[wp-trac] [WordPress Trac] #64371: wp-admin pages constantly ping wp-config.php for write access
WordPress Trac
noreply at wordpress.org
Sat Dec 6 21:26:42 UTC 2025
#64371: wp-admin pages constantly ping wp-config.php for write access
--------------------------+-----------------------------
Reporter: bviktor | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.9
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Hi,
Now that I tried to debug something on my Fedora Server 43 VPS, I realized
my SELinux audit log is full of entries like this:
{{{
type=AVC msg=audit(1765054057.476:7731): avc: denied { write } for
pid=37938 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054065.332:7734): avc: denied { write } for
pid=37988 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054069.003:7735): avc: denied { write } for
pid=38003 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054753.316:8266): avc: denied { write } for
pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054785.233:8423): avc: denied { write } for
pid=41178 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054791.764:8456): avc: denied { write } for
pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054798.338:8487): avc: denied { write } for
pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054801.672:8488): avc: denied { write } for
pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=8075
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054824.267:8581): avc: denied { write } for
pid=40675 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054825.791:8582): avc: denied { write } for
pid=41178 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765054878.257:8685): avc: denied { write } for
pid=43568 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
}}}
In human language it means that PHP tries to write to wp-config.php, but
is (rightfully) denied from doing so, because normally that shouldn't
happen at all. The relevant SELinux defaults:
{{{
/var/www(/.*)? all files
system_u:object_r:httpd_sys_content_t:s0
/var/www/html(/.*)?/uploads(/.*)? all files
system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp-content(/.*)? all files
system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp_backups(/.*)? all files
system_u:object_r:httpd_sys_rw_content_t:s0
}}}
In English, SELinux by default assumes that everything under /var/www is
read-only, except for the files under "uploads", or "wp-content", or "wp-
backups". This, again, seems reasonable.
Then I realized this happens on the vast majority of admin pages, e.g.
Dashboard, Posts, Media, Pages, and so on. Every single time you open
them.
I couldn't for the life of me figure out what it is WP is trying to write
there, so I figured, I might as well let it:
{{{
cp wp-config.php wp-config.php.orig
chcon unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-config.php
}}}
Then indeed the denied messages are gone. The file timestamp isn't updated
though:
{{{
[root@noobient noobient.com]# date -r wp-config.php
Sat Mar 6 04:22:57 AM UTC 2021
}}}
Hm, that's weird, but let's see what the fuss is about:
{{{
[root@noobient noobient.com]# diff -u wp-config.php.orig wp-config.php
[root@noobient noobient.com]#
}}}
Yup. WP wants to constantly write NOTHING into wp-config.php, just for the
sake of it.
Alright, let's see if WP maybe settled down:
{{{
[root@noobient noobient.com]# restorecon -rv .
Relabeled /var/www/html/noobient.com/wp-config.php from
unconfined_u:object_r:httpd_sys_rw_content_t:s0 to
unconfined_u:object_r:httpd_sys_content_t:s0
}}}
Unfortunately the errors are back in full force:
{{{
[root@noobient noobient.com]# tail -f -n0 /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1765056003.108:8727): avc: denied { write } for
pid=43948 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765056005.196:8728): avc: denied { write } for
pid=43948 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
type=AVC msg=audit(1765056008.060:8729): avc: denied { write } for
pid=43948 comm="php-fpm" name="wp-config.php" dev="vda1" ino=2054159
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
}}}
**TLDR** WordPress
- constantly tries to write a file it shouldn't
- it doesn't even want to write anything, just checks if it's possible at
all, then silently continues regardless of it failing or not
Can you please stop doing that? I don't want to either allow WP to write
this file, or my log being constantly full of this useless error, if
possible.
Thanks a lot!
----
- WordPress 6.9
- Fedora Server 43
{{{
Server architecture Linux 6.17.9-300.fc43.x86_64 x86_64
Web server nginx/1.28.0
PHP version 8.4.15 (Supports 64bit values)
PHP SAPI fpm-fcgi
PHP max input variables 1000
PHP time limit 30
PHP memory limit 128M
PHP memory limit (only for admin screens) 256M
Max input time 60
Upload max filesize 32M
PHP post max size 32M
cURL version 8.15.0 OpenSSL/3.5.4
Is SUHOSIN installed? No
Is the Imagick library available? Yes
Are pretty permalinks supported? Yes
robots.txt Your site is using the dynamic robots.txt file which is
generated by WordPress.
Current time 2025-12-06T21:23:52+00:00
Current UTC time Saturday, 06-Dec-25 21:23:52 UTC
Current Server time 2025-12-06T23:23:50+02:00
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64371>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
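One way to triage denials like the ones in this report, as an added example that is not part of the original ticket or of WordPress: it re-joins the line-wrapped records, then groups AVC denials by process, target inode and permission. The sample input is constructed from values in the ticket's log, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: values follow the records quoted in the ticket, wrapped
# across lines the way the mail archive wrapped them.
_REC = ('type=AVC msg=audit({0}): avc: denied {{ write }} for\n'
        'pid={1} comm="php-fpm" name="wp-config.php" dev="vda1" ino={2}\n'
        'scontext=system_u:system_r:httpd_t:s0\n'
        'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file\n'
        'permissive=0\n')
SAMPLE = "".join(_REC.format(*r) for r in [
    ("1765054057.476:7731", 37938, 2054159),
    ("1765054065.332:7734", 37988, 2054159),
    ("1765054753.316:8266", 40675, 8075),
    ("1765054824.267:8581", 40675, 2054159),
])

AVC_RE = re.compile(r'^type=AVC msg=audit\((\d+\.\d+):\d+\): avc:\s+denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Re-join wrapped records; a line starting with 'type=' opens a new one."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Group denials by process, target inode and permission; count and time-span them."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for rec in unwrap(text):
        m = AVC_RE.match(rec)
        if not m:
            continue  # not an AVC denial record
        f = {k: v.strip('"') for k, v in KV_RE.findall(rec)}
        # name= is only the basename, so dev+ino is what tells two files apart.
        key = (f["comm"], f["name"], f["dev"], int(f["ino"]),
               tuple(m.group(2).split()), f["tcontext"].split(":")[2])
        g, t = groups[key], float(m.group(1))
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    return dict(groups)

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(g["count"], f'{g["last"] - g["first"]:.0f}s', *key)
```

Keying on `dev` and `ino` matters here because the log in the ticket shows two different inode numbers behind the same `name="wp-config.php"`.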