WordPress won’t upload plugins? Try this…

UPDATE: There’s some good discussion on this topic, including alternatives, in the Advanced WP group on Facebook. If you’re not already a member, join us and check it out!

Recently, I was trying to add a couple plugins to a new site and ran into the dreaded FTP credentials screen, telling me that WordPress won’t upload plugins on its own.

This was an issue because there weren’t any FTP credentials on this server in particular.  It was set up as a development server with only SSH access.  Of course, I could install the plugins using SSH or WP-CLI, but people without shell access needed to be able to install plugins.

Before modifying config files, make sure your permissions are correct.  This may fix any issues you are having without having to do further modification.

The Copy/Paste Solution

Luckily, as is often the case with WordPress, there is a solution.  If you came to this post looking for just a copy/paste solution here it is:

define( 'FS_METHOD', 'direct' );

After inserting that line into wp-config.php, I was back to installing plugins through wp-admin.

But there were still questions about what this solution actually changed. So I started digging.

What is FS_METHOD?

FS_METHOD is a definable constant that specifies the file system method WordPress should use. It can be ‘direct’, ‘ssh2’, ‘ftpext’, or ‘ftpsockets’.

From the WordPress Codex:

Generally, you should only change this if you are experiencing update problems. If you change it and it doesn’t help, change it back/remove it.

Note that your selection here has serious security implications. If you are not familiar with them, you should seek help before making a change.

We will explore some of those security implications below. First let’s look at what each of the possible values of FS_METHOD means.

  • ‘direct’ forces it to use Direct File I/O requests from within PHP.
  • ‘ssh2’ is to force the usage of the SSH PHP Extension if installed
  • ‘ftpext’ is to force the usage of the FTP PHP Extension for FTP Access
  • ‘ftpsockets’ utilises the PHP Sockets Class for FTP Access.

Setting the constant to direct like we did above enables WordPress (and PHP) to manipulate the file system directly. This can be great, and works much of the time, but it is also where security concerns can creep in.

Security Concerns

Using the direct method, PHP manipulates the filesystem as the Linux user executing PHP. Sometimes, this is a different user than is running WordPress.

On a shared host, your site is on the same server as hundreds of other sites. In some cases, this means the user running PHP is the same across many different sites, not just your own.

This means that other users’ PHP code can run with the same permissions as your PHP user. Files downloaded with the direct method are owned by the PHP user.

Because the permissions on those files are set to the shared PHP user instead of your specific WordPress user, anyone running on the same server can manipulate them.

For a more concrete example:

If you upload a file using PHP, the Linux user that is executing PHP owns the file. This user can now edit, delete, execute, etc. the file. This is okay as long as you are the only user who is executing PHP on your system.

Let’s assume you are on a “poorly” configured shared host. A lot of people run their PHP websites on this system. Let’s say only one Linux user is executing PHP for all these people. One of the webmasters on this shared host has bad intentions. He sees your page and he figures out the path to your WordPress installation. For example, WP_DEBUG is set to true and there is an error message like

[warning] /var/www/vhosts/userxyz/wp-content/plugins/bad-plugin/doesnt-execute-correctly.php on line 1

“Ha!” the bad boy says. Let’s see if this guy has set FS_METHOD to direct, and he writes a script like

<?php unlink( '/var/www/vhosts/userxyz/wp-content/plugins/bad-plugin/doesnt-execute-correctly.php' ); ?>

Since only one user is running PHP and this user is also used by the bad boy, he can alter/delete/execute the files on your system if you have uploaded them via PHP and thereby made the PHP user their owner.

Your site is hacked.

Should you use FS_METHOD when WordPress won’t upload plugins?

If you’re running into installation/update problems, first check your file permissions.  The WordPress user should be able to edit the wp-content directory.

If your permissions are correct, try putting FS_METHOD in your config and see if that corrects the issue.

There are definitely some concerns with using FS_METHOD to remedy your installation/update problems. In my case, WordPress was running on a dedicated server that I knew only I had access to.  On shared hosting, it’s worth being cautious because you never have full control of your server.
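
One way to carry out the permission check recommended above, as an added example that is not part of the original post: these shell functions list anything under wp-content that is not owned by your own account or is group/world-writable, and report whether wp-config.php forces FS_METHOD to direct. The function names are assumptions, and the sample path and account name are borrowed from the error message shown earlier.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the conditions discussed above.
# Function names, the install path and the account name are assumptions.

# Print entries NOT owned by the expected account, e.g. plugin files that a
# shared PHP user created after FS_METHOD was set to 'direct'.
foreign_owned() {    # usage: foreign_owned <dir> <user-or-uid>
    find "$1" ! -user "$2" -print
}

# Print files and directories writable by group or by everyone.
loosely_writable() { # usage: loosely_writable <dir>
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Succeed if an uncommented define() pins FS_METHOD to 'direct'.
forces_direct() {    # usage: forces_direct <path/to/wp-config.php>
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]FS_METHOD['\"][[:space:]]*,[[:space:]]*['\"]direct['\"]" "$1" 2>/dev/null
}

# Run all three checks; returns non-zero if anything needs attention.
audit_wp() {         # usage: audit_wp <wp-root> <user-or-uid>
    root=$1 owner=$2 status=0
    if forces_direct "$root/wp-config.php"; then
        echo "NOTE: wp-config.php forces FS_METHOD to 'direct'"
    fi
    out=$(foreign_owned "$root/wp-content" "$owner")
    [ -z "$out" ] || { printf 'Not owned by %s:\n%s\n' "$owner" "$out"; status=1; }
    out=$(loosely_writable "$root/wp-content")
    [ -z "$out" ] || { printf 'Group/world-writable:\n%s\n' "$out"; status=1; }
    return "$status"
}

# Example: sh audit.sh /var/www/vhosts/userxyz userxyz
if [ "$#" -eq 2 ]; then
    audit_wp "$1" "$2"
fi
```

Files reported as not owned by your account are the ones a shared PHP user could modify or delete, which is the situation the concrete example above describes.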