WordPress Permissions on IIS

A lot has been written about this, but I have yet to find the Holy Grail of IIS/WordPress permissions. The tricky part seems to be the permissions for the root folder – allowing WP to update, while being secure. I have had a bad experience where a plugin – WP Super Cache – has a recursive delete function when removing itself and it ended up walking all folders on the server that IUSR had access to, deleting as it went. This killed dozens of sites and made a huge nightmare for me. Backups were in place, but still – it sucked!

Slightly better is:

CREATOR OWNER – special permissions
IUSR – Read & Execute, List Folder contents, Read
SYSTEM – Full Control
Administrators – Full Control
Users – Full Control
IIS APPPOOL\ – full control
*Note: you have to type in the full apppool identity as it is not selectable from the GUI

From this thread: , however WordPress update failed (plugin installs worked). The same thread suggests adding the apppools to the IIS_Users group and giving it full control, but that would seem to give other apppools access to all sites.

Updated with new solution April 30, 2022 From

Use Recommended IIS Permissions

Historically IIS sites used the IUSR account for anonymous authentication, so permissions were granted to it. Best practice now, however, is to run each site under its Application Pool Identity.

  1. Ensure your site has its own Application Pool
  2. Right Click the Application Pool and go to Advanced Settings > Processing Model > Application Pool Identity
  3. On your site, double click > Authentication > Anonymous Authentication > Application Pool Identity (not IUSR)
  4. Next, in Explorer, browse to the site's folders and grant read/write/modify permissions using IIS AppPool\MyAppPoolName

WordPress Temporary Folder

In wp-config.php, after the lines that define ABSPATH (define('ABSPATH', dirname(__FILE__) . '/');) and then pull in the settings (require_once(ABSPATH . 'wp-settings.php');), paste the following if you want to specify your own temporary folder. For example, the following line tells WordPress to use a folder within wp-content:

define('WP_TEMP_DIR', dirname(__FILE__) . '/wp-content/temp/');

Next, in Explorer, browse to the temporary folder and ensure you have granted read/write/modify permissions using IIS AppPool\MyAppPoolName

Windows Temporary Folder

Now you may still receive an error when uploading even after the above has been done.  This can be because PHP uses its own temporary folder while the file is being streamed to the server before moving it to the WordPress temporary folder to work on it.

Whatever the folder is (see below), you need to ensure that the same Application Pool identity has read/write/modify access to it, for example: IIS AppPool\MyAppPoolName

If you want to specify the folder PHP uses, you need to update this line in the php.ini file (typically found in C:\Windows\Program Files\PHP or C:\Windows\Program Files (x86)\PHP):

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
upload_tmp_dir = C:\Windows\Temp
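
The four steps above and the two temporary-folder grants, scripted as an added example (not part of the original post), followed by an audit that lists any shared principal (IUSR, Users, IIS_IUSRS, Everyone) that can still write or delete in those folders. The site name, site path and folder list are assumed values, and the script expects the site to already have its own application pool.

```powershell
# Added example. Run in an elevated PowerShell session on the IIS server.
# Assumed (hypothetical) values: change them to match your site.
Import-Module WebAdministration

$SiteName = 'MySite'                          # assumed IIS site name
$AppPool  = 'MyAppPoolName'                   # the site's own application pool
$SitePath = 'C:\inetpub\wwwroot\MySite'       # assumed site root
$Writable = @(
    $SitePath,
    (Join-Path $SitePath 'wp-content\temp'),  # WP_TEMP_DIR from wp-config.php
    'C:\Windows\Temp'                         # upload_tmp_dir from php.ini
)

# Steps 2 and 3: the pool runs as ApplicationPoolIdentity, and anonymous
# requests use that identity (an empty userName) instead of IUSR.
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# Step 4 and the temp folders: grant Modify, inherited by subfolders (CI) and files (OI).
# ${AppPool} is braced so PowerShell does not read "$AppPool:" as a drive-qualified variable.
foreach ($p in $Writable) {
    if (-not (Test-Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    icacls $p /grant "IIS AppPool\${AppPool}:(OI)(CI)M" | Out-Null
}

# Audit: shared principals that can still write or delete in these folders.
# Any row returned means another site's worker process may be able to modify this one.
$Shared    = 'NT AUTHORITY\IUSR', 'BUILTIN\Users', 'BUILTIN\IIS_IUSRS', 'Everyone'
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

foreach ($p in $Writable) {
    (Get-Acl $p).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Shared -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteBits) -ne 0
    } | Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights, IsInherited
}
```

An ACL like the earlier "Users – Full Control" entry shows up in the audit output as a BUILTIN\Users row; rows with IsInherited set to True have to be fixed on the parent folder.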