModule mod_rewrite.c>
		RewriteEngine On
		RewriteBase /
		RewriteRule ^index\.php$ - [L]
		RewriteCond %{REQUEST_FILENAME} !-f
		RewriteCond %{REQUEST_FILENAME} !-d
		RewriteRule . /index.php [L]
	</IfModule>
</Directory>

3. File Permissions

chgrp -R apache DOCROOT
chmod -R g=u DOCROOT
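
To confirm that the two commands above took effect across the whole tree, a check along these lines can be run afterwards. This is an added example, not part of the original notes: the function name audit_docroot and its output labels are made up here, it assumes GNU find, and the check for world-writable entries goes beyond what the two commands set.

```shell
#!/bin/sh
# Added example: verify the result of `chgrp -R GROUP DOCROOT` and
# `chmod -R g=u DOCROOT`. Assumes GNU find (for -printf), as on RHEL.
# audit_docroot and the GROUP/MODE/WORLD labels are names made up for this sketch.
#
# Prints one line per entry that is not in the expected state:
#   GROUP <path>  group owner is not the expected web server group
#   MODE <path>   group permission bits differ from the owner's bits
#   WORLD <path>  writable by "other" (an extra check, not set by the commands above)
audit_docroot() {
    docroot=$1
    group=${2:-apache}
    # Symlinks are skipped: their own mode bits are not what access is checked against.
    find "$docroot" ! -type l -printf '%m %g %p\n' |
    while read -r mode grp path; do
        perm=$((0$mode))            # %m is octal, e.g. 644 or 2775
        owner_bits=$(( (perm >> 6) & 7 ))
        group_bits=$(( (perm >> 3) & 7 ))
        [ "$grp" = "$group" ] || printf 'GROUP %s\n' "$path"
        [ "$owner_bits" -eq "$group_bits" ] || printf 'MODE %s\n' "$path"
        [ $(( perm & 2 )) -eq 0 ] || printf 'WORLD %s\n' "$path"
    done
}

# Usage: sh SCRIPT DOCROOT [GROUP]   (no output means every entry passed)
if [ "$#" -ge 1 ]; then
    audit_docroot "$@"
fi
```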

4. SELinux

SELinux (on RHEL) comes with two default contexts for web sites, one for read-only, and one that allows the httpd process to write in the DocumentRoot. WordPress needs to be able to write.

chcon -Rt httpd_sys_rw_content_t DOCROOT

5. WordPress

Once the prerequisite file permissions are correct, WordPress needs to be told to make updates directly, rather than using FTP. Add the following entry to the wp-config.php file:

define('FS_METHOD', 'direct');