When WordPress 5.5 upgrade asks for FTP access ...

When WordPress 5.5 upgrade asks for FTP access ...

Some years ago, my brother asked me for building a website for their parkour and freerunning group. I was like - sure, but I need to ensure that site updates are reliable.

Back in 2012, I was a heavy WordPress user, with an Elegant Themes theme included for building blocks. This changed over time with now running Ghost (private) and Middleman deployed with GitLab (work).

teamobsession.at is still running, and once every while, there comes a new WordPress major version, lately 5.5 released this week. I wanted to spend some cycles on our Family and Friends day at GitLab to update the family tech stack :-)

WP asks for FTP access

I have seen this before but could not remember the cause. I never use the old-fashioned FTP way, nor would I expose my SSH credentials. SSH keys everywhere.

This means that WP thinks it is not able to write to disk and update the content of the wp-content directory.

Verify permissions on disk

Navigating into the WP installation path: Looks OK on my terminal, and the previous plugin updates worked as well.

# ls -lah 
drwxrwxr-x 10 www-data www-data 4.0K Aug 14 13:39 wp-content

In case you need to update the wp-content permissions, avoid the magic chmod -R 775 ... command. This makes files executable which is not needed and may open security problems. Instead, update them by file or directory type.

find . -type d -exec sh -c 'chmod 775 {}' \;
find . -type f -exec sh -c 'chmod 664 {}' \;

Wrong webserver user?

Diving deeper: The setup runs on a VM with an Nginx proxy and PHP FPM. This avoid previous problems with Apache memory leaks and resource consuming processes. I've also switched to Nginx because I've found the configuration to be more reliable to manage. Before you ask: I'm too lazy to rebuild everything in Docker, I only do that with new projects like this site.

The check for running processes and their username matches www-data as directory owner above.

# ps aux | grep www-data

www-data 28235  0.9  8.5 567544 170200 ?       S    13:07   0:26 php-fpm: pool www
www-data 28257  1.1  8.5 569372 170196 ?       S    13:08   0:29 php-fpm: pool www
www-data 29134  0.7  8.1 562880 162524 ?       S    13:19   0:14 php-fpm: pool www
www-data 29436  0.0  0.4 146056  9436 ?        S    13:25   0:01 nginx: worker process

App Armor and SELinux friends are not active on this Ubuntu host.

Use your Google foo

  • First idea: wordpress update access to ftp server
  • First round of research and learning more about the updater.
  • wordpress 5.5 no ftp finally led to some sites which discussed possible solutions.
  • One of them mentioned the direct filesystem method which lead to the solution.
  • Another one mentions that too but I did not understand the meaning of it first.
  • Also to mention - this one follows my thinking of fastCGI, and is a good pointer too.

I was wondering about the FS_METHOD setting - why would I need to set that manually, this seems to be a new requirement. I've edited wp-config.php and add the constant definition at the end ( esc shift+4 enter o in vim).

vim wp-config.php 

/** Setup direct method for WP, auto-update without FTP */

VoilĂ !

Bug or Security Feature?

I did a "post mortem" search: fs_method director wordpress breaking change. This triggered the right keywords and has shown that this is an ongoing problem. It seems WP now uses the index.php file to detect file access which may lead into false positives.

There are security considerations with leaving the setting intact on a shared web host. Even though I control the entire VM, I have commented the setting again - and will come back when the upgrade fails again next time.

/** Setup direct method for WP, auto-update without FTP */