WordPress on Amazon EC2: Permission Denied Error Message

This is part of my Introduction to Hosting WordPress on Amazon Web Services (AWS) tutorial.

  • Are you new to hosting WordPress on Amazon Web Services (AWS) EC2 instances?
  • Are you having problems accessing the files in your WordPress installation via FTP?
  • Do you see a Permission denied error message when you try to upload, edit, or delete a file from your WordPress Installation using FTP?

Read these instructions for a quick (and dirty) fix to this problem. After that, if you want, you can read on for an explanation.

These troubleshooting steps assume that you have already familiarized yourself with the steps in Use SSH to Connect with an Amazon Web Services (AWS) EC2 WordPress Instance and Connect to an Amazon Web Services (AWS) EC2 Instance for WordPress Using FTP. I am using Terminal and Cyberduck on a Mac, but the commands I use in Terminal and the steps I take in Cyberduck are very basic.

Symptom: Permission Denied error messages

I have established an SFTP connection to my WordPress installation, which is a WordPress Certified by Bitnami Amazon Machine Image (AMI) from Amazon Web Services (AWS). When I try to use the Cyberduck client to upload, edit, or delete files on my WordPress installation, I see the following error message:
Permission denied. Please contact your web hosting service provider for assistance.

  • Upload failed/Permission denied error message when trying to upload a file from the WordPress installation via SFTP:
  • Download failed/Permission denied error message when trying to edit or download a file from the WordPress installation via SFTP:
  • Cannot delete/Permission denied error message when trying to delete a file from the WordPress installation via SFTP:

Without an ability to create, update, or delete the files in my WordPress installation, I will be very limited in my abilities to customize my WordPress site. To remedy this, I need to use the chown command to change the ownership of the entire WordPress installation.

Solution: chown Your WordPress Installation

  1. Connect to your EC2 instance by following the steps in Use SSH to Connect with an Amazon Web Services (AWS) EC2 WordPress Instance.
  2. Type cd /opt/bitnami/apps/wordpress/htdocs/ and press Enter. This will change the directory to the WordPress installation.
  3. First, let’s use the stat command to see the user and group that own this directory. Type stat -c %U /opt/bitnami/apps/wordpress/htdocs/ and press Enter.
  4. The command line responded that the owner of the directory is daemon, which basically means you do not control it. For our purposes, we need to change the owner to bitnami, which is the name of the user we are using to connect to the EC2 instance, both via SSH and via SFTP. We will do this by typing sudo chown -R bitnami:bitnami /opt/bitnami/apps/wordpress/htdocs/ and pressing Enter.
  5. Now that we have changed the ownership, use Cyberduck to connect to your instance and navigate to the WordPress installation by following the steps in Connect to an Amazon Web Services (AWS) EC2 Instance for WordPress Using FTP. When you get there, find wp-config.php, click on it once, and then click the pencil icon for Edit at the top of the Cyberduck browser window.
  6. If you changed the ownership to bitnami correctly, the file will open in your code editor. Just opening the file is something you can’t do if bitnami does not have ownership, so now we know that you can edit files in the WordPress instance. Close wp-config.php without editing it.
  7. Next we are going to make sure we can upload files to the WordPress installation. Let’s navigate to the current month in the uploads folder. Twirl the arrows down so that you navigate to htdocs/wp-content/uploads/2018/06.
  8. Drag and drop a file from your computer into the 2018/06 directory. Cyberduck’s Transfers window should show you the progress of the upload and display Upload complete when it’s done.
  9. OK, so now we’ve uploaded a file. Let’s delete the file we just uploaded to test if we can also delete files. Click on the file to select it.
  10. Right-click or control-click on the file and select Delete from the menu.
  11. A pop-up will ask you to confirm that you want to delete the file. Click Delete.
  12. The file is gone. We now know that we can create, update, and delete files in the WordPress installation using our FTP client.
  13. It is very important that when you are done updating the files in your WordPress installation that you change the ownership back to daemon. Go back to Terminal, type sudo chown -R daemon:daemon /opt/bitnami/apps/wordpress/htdocs/, and press Enter.
  14. Let’s use the stat command to confirm that we chown’d the directory back to daemon. Type stat -c %U /opt/bitnami/apps/wordpress/htdocs/ and press Enter.
  15. OK, the owner is daemon. We’re done here. Type exit and press Enter.

For People Who Care: What Just Happened Here?

Before trying to host WordPress on Amazon Web Services (AWS) EC2 instances, I had used HostGator, StableHost, and GoDaddy. With each of these hosting services, you can use cPanel to easily create FTP accounts, and then use an FTP client to connect to your hosting provider and, more specifically, your WordPress installation.

Having FTP access to your WordPress installation is critical for many WordPress functions, including customizing your own themes and child themes, or even just updating the wp-config file, perhaps the most important single file in your entire WordPress installation.

But as soon as I started using AWS, everything changed. The SFTP connection protocol was new for me, and I didn’t really know what the private keys and PEM files were. Once I actually succeeded in connecting to the EC2 instance with Cyberduck I had to poke around and find where the WordPress Certified by Bitnami AMI places the WordPress location. I found it, navigated into wp-content, tried to upload something, and got Permission denied.

I played around some more and found that I could download files, and if it was something like a JPEG, I could open it, but essentially I was stuck with read-only privileges: no way to create, update or delete anything in my WordPress installation.

I kept poking around, going back up the way I came to see if I could figure it out. With WordPress Certified by Bitnami, the file path is opt/bitnami/apps/wordpress/htdocsbitnami is the home directory when you connect via SSH or SFTP, while htdocs is the WordPress installation.

  1. I was read-only in htdocs, where WordPress is.
  2. I went up a level and found I also could not upload to or delete files from wordpress.
  3. Same with apps.
  4. Once I got to bitnami, I could upload an image and then delete it.

I was seriously stuck. I asked the guy who had introduced me to AWS and, when he tried to replicate the problem, he did. I did a lot of Googling and did not find an answer right away. I started to wonder if AWS was going to work out for me. Eventually I found posts on the Bitnami Community and learned that what I need to learn was the chown command.

chown is a command used on Unix-based systems. It stands for change ownership. I’m only here to talk about a very specific use of this command, so I am only going to talk about this:

sudo chown -R daemon:daemon /opt/bitnami/apps/wordpress/htdocs/

  • sudo: super-user do
  • chown: change ownership
  • -R: recursively applies this chown command to the specified directory and all of the other files and directories contained within it
  • daemon:daemon: the user and group (user:group) that have ownership permissions; in this case both the user and the group are daemon, which is kind of like the system acting for itself, as opposed to being controlled by you
  • /opt/bitnami/apps/wordpress/htdocs/: again, this is the location of the WordPress installation

To be a little more thorough, I want to check who own the thing before I change anything, so I use this command:
stat -c %U /opt/bitnami/apps/wordpress/htdocs/

The response is daemon. So daemon owns the file, and it is daemon who is stopping me from changing or deleting files in the WordPress installation. I’ve been researching AWS enough to know that my username is bitnami: it’s the username for my FTP connection and it appears on the command line when I connect to the instance:
sudo chown -R bitnami:bitnami /opt/bitnami/apps/wordpress/htdocs/

After this you will find that you can put files in the WordPress installation, delete them, or update your PHP, CSS, and other types of files using a code editor.

Listen: This is the most important part of what we are doing here today. You need to change the ownership back to daemon. Not only would not doing so immediately leave your site vulnerable, it will also leave WordPress unable to perform its most basic functions that make the whole thing work. If you don’t believe me, try updating your wp-config file with the ownership set to bitnami and see what happens. (I’ve also noticed that I can’t run my favorite backup plugin, BackWPUp, when the ownership is not set to daemon.)

It’s the same command, but with daemon:daemon as the user and group:
sudo chown -R daemon:daemon /opt/bitnami/apps/wordpress/htdocs/

Type exit to disconnect on Terminal. You can also disconnect on Cyberduck.

You’re done. I’m not a prolific Terminal user, so I have snippets of the commands used in this process (specific to my own EC2 instance) in a text file so that I can do all of this a lot quicker.

Again, do not forget: when you are finished, chown it back to daemon:daemon.