• Today my blog was hacked by some (rather primitive) Turkish guerrillas. I don’t know what they did or how the hell they squeezed in, but the domain name was redirected to their site.

    The server support team responded and restored the backup.
    What’s bad is that I lost my last post. Of course, Murphy didn’t sleep – it was the longest text I had written.

Viewing 15 replies - 1 through 15 (of 17 total)
  • Michael Torbert

    (@hallsofmontezuma)

    WordPress Virtuoso

    If WordPress itself was hacked, the only thing they could have done to redirect would be to have gone to Options -> Permalinks and edited your .htaccess file, if it’s writable by Apache (which it should not be).
    Alternatively, they hacked the server, in which case change your passwords.

    Thread Starter suncokret

    (@suncokret)

    Thanks for clearing this a bit, but if I set my .htaccess to 644, what about WP updating the permalinks when I save a new post?

    The online WP manual says that it needs a 666 access in order to use permalinks. I assume this is not safe?!

    I think it should be your theme and other additional scripts you added to your blog. I heard that it will auto-generate and change your index.html… Changing to a new theme or deleting the scripts you added should be fine.

    This happened to me once…

    Michael Torbert

    (@hallsofmontezuma)

    WordPress Virtuoso

    Suncokret:

    You read it wrong. If you change the permalinks structure from the admin interface in WordPress, and want WordPress to automatically change the .htaccess for you, Apache needs write permissions on the file (which needs the 3rd digit to be a 6, so really 646 is fine for that). However, that’s only for changing the permalinks structure. Once it is the way you want it, 644 is fine for .htaccess, which means that only you can change .htaccess.

    lol. This is a great thread.

    646 is no more secure than 666 —

    Michael Torbert

    (@hallsofmontezuma)

    WordPress Virtuoso

    Whooami:

    Read my post. I said to only CHMOD it to 646 for the purpose of changing it through wordpress. Then change it to 644, which is plenty secure unless someone hacks your server account.

    Thread Starter suncokret

    (@suncokret)

    OK, I understood. .htaccess is now 644 and everything is working great.

    +++ Whooami, he thought that 646 is fine for Apache to write the new permalinks structure, not to leave it afterwards.

    I also changed permissions for wp-content dir. Now it’s 755.

    I don’t need to re-read your post.

    I said nothing about 644. I said this:

    646 is no more secure than 666

    Your post implies that 646 is more secure than 666 – it isn’t. Not for one minute, not for one hour, not for one day. (Not when talking about files that are web accessible.)

    Now, unless you want to go back and forth with me, let it go.

    suncokret, I knew exactly what he was saying. That’s NOT what I was responding to.

    Michael Torbert

    (@hallsofmontezuma)

    WordPress Virtuoso

    If you change the permalinks structure from the admin interface in WordPress, and want WordPress to automatically change the .htaccess for you, Apache needs write permissions on the file (which needs the 3rd digit to be a 6, so really 646 is fine for that).

    You were neither addressing his issue, nor correctly inferring from my message. I didn’t compare 646 to 666, as you suggest, rather I stated that 646 is fine temporarily for allowing WordPress access for writing to the file.

    To suggest that I would say that 646 is more secure than 666 as it relates to web access is just silly.

    You could have left this alone…

    You responded to this, did you not?

    Thanks for clearing this a bit, but if I set my .htaccess to 644, what about WP updating the permalinks when I save a new post?

    The online WP manual says that it needs a 666 access in order to use permalinks. I assume this is not safe?!

    You offered no yes or no answer. Instead you proffered a solution, without much explanation as to why 646 is better or not.

    Do tell, why use 646 over 666? If in fact, you were not suggesting exactly what I read into your reply.

    After all, you could have just said, 666 is fine, since it’s only a temporary thing anyway.

    ----

    Why is this an issue?

    Because this thread will be read by countless others – and the vast majority of new WordPress users do not read the context of advice. They just read “646” and “.htaccess” in the same sentence and go off thinking that it’s a safe chmod setting.

    Michael Torbert

    (@hallsofmontezuma)

    WordPress Virtuoso

    (which needs the 3rd digit to be a 6, so really 646 is fine for that). However, that’s only for changing the permalinks structure. Once it is the way you want it, 644 is fine for .htaccess, which means that only you can change .htaccess.

    I explicitly state that for WordPress to change .htaccess, 646 is fine. I never compare/contrast the security of 646 versus 666. I also explicitly state that after making the modifications to the permalinks structure through the WordPress interface, 644 is fine for .htaccess.

    How come you cannot answer my questions?

    Why offer up 646 in the context of what was asked? Why not say 666 is fine?

    I assume this is not safe?!

    You can’t, regardless of what you explicitly say.

    Please keep in mind that the vast majority of people here need more than just an alternative answer. If it’s NOT safer, which it isn’t, they need to be told that. This knowledge comes with a good deal of experience on these forums.

    Have a great day.

    Thread Starter suncokret

    (@suncokret)

    OMG… this thread lost its meaning through this pointless argument. Is it 666 or 646? Doesn’t matter, as both aren’t safe. So, let’s get over it! It’s a temporary change anyway.

    I perfectly understood what hallsofmontezuma said in his second post and that helped me – I changed my .htaccess to 644 since my permas are well formatted and I don’t need to modify them.

    Thank you!

    Michael Torbert

    (@hallsofmontezuma)

    WordPress Virtuoso

    You’re incorrectly inferring that my message could suggest that 646 is a more secure alternative to 666. I could have just as easily said 666 for his purpose of temporarily CHMODing .htaccess but didn’t.
    Don’t read into it so much.
    I understand that you’re saying people who are in unfamiliar territory on these forums can get confused if we don’t word things a certain way, but I don’t agree that people would generally reach the same conclusion from my post as you did.
    For instance, Suncokret understood.
    Perhaps you could have been more eloquent and we wouldn’t have had this discussion:
    “lol. This is a great thread.

    646 is no more secure than 666 —” suggests that I was sending the message that 646 is more secure than 666 (relative to web accessible files). If you felt I wasn’t clear, you could have just said, “To add to Hallsofmontezuma’s post, I want to clarify that using 646 or 666 will allow WordPress to modify the file, and make sure that you CHMOD it to 644 immediately after WordPress makes the permalinks changes.”
    Your original post in fact didn’t help anyone.

    I could have just as easily said 666 for his purpose of temporarily CHMODing .htaccess but didn’t.

    And again, you didn’t. Why? Until you can provide a reason why you offered up an alternative within the context of answering something that specifically asks if 666 is insecure, we are going to go round and round.

    Need a metaphor/allegory/whatever:

    If you ask me if you should buy a Jeep but express that you are worried about gas mileage, and I answer with “An Accord will get you to the same places”, you can see very clearly I am implying that one has better gas mileage than the other.

    And don’t presume to think that the OP understood that 646 is basically the same thing. He or she certainly knows now, since I’ve made my point.

    That’s the whole reason I even bothered with challenging you – you either did presume, or you didn’t realize and are now simply too stubborn to admit that you thought that you were offering a more secure solution, however temporary it might be.

    Now, I gave you a pass, and basically let this go with an “OK, he just didn’t realize that dealing with new users about security takes a little more wording”, but if you want to continue, we surely can.

  • The topic ‘My WP 2.3.3 was hacked’ is closed to new replies.