Daniele Brunengo
asked on
Wordpress permissions problem on IIS 7
Hello, I have a big problem on a WP site I've set up. I can't upload images or update plugins and so on.
Now I know this is quite a common issue, but I have 3 other WP sites on my IIS server and they work without problems. I have set the same permissions I always use for the wp content folder, but this time they don't work. Also, I have another version of this website in another domain hosted on the same server and it works without flaws.
So, keeping in mind that I have googled this all around, do you have any suggestions?
I have set permissions to Full Control on the folder for IUSR, IIS_IUSRS and NETWORK SERVICE as I usually do but it doesn't work. I've tried giving write permission to Everyone and it works (I took it down after 30 seconds) so there's some user who should have write permission and doesn't...
Now I know this is quite a common issue, but I have 3 other WP sites on my IIS server and they work without problems. I have set the same permissions I always use for the wp content folder, but this time they don't work. Also, I have another version of this website in another domain hosted on the same server and it works without flaws.
So, keeping in mind that I have googled this all around, do you have any suggestions?
I have set permissions to Full Control on the folder for IUSR, IIS_IUSRS and NETWORK SERVICE as I usually do but it doesn't work. I've tried giving write permission to Everyone and it works (I took it down after 30 seconds) so there's some user who should have write permission and doesn't...
When websites run in IIS, they execute as the user selected in the App Pool. What is the user identity for the app pool for this site vs the others?
ASKER
Where can I get this info?
In IIS Management Console, above Sites there is an "App Pool" option. Click it and it will list the app pools along with what sites use each:
http://3.bp.blogspot.com/-_GzlkJVjPWk/TwbE7xKnxcI/AAAAAAAAAIg/TRtMt7ReBdM/s1600/AdvSet.png
On the Advanced Settings of each site you can see which Identity it is set to: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
http://3.bp.blogspot.com/-_GzlkJVjPWk/TwbE7xKnxcI/AAAAAAAAAIg/TRtMt7ReBdM/s1600/AdvSet.png
On the Advanced Settings of each site you can see which Identity it is set to: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
ASKER
Found it. The app pool is called plesk(default)(2.0)(pool) with an identity of IWAM_plesk(default).
It's the same as the other, working sites though.
It's the same as the other, working sites though.
Ok, does IWAM_plesk have permission to the wp-content folder in question though? If it works when you add "Everyone" permission to the folder; it would have to work if IWAM_plesk has write permission to the folder as that is the user that the site executes as.
There are other possibilities (such as if you have Impersonation setup as the Authentication type for the site), but assuming those are unlikely.
There are other possibilities (such as if you have Impersonation setup as the Authentication type for the site), but assuming those are unlikely.
ASKER
I have tried giving IWAM_plesk write permission, but nothing changes. I still have to resort to the "everyone" write permission.
Ok is php running under fast cgi woth impersonation?
Check your php.ini file (likely c:\php\php.ini) and see if impersonate is set to 1.
Then find the user running php in iis in website properties, directory security, authenication and then click edit on the enabled option.
I tried googling how to get wordpress to show you the windows user its running under on the page, but no luck. Iis executes either as the app pool identity or impersonating identity, windows authentication, or anonymous.
Check what authentication options are enabled on this site vs the others.
Check your php.ini file (likely c:\php\php.ini) and see if impersonate is set to 1.
Then find the user running php in iis in website properties, directory security, authenication and then click edit on the enabled option.
I tried googling how to get wordpress to show you the windows user its running under on the page, but no luck. Iis executes either as the app pool identity or impersonating identity, windows authentication, or anonymous.
Check what authentication options are enabled on this site vs the others.
Authentication option iis screenshot http://windowsitpro.com/site-files/windowsitpro.com/files/archive/windowsitpro.com/content/content/99963/figure2.jpg
Sorry, at a loss. Anonymous Authentication should authenticate to the wp-content folder as the AppPool Identity user. Unless you are authenticating as your account (with Windows Authentication); I am out of ideas.
ASKER
It's strange stuff...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok, it was set differently from the other site! This was set to a particular user (IUSR_WebStoreLoaLoa) instead of the app pool.
After I set it to the app pool, it works without the "Everyone" write permission but I get tons of errors in WP.
Loading any page I get this:
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(C:\Inetpub\vhosts\web storeloano .net\httpd ocs/.maint enance) is not within the allowed path(s): (C:/Inetpub/vhosts/webstor eloano.net \;C:\Windo ws\Temp\) in C:\Inetpub\vhosts\webstore loano.net\ httpdocs\w p-includes \load.php on line 145
Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\webstore loano.net\ httpdocs\w p-includes \load.php: 145) in C:\Inetpub\vhosts\webstore loano.net\ httpdocs\w p-content\ plugins\wo ocommerce\ classes\cl ass-wc-ses sion-handl er.php on line 63
After I set it to the app pool, it works without the "Everyone" write permission but I get tons of errors in WP.
Loading any page I get this:
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(C:\Inetpub\vhosts\web
Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\webstore
ASKER
Moreover I can't seem to get back to the way things were because if I set the user for anon auth back to what it was I get asked for a password and nothing gets accepted.
So I'm stuck with these errors and my customer is not happy... Can you help me out?
So I'm stuck with these errors and my customer is not happy... Can you help me out?
ASKER
I've managed to get rid of the errors by setting open_basedir setting in Plesk Panel to "none".
Are you sure the other sites were using the AppPool for anonymous authentication though? What are they setup as? Is each site running with a different IUSR account when utilizing anonymous access? It may have been setup that way to segregate the sites so that they don't have access to each others files? If so, did "IUSR_WebStoreLoaLoa" have access to its wp-content folder?
The password prompt isn't for the IUSR account (since there isn't a password for built in accounts), it means it doesn't have permission to run the site (not sure why since you were using it before). The Windows Event Logs should have more information.
If each site is running under separate user accounts, the open_basedir was most likely enabled to enforce one site not being able to write content to another sites directory. It isn't required, is disabled by default, but is a security item when to keep any server compromise of the code scripts contained to that sites content/files.
The password prompt isn't for the IUSR account (since there isn't a password for built in accounts), it means it doesn't have permission to run the site (not sure why since you were using it before). The Windows Event Logs should have more information.
If each site is running under separate user accounts, the open_basedir was most likely enabled to enforce one site not being able to write content to another sites directory. It isn't required, is disabled by default, but is a security item when to keep any server compromise of the code scripts contained to that sites content/files.
ASKER
I've checked and all the other sites (the WP ones at least) are using AppPool for anon authentication.
Each site has a different IUSR account, that's automatically created by Plesk I think.
IUSR_WebStoreLoaLoa didn't have complete control over the folder, but giving it complete control didn't change anything.
Anyway, I'm quite content with the way it's working now.
Each site has a different IUSR account, that's automatically created by Plesk I think.
IUSR_WebStoreLoaLoa didn't have complete control over the folder, but giving it complete control didn't change anything.
Anyway, I'm quite content with the way it's working now.