My ISP changed the hosting for my WordPress blog and everything stopped working. There was a DNS issue but they resolved that, but then every page apart from the home page returned a 404 error.
When I checked the permalinks page (/wp-admin/options-permalinks.php
) in wp-admin I saw the following:
If your .htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.
Adding what it listed (via my ISP’s file manager) fixed the problem but got me wondering.
What I’d like is for the .htaccess
file be writeable for wp-admin.
I know that the file should not be writable for everyone and I would keep the permissions as restrictive as possible to keep things secure, I’m just interested in making my life easier.
However, I note the that the permissions on the file are:
rw-r--r--
So what permissions do I need to set to make the file writeable by wp-admin, but not by anyone and everyone? Or is it some other permissions on the server that need to be set?
I can manually make edits through the ISP’s file manager interface so it’s not as if I can’t update the file at all. It’s just that it could get to be a pain if I have to keep doing this.
2 Answers
Short version: You can’t.
Long version: Technically there are ways this can be achieved but they are ① likely not available to you as a user on a shared server where you do not have root permissions and ② even if they were, they come with ‘gotchas’ that you really don’t want to deal with.
First of all, if you are not the sys-admin with root permissions it is doubtful that you have any hope of setting the necessary permissions.
-
The UNIX permission bits control whether each of you, people in your group and anybody can read, write and execute files. Given that set of options and the fact that you and the web server are likely not in the same group, there is no way for you no use those permissions to set a value whereby you and the web server user can write the file but other people cannot. By definition you would have to change the “world” permissions and … you can do the math.
On the off chance that your user account and the web server in fact run in the same user group, you should seriously begin to doubt the security of your web service provider.
A slightly less insane technique that some hosts employ is giving you a special interface to convert specific files and folders to be owned by the web server. This is a convenience-over-security choice they make that makes like easy for folks, but it comes with strings attached. In any event you would not be able to manually edit the file without changing the ownership back to yourself.
-
Even if one or more way is afforded you to let the webserver software edit the .htaccess file, you are much better off not taking them up on it. In a shared hosting environment you have to realize that other people besides you are ALSO executing code as the web server user. If your WordPress installation is able to change your .htaccess file, what is to stop the next guys’s wordpress from maliciously changing yours? Well theoretically PHP’s open_base_dir sittings will jail it to reading and writing things inside of your DOCUMENT_ROOT, but while the PHP module is reasonably good about enforcing this it is quite common for ISP’s and small time hosts to have other CGI systems that are not properly jailed or straight up miss-configured server settings that allow other users on the same server to mess with anything any other users have converted to be owned by the webserver.
The only technical way to really make this possible is with a virtual host setup that actually runs as you when serving your site (which actually introduces other risks) or with file system ACL’s — and while possible it is unlikely that your ISP is equipped to configure those correctly.
In summary, you are actually better off security-wise with wp-admin not being able to write to .htaccess. This should be an infrequent issue anyway, usually on version changes of either WordPress or the server software (e.g. the switch from Apache 2.2 to 2.4 meant a lot of .htaccess files across the net had to be updated, but that was years in the making). This is not something that should be changing every time you update your site, only if you made an architectural change and needed to facilitate the migration of old URL’s to new ones, etc.