Solved

Wordpress permissions problem on IIS 7

Posted on 2014-02-06
17
703 Views
Last Modified: 2014-02-15
Hello, I have a big problem on a WP site I've set up. I can't upload images or update plugins and so on.

Now I know this is quite a common issue, but I have 3 other WP sites on my IIS server and they work without problems. I have set the same permissions I always use for the wp content folder, but this time they don't work. Also, I have another version of this website in another domain hosted on the same server and it works without flaws.

So, keeping in mind that I have googled this all around, do you have any suggestions?

I have set permissions to Full Control on the folder for IUSR, IIS_IUSRS and NETWORK SERVICE as I usually do but it doesn't work. I've tried giving write permission to Everyone and it works (I took it down after 30 seconds) so there's some user who should have write permission and doesn't...
0
Comment
Question by:Daniele Brunengo
  • 9
  • 8
17 Comments
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
When websites run in IIS, they execute as the user selected in the App Pool. What is the user identity for the app pool for this site vs the others?
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
Where can I get this info?
0
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
In IIS Management Console, above Sites there is an "App Pool" option. Click it and it will list the app pools along with what sites use each:
http://3.bp.blogspot.com/-_GzlkJVjPWk/TwbE7xKnxcI/AAAAAAAAAIg/TRtMt7ReBdM/s1600/AdvSet.png

On the Advanced Settings of each site you can see which Identity it is set to: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
Found it. The app pool is called plesk(default)(2.0)(pool) with an identity of IWAM_plesk(default).

It's the same as the other, working sites though.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
Ok, does IWAM_plesk have permission to the wp-content folder in question though? If it works when you add "Everyone" permission to the folder; it would have to work if IWAM_plesk has write permission to the folder as that is the user that the site executes as.

There are other possibilities (such as if you have Impersonation setup as the Authentication type for the site), but assuming those are unlikely.
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
I have tried giving IWAM_plesk write permission, but nothing changes. I still have to resort to the "everyone" write permission.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
Ok is php running under fast cgi woth impersonation?
Check your php.ini file (likely c:\php\php.ini) and see if impersonate is set to 1.

Then find the user running php in iis in website properties, directory security, authenication and then click edit on the enabled option.

I tried googling how to get wordpress to show you the windows user its running under on the page, but no luck. Iis executes either as the app pool identity or impersonating identity, windows authentication, or anonymous.

Check what authentication options are enabled on this site vs the others.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:Daniele Brunengo
Comment Utility
The options are exactly the same throughout the sites. Here's a screenshot:

Authentication options
0
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
Sorry, at a loss. Anonymous Authentication should authenticate to the wp-content folder as the AppPool Identity user. Unless you are authenticating as your account (with Windows Authentication); I am out of ideas.
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
It's strange stuff...
0
 
LVL 18

Accepted Solution

by:
Matthew Kelly earned 500 total points
Comment Utility
Yeah, again, if you highlight anonymous auethentication in iis (on the screenshot you posted herr) and click edit it will show you what user runs the process. Maybe it isnt set correctly?
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
Ok, it was set differently from the other site! This was set to a particular user (IUSR_WebStoreLoaLoa) instead of the app pool.

After I set it to the app pool, it works without the "Everyone" write permission but I get tons of errors in WP.

Loading any page I get this:


Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(C:\Inetpub\vhosts\webstoreloano.net\httpdocs/.maintenance) is not within the allowed path(s): (C:/Inetpub/vhosts/webstoreloano.net\;C:\Windows\Temp\) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php on line 145

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php:145) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-content\plugins\woocommerce\classes\class-wc-session-handler.php on line 63
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
Moreover I can't seem to get back to the way things were because if I set the user for anon auth back to what it was I get asked for a password and nothing gets accepted.

So I'm stuck with these errors and my customer is not happy... Can you help me out?
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
I've managed to get rid of the errors by setting open_basedir setting in Plesk Panel to "none".
0
 
LVL 18

Expert Comment

by:Matthew Kelly
Comment Utility
Are you sure the other sites were using the AppPool for anonymous authentication though? What are they setup as? Is each site running with a different IUSR account when utilizing anonymous access? It may have been setup that way to segregate the sites so that they don't have access to each others files? If so, did "IUSR_WebStoreLoaLoa" have access to its wp-content folder?

The password prompt isn't for the IUSR account (since there isn't a password for built in accounts), it means it doesn't have permission to run the site (not sure why since you were using it before). The Windows Event Logs should have more information.

If each site is running under separate user accounts, the open_basedir was most likely enabled to enforce one site not being able to write content to another sites directory. It isn't required, is disabled by default, but is a security item when to keep any server compromise of the code scripts contained to that sites content/files.
0
 

Author Comment

by:Daniele Brunengo
Comment Utility
I've checked and all the other sites (the WP ones at least) are using AppPool for anon authentication.

Each site has a different IUSR account, that's automatically created by Plesk I think.

IUSR_WebStoreLoaLoa didn't have complete control over the folder, but giving it complete control didn't change anything.

Anyway, I'm quite content with the way it's working now.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
Lync server 2013 Backup Service Error ID 4049 – After File Share Migration
The purpose of this video is to demonstrate how to set up basic WordPress SEO. This will be demonstrated using a Windows 8 PC. The plugin used will be WordPress SEO by Yoast. Go to your WordPress login page. This will look like the following: myw…
The viewer will learn how to dynamically set the form action using jQuery.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now