• Having had trouble with the flash image uploader and with various plugins (Automatic-Upgrader, WP Super Cache, XML Sitemap Generator), I’ve been in dialogue with the people who run my (Apache) servers and they seem convinced that 777 permissions – with all the security issues – are necessary to run things smoothly.

    As a control test I set a site up on GoDaddy and experienced none of these problems. My server people responded:

    So as for your GoDaddy site, if the web server can update the site files without you changing the ownership or making them 777 then that suggests the web server can change all of the site files. So what's stopping someone taking, say, a gallery upload PHP file, uploading it as their avatar on your site forum/user admin etc. and then executing that file?

    If the software you install supports any sort of file upload, e.g. an image, then a hacker can just as easily upload Perl or PHP. If there are 777 directories in there then they can upload a whole rootkit to the site and be launching attacks or defacing every site on the server before you can blink.

    I’m out of my depth here and would greatly appreciate any help!

    Many thanks

    Gerard

Viewing 3 replies - 1 through 3 (of 3 total)
  • Assuming your uploads and themes and plugins are in wp-content, some hosting situations might require wp-content and its sub-folder to be 777. WordPress developers intended for wp-content to be 777 (of course that will always start an argument!).

    Resources:
    Hardening WordPress
    Changing File Permissions

    meh.

    Here is how it works:

    Some hosts set things up so that the files and directories are writable by the web server. Some don't. In cases where the web server can write to the files, changing the permissions from the default isn't necessary.

    In cases where the web server cannot write to the dirs or files, it is necessary to change permissions, keeping in mind that a good deal of hosts don't allow directories or files to be chmod 777 or 666, respectively, and that attempting to do so will result in 500 errors.

    WordPress developers intended for wp-content to be 777

    Yes, and I can guaran-farking-tee you that Matt doesn't have his filespace set up as such. It would take a screenshot, in my email, signed and delivered by him, for me to believe he actually uses that on his site.
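
The distinction drawn in the replies above (hosts where the web server account can already write to the files versus hosts where it cannot) can be checked directly. The script below is an added example, not code from any participant in this thread or from WordPress: it lists world-writable paths under a directory and reports which permission class (owner, group or other) gives a given account write access. It assumes GNU `find` and `stat`; the function names are hypothetical, the uid and gid are supplied by the caller, and supplementary groups, ACLs and root are ignored.

```shell
#!/bin/sh
# Added example: audit a WordPress directory for world-writable paths and
# show where an account's write access actually comes from.
# Assumes GNU find and GNU stat (stat -c).

# Print every file and directory under $1 whose "other" write bit is set,
# which is the bit that 777 and 666 turn on. Symlinks are skipped.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print which permission class lets uid $2 (primary gid $3) write to $1:
# owner, group, other, or none. POSIX picks exactly one class per access
# check, so an account that owns the path never needs the "other" bit.
write_class() {
    target=$1
    owner=$(stat -c %u "$target") || return 2
    group=$(stat -c %g "$target")
    mode=$(stat -c %a "$target")      # octal digits, e.g. 755 or 2775
    m=$((0$mode))                     # leading 0 makes the shell read it as octal
    if [ "$2" -eq "$owner" ]; then
        class=owner; bit=128          # 0200: owner write
    elif [ "$3" -eq "$group" ]; then
        class=group; bit=16           # 0020: group write
    else
        class=other; bit=2            # 0002: world write
    fi
    if [ $(( m & bit )) -ne 0 ]; then
        echo "$class"
    else
        echo none
    fi
}

# Usage: sh audit.sh /path/to/wp-content WEB_UID WEB_GID
if [ "$#" -eq 3 ]; then
    list_world_writable "$1"
    echo "uid $2 write access to $1 comes from: $(write_class "$1" "$2" "$3")"
fi
```

A result of `owner` or `group` for the web server account means uploads and plugin updates work at 755 or 775; `other` means the path is writable by every account on the server.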

  • The topic ‘Does WordPress sometimes rely on 777 permissions?’ is closed to new replies.