Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 774
  • Last Modified:

Wordpress permissions problem on IIS 7

Hello, I have a big problem on a WP site I've set up. I can't upload images or update plugins and so on.

Now I know this is quite a common issue, but I have 3 other WP sites on my IIS server and they work without problems. I have set the same permissions I always use for the wp content folder, but this time they don't work. Also, I have another version of this website in another domain hosted on the same server and it works without flaws.

So, keeping in mind that I have googled this all around, do you have any suggestions?

I have set permissions to Full Control on the folder for IUSR, IIS_IUSRS and NETWORK SERVICE as I usually do but it doesn't work. I've tried giving write permission to Everyone and it works (I took it down after 30 seconds) so there's some user who should have write permission and doesn't...
0
Daniele Brunengo
Asked:
Daniele Brunengo
  • 9
  • 8
1 Solution
 
Matthew KellyCommented:
When websites run in IIS, they execute as the user selected in the App Pool. What is the user identity for the app pool for this site vs the others?
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
Where can I get this info?
0
 
Matthew KellyCommented:
In IIS Management Console, above Sites there is an "App Pool" option. Click it and it will list the app pools along with what sites use each:
http://3.bp.blogspot.com/-_GzlkJVjPWk/TwbE7xKnxcI/AAAAAAAAAIg/TRtMt7ReBdM/s1600/AdvSet.png

On the Advanced Settings of each site you can see which Identity it is set to: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
Found it. The app pool is called plesk(default)(2.0)(pool) with an identity of IWAM_plesk(default).

It's the same as the other, working sites though.
0
 
Matthew KellyCommented:
Ok, does IWAM_plesk have permission to the wp-content folder in question though? If it works when you add "Everyone" permission to the folder; it would have to work if IWAM_plesk has write permission to the folder as that is the user that the site executes as.

There are other possibilities (such as if you have Impersonation setup as the Authentication type for the site), but assuming those are unlikely.
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
I have tried giving IWAM_plesk write permission, but nothing changes. I still have to resort to the "everyone" write permission.
0
 
Matthew KellyCommented:
Ok is php running under fast cgi woth impersonation?
Check your php.ini file (likely c:\php\php.ini) and see if impersonate is set to 1.

Then find the user running php in iis in website properties, directory security, authenication and then click edit on the enabled option.

I tried googling how to get wordpress to show you the windows user its running under on the page, but no luck. Iis executes either as the app pool identity or impersonating identity, windows authentication, or anonymous.

Check what authentication options are enabled on this site vs the others.
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
The options are exactly the same throughout the sites. Here's a screenshot:

Authentication options
0
 
Matthew KellyCommented:
Sorry, at a loss. Anonymous Authentication should authenticate to the wp-content folder as the AppPool Identity user. Unless you are authenticating as your account (with Windows Authentication); I am out of ideas.
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
It's strange stuff...
0
 
Matthew KellyCommented:
Yeah, again, if you highlight anonymous auethentication in iis (on the screenshot you posted herr) and click edit it will show you what user runs the process. Maybe it isnt set correctly?
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
Ok, it was set differently from the other site! This was set to a particular user (IUSR_WebStoreLoaLoa) instead of the app pool.

After I set it to the app pool, it works without the "Everyone" write permission but I get tons of errors in WP.

Loading any page I get this:


Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(C:\Inetpub\vhosts\webstoreloano.net\httpdocs/.maintenance) is not within the allowed path(s): (C:/Inetpub/vhosts/webstoreloano.net\;C:\Windows\Temp\) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php on line 145

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php:145) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-content\plugins\woocommerce\classes\class-wc-session-handler.php on line 63
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
Moreover I can't seem to get back to the way things were because if I set the user for anon auth back to what it was I get asked for a password and nothing gets accepted.

So I'm stuck with these errors and my customer is not happy... Can you help me out?
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
I've managed to get rid of the errors by setting open_basedir setting in Plesk Panel to "none".
0
 
Matthew KellyCommented:
Are you sure the other sites were using the AppPool for anonymous authentication though? What are they setup as? Is each site running with a different IUSR account when utilizing anonymous access? It may have been setup that way to segregate the sites so that they don't have access to each others files? If so, did "IUSR_WebStoreLoaLoa" have access to its wp-content folder?

The password prompt isn't for the IUSR account (since there isn't a password for built in accounts), it means it doesn't have permission to run the site (not sure why since you were using it before). The Windows Event Logs should have more information.

If each site is running under separate user accounts, the open_basedir was most likely enabled to enforce one site not being able to write content to another sites directory. It isn't required, is disabled by default, but is a security item when to keep any server compromise of the code scripts contained to that sites content/files.
0
 
Daniele BrunengoIT Consultant, Web DesignerAuthor Commented:
I've checked and all the other sites (the WP ones at least) are using AppPool for anon authentication.

Each site has a different IUSR account, that's automatically created by Plesk I think.

IUSR_WebStoreLoaLoa didn't have complete control over the folder, but giving it complete control didn't change anything.

Anyway, I'm quite content with the way it's working now.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 9
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now