[wp-trac] [WordPress Trac] #26802: Wordpress FTP component fails to update core on IIS7+

Thu Jan 9 22:51:27 UTC 2014

#26802: Wordpress FTP component fails to update core on IIS7+
--------------------------+------------------------------
 Reporter:  WinWPAdmin    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  IIS           |     Version:  3.7.1
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+------------------------------

Comment (by WinWPAdmin):

 >> FTP Server (I'm assuming it's the built in Windows server?)

 Correct, using the built in IIS FTP server.  Tested on Windows 2008,
 2008R2, and 2012R2

 >> Is the PHP FTP Extension loaded? (Check phpinfo)
 Under the ftp heading in phpinfo it says : FTP support enabled

 >> Has it ever worked on this particular server? (ie. Have you performed
 an automatic update on this server in the past)
 Not on this particular server, but FTP updates used to work on some of our
 production servers.  I believe it stopped working sometime in the last 6
 months.

 >>Most windows configurations I've seen set the file permissions so that
 WordPress isn't forced to use FTP, AFAIK the Microsoft-suggested PHP
 installation methods also result in PHP being able to write to the
 filesystem

 We try to lock down permissions a bit more so that anonymous users don't
 have write access to the entire web root.

 I set each IIS site to run under its own application pool, and under
 authentication > anonymous authentication I set each site to authenticate
 as "application pool user" instead of as the generic IUSR account.  In
 terms of NTFS permissions, I grant Administrator:FULL , SYSTEM:FULL,  and
 "IIS AppPool\sitename" : READ read access to the web root and revoke all
 other permissions.  I also grant the application pool user write access to
 the wp-content/uploads folder.  Certain plugins require additional
 permissions to their own subdirectory so I either grant those as needed,
 or I grant write access to the entire wp-content folder if there are a lot
 of plugins needing write access.

 In terms of PHP, I follow the default MS setup instructions, but I grant
 IIS_IUSRS read access to C:\PHP folder, and write access to C:\PHP\LOGS
 and C:\PHP\TEMP\Session and C:\PHP\TEMP\upload.  This allows all
 application pool users to access the PHP executables, write php logs, and
 save session and uploads into a temp folder.

 In essence this permission structure allows each site to run under its own
 credentials, but no IIS site has read permissions to another sites web
 root.

 If I can be of any further assistance let me know.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/26802#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress blogging software