Plugin install isn't working--WPMU dashboard

I'm attempting to install Marketpress from the WPMU DEV Dashboard. I have not set up one click installation (and I don't want to do that at this time), but when I click on "Manual Install" nothing happens. What am I doing wrong?

On another note, is it really safe to set up one-click installation by adding the ftp creds into the wp-config file? Is it even safe to enter the ftp creds into the wp dashboard at all? I've always wondered about that--isn't that just a major security risk? If not, why not?

  • Raevenne

    When I click on "Add new" under Plugins in the main WP dashboard and select the file from my downloads folder on my hard drive, WP then asks for my ftp information there. Isn't that what should happen if I try to install it from the WPMU DEV dashboard?

    When I click Install under the plugin name on the WPMU DEV screen, I get a popover box that says:

    Hang on a minute... It looks like your WordPress site isn't configured to allow one-click installations of plugins and themes.

    You may still install this plugin using the manual process (by you entering your FTP credentials in the next step), or you can easily set up your site to do it automatically from now on.

    and has two choices: Manual Install or Set up one click installation. If I click Manual Install, nothing happens, and the box just stays there.

    And the properties on the wp-content folder are 755 if that helps.

  • Raevenne

    Yes, the uploads folder exists. This is a well established site that's been running WP for many years, and of course, uploading photos.

    I'm not going to worry about this functionality anyway. I find it odd that it doesn't work at all--it doesn't even take me to a screen where I could enter my ftp details if I wanted to--but I've decided that I'm really not comfortable installing plugins from inside WP anyway. I think it's safer to use an ftp program and upload directly to the server rather than giving WP my fpt credentials.

    Therefore, I'll mark this as resolved and move on. Thanks for trying to help. :slight_smile:

  • Shawn

    It is *much* safer to use an FTP program (as long as you're using SSL) to upload your plugins and other such content. I'm actually more concerned about the user-rights issue though.

    While your web user may have rights to execute content, if your uploads directory is writable by a global user (like apache) then it may be possible for other sites on the same server to write to the uploads folder and execute code in the context of your site - such as gaining access to your wp_users table or adding code to wp-config or anything else that PHP could do on your site. Even if you're not concerned about the dashboard installer working anymore - please look into the permissions and ownership of your uploads directory.

  • Shawn

    It all *really* depends on the server configuration. Some have funky setups that require things to be different and since there are so many different ways to run PHP there are equally as many configuration guides. If you can see the username in your FTP client for who owns the 'uploads' folder - just make sure it's the same as who owns the 'plugins' folder. Likewise, check a few child folders or files in both of those to ensure they have the same ownership. If there's a difference in ownership THAT is where your situation is coming from. At that point I would talk to the host to determine if those ownership options are the only way to make it work in your hosting environment.

    If you can see the owner name (often you can only see the owner id number) then I'd be concerned if the owner is 'apache' or 'www' or 'psacln' or any of the other generic usernames, as this means that ownership is through a shared account on the server. This is the best way to set up some servers, especially if they have low RAM, but it opens up issues to potential exploitation from other domains on the same host (GoDaddy, for example, has been exploited in this way a couple times).

  • Raevenne

    Well, there really is no problem with uploads at all. I can upload just fine, and I can manually install a plugin or update WP from within WP just fine by entering my ftp creds if I really want to do that (which I probably don't now that I've thought about that). The problem was with the WPMU DEV Dashboard addon, like I said above:

    "When I click Install under the plugin name on the WPMU DEV screen, I get a popover box that says:

    Hang on a minute... It looks like your WordPress site isn't configured to allow one-click installations of plugins and themes.

    You may still install this plugin using the manual process (by you entering your FTP credentials in the next step), or you can easily set up your site to do it automatically from now on.

    and has two choices: Manual Install or Set up one click installation. If I click Manual Install, nothing happens, and the box just stays there. "

    What should have happened was that it should go to the manual install screen where it asks for the ftp credentials, but it wasn't doing that. Now, on another site where I've installed WPMU DEV Dashboard, I clicked the box that said "hide this message in future" when the popover box showed up, and then closed the box; after doing that, when I clicked "Install" under a plugin, the page did redirect and send me to the page to enter the ftp creds for the site. So, there is something odd going on with the plugin that really has nothing to do with my permissions or the uploads folder or whatever. The WPMU DEV plugin is failing before it ever gets to the point of uploading anything.

    All that aside, all of my sites are on my own VPS, and there was a point at which I couldn't upload media without the permissions being 775 on the uploads folder, though I can't remember why it was necessary to have it that way, or if my host ever really explained it at all. I don't have a clue whether those permissions are risky or not, though it seems like the host wouldn't have told me to set it that way if it was. I also don't know how to see who is the owner of a folder in my ftp program--I'm using WS_FTP Pro.

  • Shawn

    775 is dangerous, but in your own VPS it's not nearly as bad as it could be. 775 means that anyone in the same 'group' as the group that owns the content (usually a shared value between every site on the server) can access files, including reading and writing and executing them in that folder. In your situation, this really means that if any site on your server is compromised, it's very likely that all of them will be compromised through that second 7.

    I haven't used WS_FTP Pro in over a decade, so this is mostly guesswork. Right-click over the column headers in the remote view (right side) and see if it offers additional columns to view. You're specifically after 'owner' and 'group'. It'll probably display a number (referencing an ID of the user & group on the system directory - NOT within wordpress). The user should be unique to each site. And 755 is really the highest you should go unless your group is unique as well.

  • Raevenne

    Shawn, I appreciate all of your help and advice on this! I did take a look at the column headers and there are no options to see owner or group. However, I did just put a support ticket in with my host, just to see what they're saying about this now. It's been a few years since we went over all of this together, so perhaps things have changed somehow since then and they'll want to revisit this.

    Again, thanks for your help. I appreciate the time you took to answer my questions. :slight_smile:

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.