Solved

Wordpress permissions problem on IIS 7

Posted on 2014-02-06
17
715 Views
Last Modified: 2014-02-15
Hello, I have a big problem on a WP site I've set up. I can't upload images or update plugins and so on.

Now I know this is quite a common issue, but I have 3 other WP sites on my IIS server and they work without problems. I have set the same permissions I always use for the wp content folder, but this time they don't work. Also, I have another version of this website in another domain hosted on the same server and it works without flaws.

So, keeping in mind that I have googled this all around, do you have any suggestions?

I have set permissions to Full Control on the folder for IUSR, IIS_IUSRS and NETWORK SERVICE as I usually do but it doesn't work. I've tried giving write permission to Everyone and it works (I took it down after 30 seconds) so there's some user who should have write permission and doesn't...
0
Comment
Question by:Daniele Brunengo
  • 9
  • 8
17 Comments
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39840730
When websites run in IIS, they execute as the user selected in the App Pool. What is the user identity for the app pool for this site vs the others?
0
 

Author Comment

by:Daniele Brunengo
ID: 39840746
Where can I get this info?
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39840778
In IIS Management Console, above Sites there is an "App Pool" option. Click it and it will list the app pools along with what sites use each:
http://3.bp.blogspot.com/-_GzlkJVjPWk/TwbE7xKnxcI/AAAAAAAAAIg/TRtMt7ReBdM/s1600/AdvSet.png

On the Advanced Settings of each site you can see which Identity it is set to: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:Daniele Brunengo
ID: 39841266
Found it. The app pool is called plesk(default)(2.0)(pool) with an identity of IWAM_plesk(default).

It's the same as the other, working sites though.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39843455
Ok, does IWAM_plesk have permission to the wp-content folder in question though? If it works when you add "Everyone" permission to the folder; it would have to work if IWAM_plesk has write permission to the folder as that is the user that the site executes as.

There are other possibilities (such as if you have Impersonation setup as the Authentication type for the site), but assuming those are unlikely.
0
 

Author Comment

by:Daniele Brunengo
ID: 39844516
I have tried giving IWAM_plesk write permission, but nothing changes. I still have to resort to the "everyone" write permission.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39844582
Ok is php running under fast cgi woth impersonation?
Check your php.ini file (likely c:\php\php.ini) and see if impersonate is set to 1.

Then find the user running php in iis in website properties, directory security, authenication and then click edit on the enabled option.

I tried googling how to get wordpress to show you the windows user its running under on the page, but no luck. Iis executes either as the app pool identity or impersonating identity, windows authentication, or anonymous.

Check what authentication options are enabled on this site vs the others.
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39844586
0
 

Author Comment

by:Daniele Brunengo
ID: 39845064
The options are exactly the same throughout the sites. Here's a screenshot:

Authentication options
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39849083
Sorry, at a loss. Anonymous Authentication should authenticate to the wp-content folder as the AppPool Identity user. Unless you are authenticating as your account (with Windows Authentication); I am out of ideas.
0
 

Author Comment

by:Daniele Brunengo
ID: 39849420
It's strange stuff...
0
 
LVL 18

Accepted Solution

by:
Matthew Kelly earned 500 total points
ID: 39856792
Yeah, again, if you highlight anonymous auethentication in iis (on the screenshot you posted herr) and click edit it will show you what user runs the process. Maybe it isnt set correctly?
0
 

Author Comment

by:Daniele Brunengo
ID: 39856937
Ok, it was set differently from the other site! This was set to a particular user (IUSR_WebStoreLoaLoa) instead of the app pool.

After I set it to the app pool, it works without the "Everyone" write permission but I get tons of errors in WP.

Loading any page I get this:


Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(C:\Inetpub\vhosts\webstoreloano.net\httpdocs/.maintenance) is not within the allowed path(s): (C:/Inetpub/vhosts/webstoreloano.net\;C:\Windows\Temp\) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php on line 145

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-includes\load.php:145) in C:\Inetpub\vhosts\webstoreloano.net\httpdocs\wp-content\plugins\woocommerce\classes\class-wc-session-handler.php on line 63
0
 

Author Comment

by:Daniele Brunengo
ID: 39856955
Moreover I can't seem to get back to the way things were because if I set the user for anon auth back to what it was I get asked for a password and nothing gets accepted.

So I'm stuck with these errors and my customer is not happy... Can you help me out?
0
 

Author Comment

by:Daniele Brunengo
ID: 39857024
I've managed to get rid of the errors by setting open_basedir setting in Plesk Panel to "none".
0
 
LVL 18

Expert Comment

by:Matthew Kelly
ID: 39858027
Are you sure the other sites were using the AppPool for anonymous authentication though? What are they setup as? Is each site running with a different IUSR account when utilizing anonymous access? It may have been setup that way to segregate the sites so that they don't have access to each others files? If so, did "IUSR_WebStoreLoaLoa" have access to its wp-content folder?

The password prompt isn't for the IUSR account (since there isn't a password for built in accounts), it means it doesn't have permission to run the site (not sure why since you were using it before). The Windows Event Logs should have more information.

If each site is running under separate user accounts, the open_basedir was most likely enabled to enforce one site not being able to write content to another sites directory. It isn't required, is disabled by default, but is a security item when to keep any server compromise of the code scripts contained to that sites content/files.
0
 

Author Comment

by:Daniele Brunengo
ID: 39861727
I've checked and all the other sites (the WP ones at least) are using AppPool for anon authentication.

Each site has a different IUSR account, that's automatically created by Plesk I think.

IUSR_WebStoreLoaLoa didn't have complete control over the folder, but giving it complete control didn't change anything.

Anyway, I'm quite content with the way it's working now.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn by example how to specify CSS selectors for Selenium WebDriver test automation software.
FAQ pages provide a simple way for you to supply and for customers to find answers to the most common questions about your company. Here are six reasons why your company website should have a FAQ page
The viewer will learn how to dynamically set the form action using jQuery.
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question