Google Sitemap Opens Door to Hackers

there are quite a few plugins that require either directories being chmod’d insecurely, or files being chmod’d insecurely.

This is an ages old topic, unfortunately and not just a WP issue.

In fact, editing themes in the admin area requires insecure permissions.

The results of which are scattered all over the forums, unfortunately.

It’s a shame more people dont realize this and take the necessary steps to avoid having so many ‘open doors’ on their sites. They dont.

Kudos to you for revisiting this topic though.

So what do you recommend? ??

who me? ?? or the OP?

Because it requires a folder with write access (666 or better)

No, it doesn’t. Give the *file* 666 permissions, but leave the folder secure. Then the worst they can do is overwrite the file.

who: half joke, half directed to anyone who wanted to answer. I know on the wp.com forums, we try to get folks not to direct their questions to anyone specifically as it has caused issues in the past.

Would assigning the files and directories to be owned by username:(the account the webserver runs under) and with permissions set to be 660 or 640 be better?

No, because if you’re not in the same group as the webserver, then you wouldn’t have access to them either. And if you are in the same group as the webserver, then likely so is everybody else on your shared server, meaning they still have access to your directories.

The short of it is that with a shared webserver and only basic unix type permissions handling, there’s absolutely no way to both allow uploads/modifications and still keep the system 100% secure. You need something more than the simple unix permissions system.

Some hosts allow the webserver instance to run the PHP programs as the user who owns them, thus getting the user’s own permissions. This is a reasonable compromise, as even if somebody gets hacked, only their site is compromised, not the whole shared server.

Regardless of all of the above, this is not a flaw in WordPress. It’s a standard webserver issue. Your host has to deal with it and tell you how they treat security in this sort of a case. Don’t mention WordPress, say that you want to allow the webserver to modify certain files, but without making all the other shared users able to modify those files as well, and without revoking your own access to those files. If they don’t have a solution for you, well, then you can either live with it or talk to another host instead.

Some hosts allow the webserver instance to run the PHP programs as the user who owns them, thus getting the user’s own permissions. This is a reasonable compromise, as even if somebody gets hacked, only their site is compromised, not the whole shared server.

So that would be on the webserver’s end and not with the file permissions, right?

Gotta admit that the company i contract out for support deals with this but I have to do it myself on mu and have been wondering about it.

Not really worried about those elsewhere on the box, just more concerned about worldwide.

So that would be on the webserver’s end and not with the file permissions, right?

Right. There’s a few downsides to this though. It doesn’t work with mod_php, generally speaking. They have to use PHP as a CGI program. This can be slightly slower, but it’s almost never noticable.

Google for phpSuExec. That’s one of the ways I’ve seen to do this sort of thing.

The php as a CGI ends it right there. Too many issues with that, especially with WPMu. (I don’t think anyone has gotten it running with that yet.)

Thnaks though for the reply.

Hmmm.. Honestly, there’s not all that much difference with CGI vs. a mod_php install. At least, none (or very little) from the php scripts point of view. I think that Apache still recommends using a PHP as CGI installation on production systems, as it’s more secure (in theory) and less vulnerable to breakdown.

Still, I do understand not wanting to use php as a cgi for speed purposes and such.

I think that Apache still recommends using a PHP as CGI installation on production systems,

Strange as I always thought it was the other way.

I’m going to bounce this off my personal webhost as I want to known her own opinion. I know we’re running mod_security both on my own sites and on the servers so I’m guessing we’re protected at least from teh causal hacker/ cracker/ exwife. Always can’t be too careful.

Thanks again,
-drmike