Jul 04

How to Get WordPress Working Under PHP safe_mode on NearlyFreeSpeech.net

NearlyFreeSpeech.net does not get along well with a brand-new WordPress installation. The WordPress installation will do stuff like this:

  • Refuse to upload a file, with an error message like this:

    “Unable to create directory [blah blah blah]. Is its parent directory writable by the server?”

  • Refuse to allow you to edit a theme or plugin file, with the message:

    “If this file were writable you could edit it.”

  • When you try to change your permalink structure, or to set “Organize my uploads into month- and year-based folders” to “on,” give you these messages:

    “You should update your .htaccess now.”

    “If your .htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.”

This stuff happens because NearlyFreeSpeech has PHP safe_mode turned on, which limits what PHP scripts can do. Specifically, under NearlyFreeSpeech’s setup of safe_mode, a PHP script cannot edit a file or folder that does not have the same “group” as it does. Also, PHP scripts that are going to be writing files must be part of the “web” group. (See their blog post going into more detail about this here, and the safe_mode documentation here.)

(Ironically, though safe_mode does this to protect users from attack, the actual effect is often to weaken security, as confused WordPress/Mambo/Gallery/etc users change their file permissions to “777″ trying to fix broken features, opening themselves up to attacks to which they wouldn’t have been vulnerable before.

(Oh, and if you’re on another host and reading this, and want to figure out if your host has safe_mode enabled, make a file in your hosting account named somethingorother.php and containing this text, then open it in your browser.))

So, for WordPress to work right on NearlyFreeSpeech, the main WordPress directory and everything in it need to be part of group “web.” The reason the fresh WordPress install doesn’t work, is that by default, everything you upload is part of group “me.” To make it work right, you need to change that.

To do this, you’re going to need to get into the shell and do some command-line stuff. And, uhh, if you have no idea what that sentence means (and it’s kind of a wussy sentence), please consider backing away from this guide and going to tech support. I seriously cannot take responsibility for bad stuff that might happen to your website if you do this blind.

(Also, please keep in mind that I’m working from NearlyFreeSpeech’s server conditions as of this particular moment in time – they may have changed stuff by the time you read this.)

Still here? Okay. The rest of this tutorial assumes that,

1) You have WordPress installed already, and you know what directory it’s in.

2) You know how to use an FTP client.

Okay. Here’s what you do:

-

1)

Download Putty.

2)

Download and install the FTP client FileZilla. You won’t actually be using it to do much, but it makes it much easier to see what Putty’s doing.

It doesn’t absolutely have to be FileZilla – if you’ve got another FTP client installed, and it can do SFTP and can show you a file’s permissions, owner, and group, then that’s fine.

3)

Open Putty. There’ll be a box that says “Host Name (or IP address).” Into that box, paste “ssh.phx.nearlyfreespeech.net”. This is NearlyFreeSpeech’s SSH Hostname.

4)

Hit the “Open” button. The first time you do this, you will see a very scary-looking dialog box, saying something like “The server’s host key is not cached in the registry. Indescribably horrible things will happen to you if you click ‘Yes’ down there. My brother died that way.” It’s probably fine, hit “Yes.”

5)

A terrifying terminal window will appear, black as a moonless night. It will say “login as:” Type in your username. This is the same as your FTP username, and can be found on your “Site Information” page.

6)

It’ll ask you for your password. Type that in.

7)

Open FileZilla and log into your account using SFTP. You do that exactly the same way you log in using normal FTP, except that you put “ssh.phx.nearlyfreespeech.net” in the “Host” box instead of “ftp.phx.nearlyfreespeech.net,” and select “SFTP” instead of “FTP” in the “Servertype” box.

The first time you do this, there should be a dialog box asking if you’re sure you want to go through with this and talking about bad guys coming to get you, but you can just ignore it. They’re probably very small bad guys.

When you’re logged in, navigate to the directory WordPress is installed in and look at your file permissions and owner/group columns. Go into a few subdirectories and check them out, too.

In all likelihood, your owner/group column says “me me” all the way down. (If you have an .htaccess file in there, it may possibly say “web me” or “web web.” Don’t worry about it.) Ideally, your file permissions are all set to 664, and your directory permissions are set to 775. If not, we’ll change them in a minute.

7a)

Oh, and if you don’t have an .htaccess file in the main WordPress directory, create an empty one now.

8)

Putty starts out in your “htdocs” directory, aka your “public” directory. If you installed WordPress directly in this directory, skip to the next step.

If not, we need to change directories, using the brilliantly named bash command “cd”. Figure out the pathname for your directory, and type in:

cd path

For example, if your WordPress installation’s in /htdocs/wordpress or /htdocs/personal/wordpress,

cd wordpress
cd personal/wordpress

9)

Okay, so you’re in your WordPress directory. Type in

ls -al

A long list of all the files in the directory will appear. The entries should look something like this:

drwxrwxr-x 8 me me 2048 Jul 3 11:06 wp-admin
-rw-rw-r-- 1 me me 32776 Jul 3 10:54 wp-app.php
-rw-rw-r-- 1 me me 129 Jul 3 10:54 wp-atom.php
-rw-rw-r-- 1 me me 1026 Jul 3 10:54 wp-blog-header.php

Yeah, it looks pretty much like what you’re seeing in FileZilla. The incomprehensible string of characters at the beginning of each line represents the file’s permissions, and the “me me” after it means that the file’s user and group are both “me.”

10)

This is the part where we actually change something. We will be changing every single file and subdirectory in your WordPress installation at once. If you’re going to chicken out, do so now.

We’re first going to change everything in the directory’s group to “web”. The command to do that is

chgrp -R web *

Type that in and hit enter. There’ll probably be a short pause before the command line reappears again.

Once it has, go into FileZilla, move to another directory, then move back. Your owner/group column should now say “me web” all the way down (except possibly for the .htaccess file, which might say “web web”). Now move into a couple of subdirectories and check them out. We did it!

11)

We probbbably did it. Just to double-check, go back to Putty, and type in

find . -group me

This will search for any files in the directory that are still part of group “me”. If you installed WordPress via Subversion, there may still be some in a directory called .svn. You can ignore those – as long as there aren’t any others, you’re safe.

12)

Now we’re going to make sure your file and directory permissions are all correct. They should be fine already – a fresh WordPress install has the correct permissions automatically – but if you or anyone else has been fiddling around with the installation trying to fix things, you may have changed some to 777 or something, which is not good. So just to be paranoid, we’re going to reset them to the default.

First, we want to change all your files’ permissions to 664 – that is, group-writable. To do that, type

find . -type f -exec chmod 664 {} \;

Now, we’ll change all the directories’ permissions to 775 (group-writable all-executable, because directories need to be executable if you ever think you’ll want to, you know, open them):

find . -type d -exec chmod 775 {} \;

Annnd go check around in FileZilla to make sure everything looks right.

13)

Now go test whatever didn’t work before in your WordPress installation. Hopefully it works now!

14)

Remember that whenever you upload a new file via FTP, its group will always be “me” by default. This means that next time you upgrade or install a plugin that needs to be able to write to files, you’re going to need to go back into Putty and change everything to group “web.” Again, the command to do that is:

chgrp -R web *

(I updated this post to add step 14 on 7/12/08, because I forgot about this myself and got very grumpy at the Google Sitemaps plugin.)

64 Responses to “How to Get WordPress Working Under PHP safe_mode on NearlyFreeSpeech.net”

  1. thanks. this information is exactly what I was looking for.

  2. Glad you found it useful!

  3. Why do you have that files have All+Read and directories have All+ReadExecute? Isn’t it sufficient to limit these permissions to Owner and Group?

  4. No idea. Those seem to be WordPress’s preferred permissions, so I stuck with them.

  5. These settings aren’t secure. Check out the nearlyfreespeech forums. There is a lot of recent postings about hacking wordpress. While these instructions do get it up and running to start with, I don’t see why you would need all+write, and I questions whether you would want to leave group+write turned on all the time. Needs more research.

    Sorry it’s taken me a while to respond to this – I haven’t had the energy to hack around in my settings for a while.

    Apologies if I said something to make this unclear, but neither 775 nor 664 are all+write settings. They’re all+read, and though I’ve gotten an NFS WordPress installation working with files at 660 (public can’t read) since writing this, I’ve seen people on the forums saying they’ve found 664 to be necessary. I’m not sure why this would be the case, but it seems best to me to leave it that way.

    I probably need to rewrite the post to make this more clear, but as I tried to say in my introduction, I wrote this guide to address the broken file-upload-and-editing issues. To enable that functionality, yeah, group+write does, in fact, have to be turned on all the time. In this situation, 775 and 664 permissions are as low as you can go.

    If you don’t need upload to work, then you can go down to 755 and 644, and even leave everything’s group set to “me”. But the directions I’ve given here are for setting up a WordPress install with full functionality, not a perfectly secure one. It would certainly be more secure to SSH in and change your permissions before each upload/template edit/whatever, but that’s impractical for people who use these functions frequently (I’m one), and impossible if you want to update from a public computer.

  6. Actually, SSH is possible from a public computer:

    http://www-stu.cai.cam.ac.uk/ssh/

    I guess technically it is (though that depends on the quality of the public computer), but I don’t think most people would find it very convenient.

  7. You are my savior. Thank you for this post, it has been crystal clear and is precisely what was needed.

  8. Awesome. chgrp -R web * is exactly the command I was too dumb to figure out. Thanks.

  9. Thank you so much! This has me on the right track, I’m sure, but I’ve still got the same upload error. The group on all of my wordpress files and folders is now ‘web’, the permissions are as they should be, but still no go. It doesn’t make sense for this to be the case to me, but is there some host event I have to wait for before the changes affect NFS’s apache process?

    And it’s frightening how many discussions of this problem end with folks rejoicing in their discovery of the anything goes permissions non-solution.

    I don’t think so, no – or, I didn’t have to wait for anything. Are you still getting the same error messages as before, or have they switched to new and more exciting error messages?

    (If all else fails, I strongly advise contacting NFS tech support – I’m definitely not an expert.)

  10. Thank you for your help!

  11. [...] Nearly Free Speech – (Proper permissions required – http://www.sarahpin.com/2008/07/04/how-to-get-wordpress-working-under-php-safe_mode-on-nearlyfreespe…) [...]

  12. Thanks so much for the detailed instructions – they were just what I needed. I had been cruising the wordpress help files and all I could find was to change the permissions to 777. I’m not a rocket scientist, but even I could tell that wasn’t the best idea in the world. Thanks again!

  13. great article. just the thing that i was looking for…but in step 11 what is i still have “me” group? what should i do? i keep getting “operation not permitted” and my uploaded images aren’t showing anymore. please help. thanks

    What do you mean by “still have “me” group?” Were you unable to change any of your files to group “web”?

    If you upload images or other files using the WordPress upload interface after doing all these steps, those files will automatically be both group “web” and owner “web,” which means the “chgrp -R web *” command won’t work on them. My understanding is that this is because when you’re logged in via SSH, unless you’ve got root access (which you probably don’t), you’re logged in as user “me,” and so aren’t allowed to edit the permissions on stuff that belongs to user “web”. WordPress itself functions as user “web.”

    However, this shouldn’t prevent your images from being displayed on your website, and it doesn’t mean you can’t delete or replace them via FTP or the WordPress interface itself.

    @espi I also had problems with my images not showing. All of the images I uploaded through the WP upload interface would show as missing (question mark where the image should be) in the WP interface as well as on my blog.

    I fixed it by making sure that under SETTINGS > MISCELLANEOUS, the “Store uploads in this folder” field was filled in with “wp-content/uploads”. Prior to me changing it, it read simply “wp-content”. All of my images ended up in the “wp-content” folder and for some reason I am not familiar with are apparently not able to be used from that folder.

    Once I changed the field to “wp-content/uploads” (I also checked the boxes that read “Organize my uploads into month- and year-based folders” and “Track Links’ Update Times” but I have no idea weather that was necessary) all worked fine.

    Just another of the seemingly eternal mystery of getting NFS and WP to play nice with each other.

    That one’s actually purely a WordPress problem – it’ll happen on any host. They didn’t need any help from NFS.

  14. I wish I had known this page earlier. :)

  15. [...] I host on NearlyFreeSpeech.net and their service and value (for moderate traffic volume sites) is awesome.  But they are a fiddle under the hood host and not everything works without some tuning.  WordPress takes some work and automatic updates aren’t possible without some permission changes.  Some people just open everything up (777) which opens their site right up to attack.  Here’s a post that explains how to change permissions without leaving the barn door wide open. [...]

  16. You are brilliant. Thank you. Only change I had to make was to specify the ownership of the .htaccess file directly, i.e.
    chgrp -R web .htaccess

  17. Oh. My. God. I could curse, I’m so happy. Really.

    After a fair amount of searching (and banging of head against wall) I found this article. And so far it is exactly what I needed. Although, really, I had no idea I would need this much (for me) in-depth technical knowledge to get an install of WordPress working on a host that said that it was ready-to-go for hosting WP sites. It (NFS), conveniently, didn’t mention the compromises one would be making to do so (time, stress, …).

    Anyway, I’ll hopefully get over my frustration at feeling just a taaaad bamboozled by the good folks at NFS if, in the end, I am saving $$$. And oh, what we’ll do to save $$$. These are hard economic times, after all.

    So, a hearty thank you for putting this together. I heart this post so much I copied and pasted and created a PDF file just in case anything should happen to this precious work. Ahhh, the magic of blogs combined with the spirit of giving. Truly wonderful.

    A question, though: with my FTP app (Transmit, on the Mac, if you must know … along with the Terminal.app), with both the “ssh.phx.nearlyfreespeech.net” and a “ftp.phx.nearlyfreespeech.net” connection open, I noticed that when I used the terminal command (chgrp -R web *, I believe) to change the group from “me” to “web” in the “ssh” view the group number in the “ftp” view changed from … well, I can’t remember now … maybe “155817″, as that is what the .htaccess file still has associated with it, to “25000″. Would it be possible, using my FTP app tp modify the group from whatever it was before to “25000″ without needing to go through a the Terminal.app and all of the commands you list above?

    I suppose I will try it myself and get back to you but, in the interim, what are your thoughts?

    Glad you found it helpful. :)

    You can’t change a file’s group to web while logged into http://ftp.phx.nearlyfreespeech.net – you’ve got to have shell access, which means you need to be logged into ssh.phx.nearlyfreespeech.net. I just looked it up, and you can log in securely using Transmit – it’ll look just like any normal FTP session, and you just use the same login information as you normally do, but change the address from “ftp.[...]” to “ssh.[...]“, and make sure you’ve got the connection protocol set to “SSH” or “SFTP”. (I’ve never used Transmit, so I’m not sure which it’ll say, but there should be an option to switch from “FTP” to one or the other.)

    However, I don’t know whether Transmit will have any command to let you actually use chgrp while logged in that way – you’ll have the privileges necessary to do it, but not all FTP clients bother to include an actual command to allow you to use those privileges, if that makes any sense. This page suggests that there should be an option for changing a file’s group in Transmit’s “Get Info” window, so I’d see if you can find that.

    (There’s actually at least one Windows-based FTP program, WinSCP, that will let you change a file’s owner and group through the UI, but I didn’t cover it here because (at the time I was writing this, anyway) it couldn’t recurse through subdirectories. So you’d have to go through and change the contents of every directory individually. With a WordPress installation, this would take a really long time. Also, the program issued a bunch of individual commands through your own computer rather than one command on the server, which is wasteful both time- and bandwidth-wise. So it’s easier to understand, but very, very slow and frustrating.

    Whether Transmit can do this any more intelligently, I don’t know – if you can get it work, please post about it here, for the edification of future generations!)

    OK. So, no, I couldn’t get it to work: Transmit, even while logged in securely via SSH, does not have the ability to change the group of a file or a series of files. Now, I could be wrong on this; I didn’t spend much time looking for the feature.

    When I opened up the info box for a file there was no explicit method for doing what I wanted to do. Other than that, I dug around in Transmit’s preferences for a few minutes. Still, no dice. I suppose that, if I was hell-bent on finding a definitive answer as to weather or not Transmit had the ability to change a files’ group I could email Panic. I’m not hell-bent.

  18. Thanks, this guide was very helpful!

  19. Great article – I got WP auto-upgrades and plugins to work, but lost my media uploads, which were working before. My whole wp-content directory is giving me “operation not permitted” and the group owner is a number. Here is a snippet from NFS support:


    118544 is you (formerly “me”), so if that’s the owner you should be able to do what you need to do. Let us know which files/directories have web/25000 ownership that you’d like changed back to you and we’ll take care of it.

    That number seems to be just for one of my sites, as it is a different one for other sites I have on NFS. Once I get this figured out, I will make it part of my default install procedure. Painful, but this has been my only complain about NFS.

    The “operation not permitted” issue happens because files that you upload through the WordPress interface are always owned by user “web”/25000. When you log into FTP, you’re doing so as user “me,” and so can’t modify files belonging to “web.” This is a little annoying, but I’ve never actually had it cause any problems with WordPress, because (theoretically, at least!) WordPress itself can still access and edit the files. Can you explain how you “lost” the uploads?

    (Apologies for the delay in responding here.)

  20. I followed your guide to the dot, then went back into wp, disabled plugins, typed in the ftp hostname and login,and started the auto upgrade. The problem is the page starts loading indefinitely. If I open a new tab and go to wp-admin/index.php it shows that WP is now the new version but since it never finished I assume some parts didnt get updated….any idea on whats causing it to load indefinitely? Is the version number the last thing to get changed or the first? If it is last I can probably just assume it upgraded fine. Could it have something to do with PHP script memory llimit?

    I would be interested in any thoughts anyone had on this as well. Upgrade behavior has been odd for me as well. I have had to become very patient with the process, sometimes needing to go through it twice before the upgrade seems to “catch”. It still takes a significantly greater amount of time to accomplish than I was formerly accustomed to before moving to NFS. At this point, whenever I upgrade, I now hit the upgrade button, enter my NFS password and then go off somewhere else (on the web or in the house) and let the process do it’s thing. It *seems* to work fine in the end – it displays the proper WP version number after it is all over – but I have always wondered if there was anything I needed to be concerned about given the length of the process and how often I find myself having to finally say “enough-is-enough” and reload the page manually or re-navigate back to my site to see weather the upgrade has taken or not.

    It’s been my experience that WordPress’s automatic upgrade functions just don’t work very well on any host – I’ve experimented with them on NFS, ASmallOrange, and Yahoo, and I don’t recall ever having had a problem-free experience. If you’re comfortable with the command line, I’d suggest updating using Subversion, which has always worked fairly smoothly and quickly for me.

    If you’re finding that WordPress works properly, my guess would be that it did upgrade correctly and you don’t need to worry about it. If something’s broken, however, you may want to back everything up and do a manual or Subversion upgrade. (Which I would recommend sticking to in most cases anyway.)

  21. Thanks much for this. Great Tutorial.

  22. oaowebmonkey says:

    What I did to get auto upgrades of plugins limping along on NearlyFreeSpeech.net was

    in the wordpress directory, did
    chgrp -R web *
    Added a “tmp” directory under the wordpress blog directory owned by group “web”
    Added the following lines to ”wp-config” to point wordpress temp directory to it
    if ( !defined(‘WP_TEMP_DIR’) )
    define(‘WP_TEMP_DIR’, dirname(__FILE__) . ‘/tmp/’);

  23. Your instructions worked great. Thank you.

  24. New Blogger says:

    I Love You. I really do. I would even buy you flowers and dinner for what you have shared with us! Thanks to you I now have a working blog.

    While following your steps, I found that instead of having “me” as a group it had the following: 166839 166839

    The proper files were still web web. I thought it was strange, and even after changing the group as your instructions said, there was no change in how this displayed in both putty and filezilla. However, I tested uploading to my blog and it worked like a charm! I am not sure what is going on with the group thing, but somehow it must have worked. I’m curious as to what the deal is with that. In any case, Thank you so much!

  25. Great step by step tutorial. However, even after changing the group to web, I still can’t seem to upload files and images. I’m managing to work around it by weblinking images from another folder instead of uploading, but it’s still pretty annoying. I’m not getting any new scary messages either, just the same ones.

    On another note, any idea why my group was originally set to an odd number, rather than “me”?

    Check your settings for the upload folder in the WordPress admin area at http://your site here]/wp-admin/options-misc.php

    Sometimes there is something in the “Store uploads in this folder” field when it should be blank.

    Do you mean the options.php file? There’s a line for upload path, that has something like /f1/content/databasename/public/blogname/wp-content already in it.

    For the record, I’m using WordPress 3.0.

    Whoops, sorry for the double post. I found the option in options-media.php. Things are working great now.

  26. Perfect! Thanks, it worked for me (fixed WordPress permalinks). :D

  27. This is the best guide. Worked fabulously for me, thank you!

  28. [...] be configured via the command line to get WordPress to work correctly. After an exhaustive search, Snarp’s post allowed me to get things working correctly without leaving my file permissions wide open.  Now [...]

  29. Hey many thanks for the details. Combined with the helpful post over at the NFSN member forum (https://members.nearlyfreespeech.net/forums/viewtopic.php?t=3720) this really made my day!

  30. [...] Note: This is, by far, a more comprehensive and useful guide: http://www.sarahpin.com/2008/07/04/how-to-get-wordpress-working-under-php-safe_mode-on-nearlyfreespe… [...]

  31. You are awesome. I was having the same issues installing WordPress with my nearlyfeespeech host, and this worked perfectly. Well done. Thanks!

  32. [...] nearlyfreespeech uses php safe_mode which can’t be turned off. This script basically allows writing to files only when the ‘owner’ and ‘group’ names are the same. By default, WordPress uses the group name ‘me,’ or something similar, while you might use something else, like ‘web.’ You can check ownership, groups, and permissions using most FTP clients. So, while WordPress installed correctly, and the Photocrati theme installed correctly, I still got error messages about file permissions and “blah blah this needs to be writable blah blah.” To fix this, you need to connect to your host via SSH and change the group name for WordPress, and while you’re at it, set the permissions of your directories and files to the appropriate levels. This also needs to be done every time an automatic upgrade takes place, or any new plugin gets installed. There is a much more detailed description on this blog. [...]

  33. Ahhhhhh! I’ve been trying to fix this for AGES!!! THANK YOU

  34. Thanks so much, I couldn’t upload images at all because of the permissions. I will say just in case anyone else has this problem, I didn’t use FileZilla. I used FireFTP (in-browser FTP, Firefox add-on) and I’m not sure if that had anything to do with this, but there was no “me” nor “web”. Instead, when you right click and select “Properties” on a file/folder, next to “user”/”group” it should have a number. I was in Putty instead of seeing “me”/”web” repeatedly, I saw the number. So when I had to type “find . -group me”, I replaced “me” with the number, and that worked (because typing it exactly the way described in the guide, with “me” instead of the number, didn’t work.) Hope this helps somebody.

  35. THANK YOU. This is exactly what I was looking for. What an easy fix, actually. I can’t believe how unhelpful nfs is.

  36. [...] ran a quick Google search on the problem and found a solution that works. Here are the instructions (from the author’s [...]

  37. [...] to fix a similar issue with my new Drupal install, I can across a post detailing a solution for How to Get WordPress Working Under PHP safe_mode on NearlyFreeSpeech.net, and believe it or not it works. Thank you, Sarah Pin! It’s a long process written out, but [...]

  38. I’m just curious what creating an empty .htaccess file is going to do. Does this file remain empty and just hang out in the WP folder?

    WordPress needs to be able to write to .htaccess. It’s supposed to create a copy of its own if it can’t find one, but a few times I’ve found that it hasn’t.

  39. +1 to all the praise. You’re advice really helped me. Now up and running!

  40. [...] was incredibly helpful, and it’s worked like a charm since. (Minus managing file permissions. This post from a NearlyFreeSpeech user really helped [...]

  41. If you leave permissions -rw-rw-r– me:web doesn’t that mean that everyone can read all your files? Doesn’t it also mean that any web (all web processes on the shared host) can read and write to your directory?

  42. [...] you’re interested in the technical details of this, visit this blog for the original source of the following information. Otherwise, just follow these [...]

  43. какая – то недосказанность…

  44. I LOVE YOU. thank you thank you thank you!

  45. Thank you so much for writing this up! I was getting quite frustrated, and this was the solution.

  46. [...] [1] [2] Posted in [...]

  47. You. Are. So. Extremely. Awesome.
    Thank you, thank you, thank you for this!

  48. [...] How to Get WordPress Working Under PHP safe_mode [...]

Leave a Reply

You must be logged in to post a comment.