Solved

Wordpress permissions problem on IIS 7

Posted on 2014-02-06
Last Modified: 2014-02-15
Hello, I have a big problem on a WP site I've set up. I can't upload images or update plugins and so on.

Now I know this is quite a common issue, but I have 3 other WP sites on my IIS server and they work without problems. I have set the same permissions I always use for the wp content folder, but this time they don't work. Also, I have another version of this website in another domain hosted on the same server and it works without flaws.

So, keeping in mind that I have googled this all around, do you have any suggestions?

I have set permissions to Full Control on the folder for IUSR, IIS_IUSRS and NETWORK SERVICE as I usually do but it doesn't work. I've tried giving write permission to Everyone and it works (I took it down after 30 seconds) so there's some user who should have write permission and doesn't...
Question by:Daniele Brunengo
17 Comments
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39840730
When websites run in IIS, they execute as the user selected in the App Pool. What is the user identity for the app pool for this site vs the others?
0
 

Author Comment

by:Daniele Brunengo
ID: 39840746
Where can I get this info?
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39840778
In IIS Management Console, above Sites there is an "App Pool" option. Click it and it will list the app pools along with what sites use each:
http://3.bp.blogspot.com/-_GzlkJVjPWk/TwbE7xKnxcI/AAAAAAAAAIg/TRtMt7ReBdM/s1600/AdvSet.png

On the Advanced Settings of each site you can see which Identity it is set to: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
0
 

Author Comment

by:Daniele Brunengo
ID: 39841266
Found it. The app pool is called plesk(default)(2.0)(pool) with an identity of IWAM_plesk(default).

It's the same as the other, working sites though.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39843455
Ok, does IWAM_plesk have permission to the wp-content folder in question though? If it works when you add "Everyone" permission to the folder, it would have to work if IWAM_plesk has write permission to the folder, as that is the user that the site executes as.

There are other possibilities (such as if you have Impersonation set up as the Authentication type for the site), but assuming those are unlikely.
0
 

Author Comment

by:Daniele Brunengo
ID: 39844516
I have tried giving IWAM_plesk write permission, but nothing changes. I still have to resort to the "everyone" write permission.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39844582
Ok, is PHP running under FastCGI with impersonation?
Check your php.ini file (likely c:\php\php.ini) and see if impersonate is set to 1.

Then find the user running PHP in IIS in website properties, directory security, authentication and then click edit on the enabled option.

I tried googling how to get WordPress to show you the Windows user it's running under on the page, but no luck. IIS executes either as the app pool identity or impersonating identity, Windows authentication, or anonymous.

Check what authentication options are enabled on this site vs the others.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39844586
0
 

Author Comment

by:Daniele Brunengo
ID: 39845064
The options are exactly the same throughout the sites. Here's a screenshot:

Authentication options
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39849083
Sorry, at a loss. Anonymous Authentication should authenticate to the wp-content folder as the AppPool Identity user. Unless you are authenticating as your account (with Windows Authentication), I am out of ideas.
0
 

Author Comment

by:Daniele Brunengo
ID: 39849420
It's strange stuff...
0
 
LVL 18

Accepted Solution

by:
Matthew Kelly earned 500 total points
ID: 39856792
Yeah, again, if you highlight anonymous authentication in IIS (on the screenshot you posted here) and click edit it will show you what user runs the process. Maybe it isn't set correctly?
0
 

Author Comment

by:Daniele Brunengo
ID: 39856937
Ok, it was set differently from the other site! This was set to a particular user (IUSR_WebStoreLoaLoa) instead of the app pool.

After I set it to the app pool, it works without the "Everyone" write permission but I get tons of errors in WP.

Loading any page I get this:


Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(C:\Inetpub\vhosts\webstoreloano.net\httpdocs/.maintenance) is not within the allowed path(s): (C:/Inetpub/vhosts/webstoreloano.net\;C:\Windows\Temp\) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php on line 145

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php:145) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-content\plugins\woocommerce\classes\class-wc-session-handler.php on line 63
0
 

Author Comment

by:Daniele Brunengo
ID: 39856955
Moreover I can't seem to get back to the way things were because if I set the user for anon auth back to what it was I get asked for a password and nothing gets accepted.

So I'm stuck with these errors and my customer is not happy... Can you help me out?
0
 

Author Comment

by:Daniele Brunengo
ID: 39857024
I've managed to get rid of the errors by setting the open_basedir setting in Plesk Panel to "none".
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39858027
Are you sure the other sites were using the AppPool for anonymous authentication though? What are they set up as? Is each site running with a different IUSR account when utilizing anonymous access? It may have been set up that way to segregate the sites so that they don't have access to each other's files? If so, did "IUSR_WebStoreLoaLoa" have access to its wp-content folder?

The password prompt isn't for the IUSR account (since there isn't a password for built-in accounts), it means it doesn't have permission to run the site (not sure why since you were using it before). The Windows Event Logs should have more information.

If each site is running under separate user accounts, the open_basedir was most likely enabled to enforce one site not being able to write content to another site's directory. It isn't required, is disabled by default, but is a security item to keep any server compromise of the code scripts contained to that site's content/files.
0
 

Author Comment

by:Daniele Brunengo
ID: 39861727
I've checked and all the other sites (the WP ones at least) are using AppPool for anon authentication.

Each site has a different IUSR account, that's automatically created by Plesk I think.

IUSR_WebStoreLoaLoa didn't have complete control over the folder, but giving it complete control didn't change anything.

Anyway, I'm quite content with the way it's working now.
0
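
The comparison that resolved this thread, as an added example that is not part of any poster's reply: for each IIS site it lists the app pool identity, the account anonymous requests run as, and that account's direct rights on wp-content, so a site that differs from its working neighbours stands out. It assumes the WebAdministration PowerShell module is available and that wp-content sits in each site root; the report column names are made up for this example.

```powershell
# Added example (not from the thread). Assumes the WebAdministration module is
# available and that each WordPress site keeps wp-content in its site root.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/anonymousAuthentication'

$report = foreach ($site in Get-Website) {
    # Identity the worker process runs as (the app pool identity).
    $pm = (Get-Item "IIS:\AppPools\$($site.applicationPool)").processModel
    $poolUser = switch ("$($pm.identityType)") {
        'SpecificUser'            { $pm.userName }
        'ApplicationPoolIdentity' { "IIS AppPool\$($site.applicationPool)" }
        default                   { "$($pm.identityType)" }   # NetworkService, LocalSystem, ...
    }

    # Account configured for anonymous requests; an empty userName means
    # "use the application pool identity".
    $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" -Filter $filter -Name userName
    $anonUser = if ($attr -is [string]) { $attr } else { $attr.Value }
    # This is the account PHP touches files as when FastCGI impersonation is on.
    $runsAs = if ([string]::IsNullOrEmpty($anonUser)) { $poolUser } else { $anonUser }

    # Direct ACEs for that account on wp-content (rights granted via groups are not resolved).
    $wp = Join-Path ([Environment]::ExpandEnvironmentVariables($site.physicalPath)) 'wp-content'
    $rights = '(no wp-content folder)'
    if (Test-Path $wp) {
        $leaf = ($runsAs -split '\\')[-1]
        $aces = (Get-Acl $wp).Access |
            Where-Object { ($_.IdentityReference.Value -split '\\')[-1] -eq $leaf }
        $rights = if ($aces) {
            ($aces | ForEach-Object { "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
        } else { '(no direct ACE)' }
    }

    New-Object PSObject -Property @{
        Site = $site.Name; AppPool = $site.applicationPool; PoolIdentity = $poolUser
        AnonymousUser = $(if ($anonUser) { $anonUser } else { '(app pool identity)' })
        AnonymousRunsAs = $runsAs; WpContentRights = $rights
    }
}

$report | Select-Object Site, AppPool, PoolIdentity, AnonymousUser, AnonymousRunsAs, WpContentRights |
    Format-List
```

A site whose AnonymousUser differs from the others, or whose AnonymousRunsAs account shows no write ACE on wp-content, is the one to fix, instead of granting write to Everyone.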
