• The rash of hacks on Network Solutions WordPress blogs was from harvested SQL accounts, by scanning for and reading the SQL account info from wp_config.php.

    Suggest two changes (gleaned from sucuri.net’s discovery)
    1) Make sure after an install or upgrade that wp_config.php is chmod 750. Maybe this is a Network Solutions install choice, I dunno, but to be safe I’m asking WordPress to change your install.
    2) Can the DB password somehow not be in the clear?

    Existing sites can protect themselves by doing the above (and changing your SQL DB password to be sure). It’s just a matter of time before folks start copying this technique and scan other hosting sites.

  • I’ve always been under the impression that files need to be at most, 644. Why would they need to be 750, and what were they when they were “scanned”?

    Existing sites can protect themselves by doing the above
    (Make sure after an install or upgrade that wp_config.php is chmod 750)

    I’m not certain that’s accurate advice. Could you elaborate as to why that will protect the wp-config.php file?

    I think this could be a more accurate representation of what was paraphrased in the first post.

    “Precautions you should take if you’re using WordPress:

    1. Change your WordPress administrative password immediately;
    2. Review the list of WordPress users who have access to your account and delete any users you do not recognize;
    3. Update your WordPress account to the most recent version that Network Solutions offers;
    4. Run your security and malware system scans on all computers that are used to access your WordPress account;
    5. Please ensure all sites public_html (or your www) directory have 750 permissions, not the less secure 755;
    6. Change the password for your mySql user and update wp-config. You can recreate the same user with an updated password; and
    7. Double check in settings writing that XML-RPC is turned off and maybe as an extra precaution disable/move/delete xmlrpc.php.”

    Source: //www.blog.networksolutions.com

    Article: Alert: WordPress Blog & Network Solutions

    Thread Starter dugbug

    (@dugbug)

    Ok folks, correct me if I’m wrong, because this is a killer hole (imho)

    If the wp install folder is 750, folks can’t access your site, so it has to stay 755. If wp-config.php is **4 then anyone can read your wp-config.php file. I made my wp-config.php 640 and then modded it with a new db account.

    Do you folks understand the ramifications? The guy read our SQL user and database passwords and server information, then just went to the database.

    He could even install a local wordpress somewhere at home mod his config file to point to our database, create and delete users and edit posts (presumably with malware) as he wished… and your web site logs would show NOTHING because he never accessed our site.

    -d

    If the wp install folder is 750, folks can’t access your site,

    Why not?

    I can only speak from my own experience when I say that all of my web accessible directories currently have permissions of 750, all of the WordPress installations inside of those directories have files that are 644 and all the directories are 755 (and again, occasionally a variation temporarily or otherwise in the uploads location ) but I don’t seem to have any problems with site access from LAN or WAN.

    Thread Starter dugbug

    (@dugbug)

    If I do 750 on the wp install folder I get this:

    Forbidden
    You don’t have permission to access / on this server.

    This is how they access index.php, from the .htaccess file. Perhaps there are some subtle install differences between us.

    I would have to question the directory ownership and group settings on your public_html folder then.

    Thread Starter dugbug

    (@dugbug)

    Why? I’m changing the “other” setting. How would the owner of the folders matter (which is the same “owner” as the rest of the files… this is a Network Solutions hosted site, user is always the same as far as I have seen it). Group is always the same as well.

    Is your WordPress installed in a sub-directory in your html folder?

    I suggest you contact network solutions support for the following reasons:

    You state: “If I do 750 on the wp install folder I get this: Forbidden You don’t have permission to access / on this server….
    ….this is a network solutions hosted site

    This is the statement issued by Network Solutions on their blog I linked to above: “5. Please ensure all sites public_html (or your www) directory have 750 permissions, not the less secure 755;”

    Seems like they wouldn’t make that bold of a statement if 750 permission on their accounts were going to throw 403’s. They should have your answer.

    Good luck to you!

    Thread Starter dugbug

    (@dugbug)

    755 on folder and 640 on config

    per latest ns blog
    https://blog.networksolutions.com/2010/alert-wordpress-blog-network-solutions/

    so again, WordPress during install should make the config file 640

    FYI, assuming WordPress is not installed in a folder you can just move your wp-config file out of the web root.

    From the Hardening WordPress article in the Codex:

    You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 750 permission).
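As an added example (not from the thread or the Codex), the following shell functions audit the two points argued over above: whether wp-config.php, in the install directory or one level up, is readable by "other", and whether the install directory itself still has the o+x bit that 755-style hosts need to serve it. It assumes GNU coreutils `stat -c` and takes the install directory as its argument.

```shell
#!/bin/sh
# Added example: audit WordPress file permissions for the exposure discussed above.
# Assumes GNU stat (stat -c '%a' prints the octal mode, e.g. 644 or 640).

other_bits() {                      # print the "other" octal digit (0-7) of a path's mode
  mode=$(stat -c '%a' "$1") || return 2
  prefix=${mode%?}                  # strip last char to isolate it
  echo "${mode#"$prefix"}"
}

wp_config_world_readable() {        # 0 if wp-config.php grants read (bit 4) to "other"
  o=$(other_bits "$1") || return 2
  [ $(( o & 4 )) -ne 0 ]
}

dir_traversable_by_other() {        # 0 if the directory grants execute (bit 1) to "other"
  o=$(other_bits "$1") || return 2
  [ $(( o & 1 )) -ne 0 ]
}

find_wp_config() {                  # wp-config.php may live in the install dir or one level up
  if [ -f "$1/wp-config.php" ]; then echo "$1/wp-config.php"
  elif [ -f "$1/../wp-config.php" ]; then echo "$1/../wp-config.php"
  else return 1
  fi
}

wp_perm_audit() {                   # returns 1 when wp-config.php is exposed to other users
  dir=$1
  cfg=$(find_wp_config "$dir") || { echo "no wp-config.php found for $dir"; return 1; }
  if wp_config_world_readable "$cfg"; then
    echo "WARN: $cfg (mode $(stat -c '%a' "$cfg")) is readable by any local user"
    rc=1
  else
    echo "OK: $cfg (mode $(stat -c '%a' "$cfg")) is not readable by other"
    rc=0
  fi
  if dir_traversable_by_other "$dir"; then
    echo "OK: $dir keeps o+x, so a web server running as 'other' can still serve it"
  else
    echo "NOTE: $dir lacks o+x; hosts whose web server is 'other' will return 403"
  fi
  return $rc
}
```

Note that on hosts where PHP itself runs as "other" (Binoy's case further down), removing the read bit from wp-config.php breaks the site as well, so the audit only reports and does not chmod anything.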

    Hi, my blog got hacked a couple of times. I have the latest WordPress 3.0.1 installed; however, changing the wp-config.php permissions to “750” gives this warning/error in wp-load.php:

    Warning: require_once(/###/###/public_html/wp-config.php) [function.require-once]: failed to open stream: Permission denied in /###/###/public_html/wp-load.php on line 30

    Even moving the wp-config.php one level above gives same error on line 35 then.

    Can someone please help me or suggest any solution on this issue?

    Thanks
    Binoy D.

    Unfortunately one set of permissions does not fit every hosting platform. Some platforms require the other flag to be more than 0, because of how their web services run. Of course, that doesn’t always prevent you from achieving a secure platform. Sometimes you can set the permissions at a different level.

    I’m closing this thread now, as it’s not timely. If you wish to discuss permissions please start a new thread in how-to or the misc forum.

  • The topic ‘security vulnerability in 2.9.2’ is closed to new replies.