Can I install/update WordPress plugins without providing FTP access?
A

32

646

I am using WordPress on my live server which only uses SFTP using an SSH key.

I want to install and upgrade plugins, but it appears that you are required to enter your FTP login to install the plugins. Is there a way to install and upgrade plugins by manually uploading the files instead of having WordPress handle the entire process?

Aligarh answered 12/3, 2009 at 20:46 Comment(3)
Yes you can. Simply using cPanel or any other file upload tool you have; upload the zipped plugin and extract into wp-content/plugins/ then from wp dashboard go to plugins tab and enable it.Arrange
If using a VPS, should try this: https://mcmap.net/q/65043/-file_put_contents-failed-to-open-stream-permission-deniedHammered
@Arrange If your comment was listed as an answer I would upvote it again, that was the most helpful.Chook
G
839

WordPress will only prompt you for your FTP connection information while trying to install plugins or a WordPress update if it cannot write to /wp-content directly. Otherwise, if your web server has write access to the necessary files, it will take care of the updates and installation automatically. This method does not require you to have FTP/SFTP or SSH access, but it does require you to have specific file permissions set up on your webserver.

It will try various methods in order, and fall back on FTP if Direct and SSH methods are unavailable.

https://github.com/WordPress/WordPress/blob/4.2.2/wp-admin/includes/file.php#L912

WordPress will try to write a temporary file to your /wp-content directory. If this succeeds, it compares the ownership of the file with its own uid, and if there is a match it will allow you to use the 'direct' method of installing plugins, themes, or updates.

Now, if for some reason you do not want to rely on the automatic check for which filesystem method to use, you can define a constant, 'FS_METHOD' in your wp-config.php file, that is either 'direct', 'ssh', 'ftpext' or 'ftpsockets' and it will use that method. Keep in mind that if you set this to 'direct', but your web user (the username under which your web server runs) does not have proper write permissions, you will receive an error.

In summary, if you do not want to (or you cannot) change permissions on wp-content so your web server has write permissions, then add this to your wp-config.php file:

define('FS_METHOD', 'direct');

Permissions explained here:

Goddess answered 13/4, 2011 at 13:25 Comment(11)
I had to do: sudo chown -R www-data wp-content as well as granting write permissionsSandhurst
The use of getmyuid on line 876 is arguably incorrect here, as it returns the UID of the script owner, not the script executor. I believe it should be posix_getuid.Characterize
This was exactly my problem. After I corrected the permissions using CHOWN I was all set. Thanks for the help!Piste
What are the security implications of this approach?Hamford
If you want to see under which user is php running, you can use this: print_r(posix_getpwuid(posix_geteuid())); You can add the code in the wp-config file.Prelate
You must add this option but you only need to change the perms on wp-content/pluginsSeat
chown -R www-data wordpress/wp-content did not work for me, but chown -R www-data wordpress didOccasional
Simple on Windows... icacls wp-content /grant wordpressaccount:(OI)(CI)(M)Brunobruns
Thanks for giving me the shortcut to the solution instead of hours of trying it to fix while not even understanding the problem behind it and why it reacts like that.Hobbledehoy
SELinux context required is httpd_sys_rw_content_t.Melodie
This is the first hit on this question, and it has been wrong for over 10 years - you need to fix it. You need to give the web server write access, and (not or) you must set FS_METHOD to direct. If WP has a mechanism to determine if wp-content is writeable, it's broken, period. I can log in as www-data and directly create a file in wp-content, but WP will still refuse to update without the FS_METHOD fix.Enterovirus
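A read-only way to see which branch of the detection described in the answer above a given site will take, as an added example that is not WordPress code and not part of the original answers. It assumes the ownership comparison is against the owner of the WordPress script files (as the comment about getmyuid says), that the first FS_METHOD define in wp-config.php wins, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not WordPress code. Predicts from stat data alone (nothing is
# written to the site) which way the check described in the answer would go.
# Assumptions: stat supports -c (GNU/busybox); only classic mode bits are
# considered (no ACLs, SELinux contexts, or supplementary groups).

# can_create UID GID DIR -> exit 0 if that uid/gid may create files in DIR
can_create() {
    uid=$1; gid=$2
    owner=$(stat -c '%u' "$3"); group=$(stat -c '%g' "$3"); mode=$(stat -c '%a' "$3")
    if [ "$uid" -eq 0 ]; then return 0; fi      # root ignores mode bits
    if [ "$uid" -eq "$owner" ]; then bits=$(( 0$mode >> 6 ))
    elif [ "$gid" -eq "$group" ]; then bits=$(( 0$mode >> 3 ))
    else bits=$(( 0$mode )); fi
    [ $(( bits & 3 )) -eq 3 ]                   # needs w and x on the directory
}

# forced_fs_method WP_CONFIG -> value of the first uncommented FS_METHOD define.
# PHP keeps the first definition of a constant, so a later define is ignored.
forced_fs_method() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]FS_METHOD['\"][[:space:]]*,[[:space:]]*['\"]\([a-z0-9]*\)['\"].*/\1/p" "$1" | head -n 1
}

# predict_fs_method WP_ROOT WEB_UID WEB_GID
# Prints: forced:<method> | direct | prompt:not-writable | prompt:owner-mismatch
predict_fs_method() {
    root=$1; web_uid=$2; web_gid=$3
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        forced=$(forced_fs_method "$cfg")
        if [ -n "$forced" ]; then echo "forced:$forced"; return 0; fi
    fi
    if ! can_create "$web_uid" "$web_gid" "$root/wp-content"; then
        echo "prompt:not-writable"; return 0
    fi
    # A temp file created by the web user belongs to the web user, so the
    # comparison reduces to: are the WordPress scripts owned by that same uid?
    if [ "$(stat -c '%u' "$root/wp-admin/includes/file.php")" -eq "$web_uid" ]; then
        echo "direct"
    else
        echo "prompt:owner-mismatch"
    fi
}

# Usage: sh this-script /var/www/html "$(id -u www-data)" "$(id -g www-data)"
if [ "$#" -eq 3 ]; then predict_fs_method "$@"; fi
```

A result of prompt:owner-mismatch is the case where the web user can write to wp-content yet the prompt still appears, which is where forcing FS_METHOD changes the outcome.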
A
284

As stated before none of the perm fixes work anymore. You need to change the perms accordingly AND put the following in your wp-config.php:

define('FS_METHOD', 'direct');
Acting answered 22/2, 2012 at 19:36 Comment(8)
Even though I had the correct permissions such that the web server could write to the plugins directory and wp-content directory, this setting fixed it so the admin did not prompt for the FTP/SFTP settings for updating plugins. Thank you. Worked perfectly.Rewrite
I had to explicitly do this as well.Plesiosaur
When did they make this a requirement?Cutin
I also had to rely on this setting, on the WP installed by the debian package on Ubuntu 12.04. Otherwise, permissions were alright, wp-content has rwx permission for group www-data...Rudolfrudolfo
Watch to make sure the following isn't already in the wp-config.php file: define('FS_METHOD','ftpext'); In this case, placing define('FS_METHOD', 'direct'); at the bottom of the file won't work. You'll have to erase or comment out the define('FS_METHOD','ftpext'); This might be particularly likely to happen if you've migrated from another server that required FTP.Godgiven
You must add this option but you only need to change the perms on wp-content/pluginsSeat
I can confirm I did not change permissions, tested upload and failed, implemented this code snippet and upload succeeded. I am on 4.4 WP.Wheen
This worked for me. IE you have to change the permissions AND also add the configuration parameter. I am using Wordpress 4.7.2Amin
M
118

Just wanted to add that you must NEVER set the wp-content permission or permission of any folder to 777.

This is what I had to do:

1) I set the ownership of the wordpress folder (recursively) to the apache user, like so:

# chown -R apache wordpress/

2) I changed the group ownership of the wordpress folder (recursively) to the apache group, like so:

# chgrp -R apache wordpress/

3) give owner full privilege to the directory, like so:

# chmod u+wrx wordpress/*

And that did the job. My wp-content folder has 755 permissions, btw.

TL;DR version:

# chown -R apache:apache wordpress
# chmod u+wrx wordpress/*
Mello answered 17/5, 2013 at 22:34 Comment(13)
setting your wordpress as owned by apache is just as bad as setting 777. The result is the same: any php script can now alter your wordpress files. Best option is to chown apache:apache temporary, install your updates and chown back to original OR use the ssh/ftp trickPeake
I disagree. It's not quite the same as setting to 777. Any user in the machine would have write access if you set the permissions to 777. That is a problem in itself. and while you are correct, that apache can alter php files now, that would be the intent in the first place (in order to update or install anything). If somebody manages to put malicious php files in the server, that's a whole new problem and chowning to different users would do little to help.Mello
Thanks, it saved my day too, as i don't have FTP privileges, but only root access.Comeuppance
Hello, this worked great for me! My server setup is that the /var/www/vhosts/mydomain.com is owned by root, and the /var/www/vhosts/mydomain.com/public_html is owned by another user (this is so that the domain is jailed). Would i need to use the apache user for this, or could i stick to the user i have setup?Ventail
can someone explain why do you need to have 755 permission instead of 750, because except you and apache no one else doesn't need access to files or folders correct? all files folders accessed by apache when when accessing from outside, even when uploading files. so why do we need to give 755 permission that others can have access. appreciate if someone can explain, thanksManille
This is the only one that helped me! Thanks a lot, after years developing Wordpress sites, this is still a classic problem!Minded
If you're running WordPress under an unusual build, stick this in a PHP file to check who Apache is running as (ubuntu, for example, is www-data): <?php echo exec('whoami'); ?>Paraplegia
This worked for me on ubuntu except i didnt have to do a chmod. Just sudo chown -R www-data:www-data wp-content ( see Imperative note above) My wordpress permissions are default (wp-content is drwxr-xr-x) (I have been following the 'install on ubuntu' instructions on the web). Thanks. I also feel like network accessible ftp and/or ssh solutions have their own security problems, i dont understand how chown to apache's user is worse. There is some info at codex.wordpress.org/Hardening_WordPress Thanks againKarlkarla
i suggest using chmod -R u+rwX .... -R for recursive setting, and X instead of x so that only folders are set as executable. Not a good idea to have all files executable, you never know what may happenDaisydaitzman
Thanks for mentioning the permissions that need to fix the issue.Intangible
Any user can use a PHP script to still access your files. This is terrible practice. DO NOT DO THIS.Barbital
In case anyone is using VirtualMin, the user is your domain name (without the top level domain): chown -R mydomain:mydomain wordpress/Dismember
is this method secure?Armanda
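The trade-offs argued over in this answer and its comments (777, execute bits on plain files, and the web user owning everything rather than only wp-content) can be checked on an existing install. The following audit is an added example, not code from any poster; the function name audit_wp_perms and the finding labels are hypothetical, and it only reads metadata.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree for the three permission
# patterns debated above. Prints one finding per line as "<label> <path>".
# Assumptions: paths contain no newlines; WEB_UID is the numeric uid that the
# web server / PHP runs as (for example the output of: id -u www-data).

# audit_wp_perms WP_ROOT WEB_UID
audit_wp_perms() {
    root=$1; web_uid=$2

    # 1. Anything writable by every local user (the result of chmod 777).
    #    Symlinks are skipped because their own mode bits are meaningless.
    find "$root" ! -type l -perm -0002 -print |
        sed 's/^/world-writable /'

    # 2. Regular files carrying an execute bit (the result of a recursive
    #    chmod 755 or u+wrx; chmod -R u+rwX avoids it for plain files).
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
        sed 's/^/executable-file /'

    # 3. Files outside wp-content that the web user owns, meaning code running
    #    as the web server can rewrite WordPress core and wp-config.php.
    find "$root" -path "$root/wp-content" -prune -o \
        -type f -user "$web_uid" -print |
        sed 's/^/web-owned-outside-wp-content /'
}

# Usage: sh this-script /var/www/html "$(id -u www-data)"
if [ "$#" -eq 2 ]; then audit_wp_perms "$@"; fi
```

An empty result for the first two labels and web-owned files confined to wp-content corresponds to the narrower setup several commenters recommend.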
B
69
  1. In wp-config.php add define('FS_METHOD', 'direct');
  2. Make server writable the directories wp-content/, wp-content/plugins/.
  3. Install the plugin (copy the plugin dir into the wp-content/plugins dir).

Worked on version 3.2.1

Ballonet answered 16/4, 2012 at 5:5 Comment(3)
Worked on version 4.0 as well.Zedoary
You must add this option but you only need to change the perms on wp-content/pluginsSeat
This is explicitly the steps you should take to install a plugin without getting prompted for FTP info. You can take the steps to Harden WordPress with permissions, and then make these 2 changes, and you should remain mostly secure.Captivity
L
34

Just a quick change to wp-config.php

define('FS_METHOD','direct');

That’s it, enjoy your wordpress updates without ftp!

Alternate Method:

There are hosts out there that will prevent this method from working to ease your WordPress updating. Fortunately, there is another way to keep this pest from prompting you for your FTP user name and password.

Again, after the MYSQL login declarations in your wp-config.php file, add the following:

define("FTP_HOST", "localhost");
define("FTP_USER", "yourftpusername");
define("FTP_PASS", "yourftppassword");
Louannlouanna answered 26/12, 2014 at 12:41 Comment(0)
L
29

Change from php_mod to fastcgi with cgi & SuEXEC enabled (ISPConfig users). Works for me.

If it doesn't work, try to change wp-content to 775 as root or sudo user:

chmod -R 775 ./wp-content

Then Add to wp-config.php:

define('FS_METHOD', 'direct');

Good Luck

Langan answered 11/9, 2017 at 17:18 Comment(0)
S
23

Usually you can just upload your plugin to the wp-content\plugins directory. If you don't have access to this directory via SFTP I'm afraid you may be stuck.

Sallust answered 12/3, 2009 at 20:59 Comment(1)
Yep, just drop 'em in wp-content/plugins.Ciliary
T
22

In order to enable the use of SSH2 for your updates and theme uploads, you have to generate your SSH keys and have the PHP SSH module installed. Then WordPress will detect that you have SSH2 available and you'll see a different option (SSH2) displayed when doing an upload/upgrade.

1.) Make sure you have the PHP module installed for debian it is:

sudo apt-get install libssh2-php

2.) Generate SSH keys, adding a passphrase is optional:

ssh-keygen
cd  ~/.ssh
cp id_rsa.pub authorized_keys

3.) Change the permission so that WordPress can access those keys:

cd ~
chmod 755 .ssh
chmod 644 .ssh/*

Now you'll get the SSH2 option when doing an upload/upgrade/plugin.

4.) For added ease you can setup the defaults in your wp-config.php and this will pre-populate the SSH credentials in the WordPress upload window.

define('FTP_PUBKEY','/home/<user>/.ssh/id_rsa.pub');
define('FTP_PRIKEY','/home/<user>/.ssh/id_rsa');
define('FTP_USER','<user>');
define('FTP_PASS','passphrase');
define('FTP_HOST','domain.com');

The 'passphrase' is optional; if you don't set up a passphrase during ssh-keygen, then don't add it in wp-config.php

This solved my issue. And I didn't have to do the chown at all. But I have seen this method referenced in other places.

References:

Transposition answered 16/6, 2013 at 16:53 Comment(4)
i am not a security expert, and i realize wordpress included this capability and thought it was OK.... but i do not feel good about this... 1. having an ssh account with no passphrase, (anyone who ever gets the private key can then login remotely any time they want without a password) and 2. having a passphrase stored in plaintext (see 1). it reminds me of rsh, depending on the idea that "nobody will have access to my local files" to protect the network password to a system.Karlkarla
I'm sure you can generate the passphrase and NOT add it to wp-config.php, then you'll just have to type it in when you get to the Connection Information dialog.Transposition
It IS a huge security hole to use an unencrypted private key this way. But you can mitigate the problem by prepending a "from=whatever " to the relevant line in authorized_keys.Xyster
This is great, but seems there's an incompatibility with php7: core.trac.wordpress.org/ticket/35517Fuld
L
19

You can get it very easily by typing the following command on command prompt

sudo chown -R www-data:www-data your_folder_name

or copy & paste the following code in your wp-config.php file.

define('FS_METHOD', 'direct');

Where "your_folder_name" is the folder where your WordPress is installed inside this folder.

Lavonia answered 21/6, 2014 at 7:32 Comment(0)
S
16

If you're on Ubuntu, a quick solution that worked for me is giving ownership to the Apache user (www-data by default) like so:

cd your_wordpress_directory
sudo chown -R www-data wp-content
sudo chmod -R 755 wp-content
Sandhurst answered 12/2, 2012 at 20:32 Comment(1)
Don't give execute permission to files that don't need it.Unmarked
E
16

Execute the following code in terminal

sudo chown -R www-data /var/www

For further detail visit Wordpress on Ubuntu install plugins without FTP access

Enchanter answered 24/7, 2015 at 9:51 Comment(2)
It's not a good idea to give www-data access to everything in your webdirectoryAggarwal
variant that worked for me: sudo chown -R www-data /var/www/htmlFibrinous
G
15

Add the following code to wp-config

define('FS_METHOD', 'direct');

FS_METHOD forces the filesystem method. It should only be direct, ssh2, ftpext, or ftpsockets. Generally, you should only change this if you are experiencing update problems. If you change it and it doesn't help, change it back/remove it. Under most circumstances, setting it to 'ftpsockets' will work if the automatically chosen method does not.

(Primary Preference) "direct" forces it to use Direct File I/O requests from within PHP, this is fraught with opening up security issues on poorly configured hosts, This is chosen automatically when appropriate.

(Secondary Preference) "ssh2" is to force the usage of the SSH PHP Extension if installed

(3rd Preference) "ftpext" is to force the usage of the FTP PHP Extension for FTP Access, and finally

(4th Preference) "ftpsockets" utilises the PHP Sockets Class for FTP Access

For more information visit: http://codex.wordpress.org/Editing_wp-config.php#WordPress_Upgrade_Constants

Goldsmith answered 22/5, 2014 at 5:13 Comment(0)
K
12

WordPress 2.7 lets you upload a zip file directly (there's a link at the bottom of the plugins page) -- no FTP access needed. This is a new feature in 2.7, and it works for plugins only (not themes yet).

Kirsti answered 12/3, 2009 at 21:0 Comment(2)
BTW, upgrading is even easier -- you'll see an icon indicating that a new version is available, and you click "upgrade" and let it do its thing. Very nice. Even the WordPress core is upgraded this way - I went from 2.7 to 2.7.1 w/o uploading anything.Kirsti
This is only true if you have the file permissions set so the web server / PHP user can write to them. If not, it will prompt you for FTP/SFTP credentials. See stereointeractive.com's answer.Taliped
I
12

Please add define('FS_METHOD','direct'); in wp-config.php

Improvise answered 21/6, 2019 at 10:57 Comment(0)
W
9

Resurrecting an old thread, but there's a fantastic new plugin called SSH SFTP Updater Support that adds in SFTP capabilities without needing to edit your wp-config.php file. Also, Wordpress's SFTP implementation relies on some somewhat obscure PHP modules that are often not enabled on servers; this plugin packages a different PHP SFTP plugin so you don't have to configure anything on the Apache side.

I had run into tons of problems getting SFTP support to work - this plugin solved all of them and is just fantastic.

Wingate answered 8/2, 2012 at 16:47 Comment(0)
I
8

The answer from stereointeractive covers all the options. Just wanted to mention an alternate way of using FTP. I'm guessing that the reason you are not allowing FTP access is for security. One way to address those security concerns is to run your FTP server listening only on 127.0.0.1

This allows you to use FTP from inside WordPress and you will be able to install plugins while not exposing it to the rest of the world. This can also be applied to other popular web applications such as Joomla! and Drupal. This is what we do with our BitNami appliances and cloud servers and works quite well.

Immobility answered 27/7, 2011 at 14:43 Comment(0)
M
8

I also recommend the SSH SFTP Updater Support plugin. Just solved all my problems too...especially in regards to getting plugins to delete through the admin. Just install it in the usual way, and the next time you're prompted by WordPress for FTP details, there'll be extra fields for you to copy/paste your private SSH key or upload your PEM file.

Only problem I have is in getting it to remember the key (tried both methods). Don't like the idea of having to find and enter it every time I need to delete a plugin. But at least it's a solid fix for now.

Mcgean answered 27/2, 2012 at 19:34 Comment(1)
" there'll be extra fields for you to copy/paste your private SSH key" .... i am not a security genius but ... isnt the whole point of private ssh keys that you never have to send them across a network?Karlkarla
U
8

Yes, directly install the plugin in WordPress.

  1. Copy the plugin folder and paste it in the WordPress plugin folder.
  2. Go to the admin side (/test/wp-admin), then go to the plugin link and check the name of the plugin.
  3. Activate the plugin, so the plugin is installed easily.

Other option

  1. Create the zip file for the plugin code.
  2. Go to the admin side (/test/wp-admin), then go to the plugin link, click on Add New, browse to the plugin zip file and install the plugin; the option to activate the plugin then comes up, so activate the plugin.
Untinged answered 26/11, 2013 at 10:2 Comment(0)
Q
7

I saw a lot of people recommending to set permission to 777. I had same problem like 2 days ago and all I did was, add this to wp-content

define('FS_METHOD', 'direct');

and

set permission to 775 for plugin folder

This solved my problem of asking FTP access login/password.

Before that, I had to add plugin manually by adding .zip file to plugin folder and then go to wp-admin/plugins and had to installed it.

Qktp answered 23/7, 2017 at 2:19 Comment(0)
S
6

We use SFTP with SSH (on both our development and live servers), and I have tried (not too hard though) to use the WordPress upload feature. I agree with Toby, upload your plugin(s) to the wp-content/plugins directory and then activate them from there.

Sowell answered 14/3, 2009 at 18:42 Comment(0)
N
6

It is possible to use SFTP or SSH to auto update Plugins in WordPress, but you need to have ssh2 pecl extension. You can find out how to do it, using the following tutorial

Nubilous answered 14/9, 2009 at 11:3 Comment(0)
C
6

Try this

1) In the wp-config.php add define('FS_METHOD', 'direct');

2) Set the wp-content directory to 777 for writable.

3) Now install the plugin.

Copywriter answered 28/9, 2012 at 7:4 Comment(2)
Hi Mohan, thanks heaps for the FS_METHOD option. This is indeed what I was looking for. I do need to say the following: no directory should ever need 777 unless circumstances are exceptional. This makes a directory world readable, writeable and executable. This is a massive security risk. The proper solution is finding out who your apache user is (www-data, _www or similar). This user needs read and write access to wp-content or needs ownership over this dir ('sudo chown www-data wp-content'), no execution rights. I'm sorry to be a bit blunt but 777 is dangerous for web content.Promethean
Do not 777 your uploads directory, this is unsafe and should not be an answer!Wojak
R
5

Try this Check whether the correct permission is given to wp-content folder.

Edit the wp-config.php add the following line

define('FS_METHOD', 'direct');

chmod the "wp-content" directory to www-data for full access.

Now try installing the plugin.

Rhodie answered 18/12, 2017 at 7:49 Comment(0)
A
4

Yes you can do it.

You need to add

define('METHOD','direct');

in your wpconfig. But this method won't be preferable because it has security violations.

Thanks,

Analog answered 21/5, 2019 at 5:30 Comment(1)
shouldn't be FS_METHOD?Unbutton
E
3

Method 1: You can set this:

  1. In wp-config.php you need to write this line.

define('FS_METHOD', 'direct'); 

Note: put this after define( 'DB_CHARSET', 'utf8mb4' ).

  2. Set the wp-content permission, or the permission recursively, to 775 (full permission); you can give it via FileZilla: right click on the directory > permissions > check read, write and execute, and also check Recurse into subdirectories.

Method 2:

or You can also set this

define("FTP_HOST", "localhost");
define("FTP_USER", "yourftpusername");
define("FTP_PASS", "yourftppassword");
Edgy answered 12/3, 2009 at 20:46 Comment(1)
by Feb 2020, it's a clear instruction, Note: put this after define( 'DB_CHARSET', 'utf8mb4' ).Telencephalon
H
3

setting up a ftp or even an SFTP connection or chmod 777 are bad ways to go for anything other than a local environment. Opening even an SFTP method introduces more security risks that are not needed.

what is needed is a writeable permission to /wp-content/uploads & /wp-content/plugins/ by the owner of those directories. (linux ls -la will show you ownership).

Default apache user that runs is www-data.

chmod 777 allows any user on the machine to edit those file, not just the apache/php thread user.

SFTP if you are not already using it, will introduce another point of possible failure from an external source. Whereas you only need access by the local user running the apache/php process to complete the objective.

Didn't see anyone making these points, so I thought I would offer this info to help with our constant WP security issues online.

Heterothallic answered 12/8, 2018 at 21:7 Comment(0)
C
2

Here is a simple method.

Execute following commands.

This will enable your mod_rewrite module for Apache

$sudo a2enmod rewrite

This Command will change the owner of the folder to www-data

$sudo chown -R www-data [Wordpress Folder Location]

After You executing above commands you can install any themes without FTP.

Cardigan answered 1/4, 2019 at 19:54 Comment(1)
For Nginx just run the second command sudo chown -R www-data [Wordpress Folder Location]Mountie
H
1

The best way to install plugin using SSH is WPCLI.

Note that, SSH access is mandatory to use WP CLI commands. Before using it check whether the WP CLI is installed at your hosting server or machine.

How to check : wp --version [ It will show the wp cli version installed ]

If not installed, how to install it : Before installing WP-CLI, please make sure the environment meets the minimum requirements:

  1. UNIX-like environment (OS X, Linux, FreeBSD, Cygwin); limited support in Windows environment.
  2. PHP 5.4 or later.
  3. WordPress 3.7 or later. Versions older than the latest WordPress release may have degraded functionality.

If above points satisfied, please follow the steps : Reference URL : WPCLI

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
[ download the wpcli phar ]

php wp-cli.phar --info [ check whether the phar file is working ]

chmod +x wp-cli.phar [ change permission ]
sudo mv wp-cli.phar /usr/local/bin/wp [ move to global folder ]
wp --info [ to check the installation ]

Now WP CLI is ready to install.

Now you can install any plugin that is available in WordPress.org by using the following commands :

wp plugin install plugin-slug
wp plugin delete plugin-slug
wp plugin deactivate plugin-slug

NOTE : wp cli can install only those plugins which are available in wordpress.org

Helicoid answered 28/12, 2018 at 4:47 Comment(0)
L
1

The only reason WordPress won't allow you to upload a plugin via the WordPress admin dashboard is that you don't have permission to write to the /wp-content directory. Remember that your wordpress directory /wp-content requires 0755 permission level. There are various ways to change a folder's permission level.

Changing file permissions using cPanel:

Go to File Manager and open the public HTML folder where your wordpress website is supposed to be, or open the site root directory if your website is in some other folder. In your WordPress root directory navigate towards the wp-content folder; at the end of the wp-content folder row the very last box carries file permissions for this folder. Make sure to edit the folder permission level to 0755, and you are done.

Changing file permissions using SSH terminal:

In your terminal locate the root of WordPress site which in my case was /var/www/html so to move into WordPress root directory enter the following command:

cd /var/www/html 

Now you are in WordPress root directory where the required folder /wp-content is located. So to change the file permissions type the following command:

sudo chmod 755 wp-content

This will change your /wp-content directory file permission to 0755.

Now you won't get error message of uploading wordpress plugins via FTP.

Lawabiding answered 23/9, 2019 at 19:34 Comment(0)
T
1

Two steps

  1. Add below code in wp-config file

    define('FS_METHOD', 'direct');
    
  2. We need to give full permission to the folder like if server connected with SSH then paste below code in terminal and make sure you are inside on website folder and then run below code

    sudo chmod -R 775 wp-content/plugins 
    

    or give full permission to website folder

    sudo chown -R www-data:www-data website_folder
    
Thebaid answered 4/12, 2019 at 9:2 Comment(0)
H
0

In my case, I was running Apache on RHEL 8.6. Moving files (instead of copying them) resulted in the selinux context being wrong for my wordpress root folder. Disabling selinux allowed me to install plugins again. However, since this is a production server I wanted selinux in enforcing mode. I was able to fix the issue by running this command to restore the default selinux context for my wordpress root.

restorecon -vR /var/www/html/

You can refer to this link for other approaches to resolving any issues related to selinux.

Hylton answered 20/10, 2022 at 18:50 Comment(0)
S
-2

You can have fileZilla and use FTP Account to update plugins and themes. Or you can just login to Cpanel and access wordpress folder and then you can update theme by unzipping theme or plugin.

Salters answered 4/9, 2018 at 6:55 Comment(0)
