Anyone familiar with creating, supporting and running a website has no doubt used WordPress at some point. WordPress powers around 25% of the web – a figure that rises every day. Everything from simple websites, to blogs, to complex portals and enterprise websites, and even applications, is built with WordPress.
As a webhosting and website design specialist, I have been helping businesses run their websites using WordPress since 2005. With so many themes and plug-ins available, the possibilities for creating a unique website are endless. Even my 65-year-old mother uses WordPress to blog about her latest recipe or vacation experience.
With the popularity of WordPress comes a darker side. WordPress is also one of the most vulnerable platforms to hacking and attacks. In most weeks, a new vulnerability is discovered and exploited, rendering websites, and the servers they run on, unusable. More importantly, these vulnerabilities can also expose personal information about you and your website's visitors. This is why it’s so very important to diligently update your WordPress installation as new updates become available.
I recently had a customer come to me with an issue updating her install of WordPress to the latest and greatest version. She had recently changed to a new web hosting company, and like so many other WordPress users, she was trying to use the “one-click update” tool available in the WordPress administration dashboard. The error she received was…
“The update cannot be installed because we will be unable to copy some files. This is usually due to inconsistent file permissions.: wp-admin/includes/update-core.php”
She had three so-called “competent” WordPress consultants try to figure out why this error was being displayed. None could figure out a solution to get WordPress to update properly. Personally, I was shocked that so many years of combined experience couldn’t fix a simple WordPress update error. Or was it so simple?
The “Try This!” Mentality
With so many others using WordPress, you have to figure that this is not the first time someone has encountered this error. A quick Google search of this error returns over 100 results. Diving right in, it was apparent that this error had something to do with file and directory permissions. As I read through the experiences of other WordPress users, it occurred to me that the “try this” mentality was not the best way to handle the issue. Sometimes the suggestion would fix the problem, but more often than not, it wouldn’t. And there was always another “try this” recommendation as another potential fix. I wondered: after each failed attempt to fix the issue, did the user back out of the changes that he or she had just made? Or was each attempt compounded on top of the last? No wonder some WordPress installs have such screwed up permissions.
The “One-Click Update” Skinny
My search finally led me to a document in the WordPress Codex that explained why “one-click updates” were encountering errors. Combined with some of the other interesting experiences I read about, things finally made sense. According to WordPress documentation …
“One-click updates work on most servers. Here’s the technical criteria for what must be satisfied:
(a) file ownership: all of your WordPress files must be owned by the user under which your web server executes. In other words, the owner of your WordPress files must match the user under which your web server executes. The web server user (named “apache”, “web”, “www”, “nobody”, or some such) is not necessarily the owner of your WordPress files. Typically, WordPress files are owned by the ftp user which uploaded the original files. If there is no match between the owner of your WordPress files and the user under which your web server executes, you won’t be able to update using the “Update Now” button.
(b) file permissions: all of your WordPress files must be either owner writable by, or group writable by, the user under which your Apache server executes.”
If you are not a technical person, let me break this down in a way that will hopefully make sense. Basically, it has to do with permissions (who can read and write to these files) and who “owns” the files.
Most people host their WordPress blogs and websites with a web host in a shared environment, also called shared hosting. This means your website and as many as a few hundred other websites are all hosted on the same server. To help keep each website secure from the others, the files and directories for each site are owned by the Admin user of the site. When you upload files to your website using FTP, it’s typically done using this user account. For example purposes, we’ll use “wpuser1”.
Each server runs a web server application. For example, Apache is used for Linux-based servers. Apache is just one component running on this server, along with maybe a database and a mail application, amongst others. Each one of these applications needs a user account to interact with the rest of the system. In the case of the Apache application, this user is commonly named “apache”, “web”, “www”, “nobody”, or anything else. The most common is “Apache”.
The “one-click update” for WordPress relies on the web server user (in our case, Apache) to handle the file updates. This is where the problem resides. The Apache user is trying to update, or write to, files that it does not own. You could change the ownership of the WordPress files to the same user that the web server uses, but this is not recommended. According to WordPress…
“On shared hosts, WordPress files should specifically NOT be owned by the web server.”
Allowing a general user such as Apache to have write capability to YOUR files gives someone who knows what they are doing the ability to potentially access your site with nefarious intentions. Most successful hack attempts are done through the vulnerabilities between the application (WordPress) and/or the web server/web server user. There’s a reason why your files are owned by your user account with specific permissions.
Additionally, you could change the permission level of the WordPress files and directory structure to a level that is writable by the Apache user, but this also creates major security concerns.
If you can update your WordPress with the “One-click Update” feature, be aware that your file and directory permissions and/or ownership may be inconsistent. Your permissions and ownership should be checked immediately to confirm you do not have potential vulnerabilities.
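One way to run that check, shown here as an added example that is not part of the original article or of WordPress's own tooling: the Python function below walks an install and reports every file or directory that the web server account owns or can write to. The function names, the uid/gid arguments and the sample tree are assumptions constructed for illustration; on a real host you would pass the numeric uid and gids of your web server user.

```python
import os
import stat
import tempfile


def audit_wp_tree(root, web_uid, web_gids=()):
    """Return (relative_path, reason) for entries the web server account can modify."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        rel = os.path.relpath(path, root)
        if st.st_uid == web_uid:
            findings.append((rel, "owned by web server user"))
        if st.st_mode & stat.S_IWGRP and st.st_gid in web_gids:
            findings.append((rel, "group-writable by web server group"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return findings


def build_sample_tree():
    """Constructed sample install: sane entries plus one world-writable file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-admin", "includes"))
    layout = {
        ".": 0o755,
        "wp-admin": 0o755,
        os.path.join("wp-admin", "includes"): 0o755,
        os.path.join("wp-admin", "includes", "update-core.php"): 0o644,
        "wp-config.php": 0o666,  # the kind of leftover a "try this" fix creates
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # Assumption: the web server uid differs from the uid that owns the files.
    for rel, reason in audit_wp_tree(sample, web_uid=os.getuid() + 1):
        print(f"{rel}: {reason}")
```

An empty result means the web server account cannot modify anything in the tree, which is also the state in which the “one-click update” will refuse to run.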
So, you ask, what is the answer?
The answer is doing a manual update. This is by far the safest and most secure way to update your WordPress. Is it the easiest or fastest way? No. But it will make sure that WordPress gets updated without having to change the permissions or the ownership of files and directories.
Manual updates should always be done by a competent person who knows what they are doing.
**NOTE** Always remember to make a current backup of your site before doing any major WordPress updates. Just in case something goes wrong, you will be able to restore your site to a point prior to the failed update.
The following WordPress article explains everything about updating WordPress. It also includes the steps for manual updating. http://codex.wordpress.org/Updating_WordPress
If you need a competent person to design, update, support, maintain, install or host WordPress for you, contact me, firstname.lastname@example.org. I’ll be happy to work with you.