WordPress asking for FTP credentials to install or delete plugins


Here I have a solution for “WordPress asking for FTP credentials to install a plugin or delete a plugin”. It’s a very common issue in WordPress, and you can solve it by following the few steps given below. Before solving this issue, though, you need to know about the WordPress FS_METHOD setting. Read more about FS_METHOD in the WordPress docs.

The solution for “WordPress asking for FTP credentials to install a plugin or delete a plugin” is:

Step 1: Go to the WordPress home directory and find the wp-config.php file.


Step 2: Open the wp-config.php file and add the line define('FS_METHOD', 'direct' ); to it. Save the file, then check again by installing a plugin.


Why use FS_METHOD = 'direct'?

Unfortunately, WordPress’s logic for detecting an at-risk environment is flawed and produces both false positives and false negatives. Whoops. The test involves creating a file and making sure it belongs to the same owner as the directory it lives in. The assumption is that if the users are the same, PHP is running as your own account and it’s safe to install plugins as that account. If they’re different, WordPress assumes that PHP is running as a shared account and it’s not safe to install plugins as that account. Unfortunately, both of these assumptions are educated guesses that will frequently be wrong.

You would use define('FS_METHOD', 'direct' ); in a false-positive scenario such as this one: you are part of a trusted team whose members all upload files through their own accounts, and PHP runs as its own separate user. WordPress will assume that this is an at-risk environment and will not default to 'direct' mode. In reality, the server is only shared with users you trust, and as such 'direct' mode is safe. In this case, you should use define('FS_METHOD', 'direct'); to force WordPress to write files directly.

 

What’s the risk?

On a poorly configured shared host, every customer’s PHP will execute as the same user (let’s say apache for discussion). This setup is surprisingly common.

If you’re on such a host and use WordPress to install plugins using direct file access, all of your plugin files will belong to apache. A legitimate user on the same server would be able to attack you by writing a PHP script that injects evil code into your plugin files. They upload their script to their own website and request its URL. Your code is successfully compromised because their script runs as apache, the same user that owns your plugin files.
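A host-side check for the two sections above, as an added example that is not from the original post or from WordPress: it repeats the ownership test as described here and lists the files a shared PHP account could rewrite. The script name, the `www-data` account and the path in the comment are assumptions.

```bash
#!/bin/sh
# Added example, not WordPress code. Run it as the account PHP executes as, e.g.
#   sudo -u www-data sh fs_check.sh /var/www/html/wp-content/plugins
# (the script name, account name and path above are assumptions for illustration).

# Numeric owner of a path, read from `ls -dn` so it works on GNU and BSD.
uid_of() { ls -dn -- "$1" | awk '{print $3}'; }

# The ownership test as the article describes it: create a file in DIR and
# compare its owner with DIR's owner. Prints direct, ftp or unwritable.
owner_test() (
    tmp=$(mktemp "$1/fs-check.XXXXXX" 2>/dev/null) || { echo unwritable; exit 0; }
    if [ "$(uid_of "$tmp")" = "$(uid_of "$1")" ]; then echo direct; else echo ftp; fi
    rm -f -- "$tmp"
)

# Files under DIR owned by the account running this script. On a host where
# every customer's PHP shares that account, each of these can be rewritten by
# a neighbouring site's PHP.
owned_by_me() ( find "$1" -type f -user "$(id -u)" -print )

# Files and directories any local account can modify, whoever owns them.
world_writable() ( find "$1" \( -type f -o -type d \) -perm -0002 -print )

# Report for the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    echo "running as uid $(id -u), $1 is owned by uid $(uid_of "$1")"
    echo "ownership test would pick: $(owner_test "$1")"
    echo "files owned by this account: $(owned_by_me "$1" | wc -l)"
    echo "world-writable entries:"
    world_writable "$1"
fi
```

A result of `direct` together with a large "files owned by this account" count is only safe when no other customer's PHP runs as that same account; the script cannot tell that from inside one site, so confirm it with the host.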
