• Resolved mosheeshel

    (@mosheeshel)


    MVIS recommends changing permissions on my /wp-admin and other folders – it says to remove read & execute permissions for “world” (setting permissions to 750)

    is this for the top folder only, or including all files in the directory?

    Also when I do this, say for my /wp-content folder, the site loads with out the theme files (which makes sense), and when I do it for /wp-admin – my admin interface doesn’t load. What am I doing wrong?!?

    Thanks!

    https://www.ads-software.com/extend/plugins/mvis-security-center/

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author secconsult

    (@mvis)

    Hello Mosheeshel,

    Are you hosting the WordPress on your own server?
    If not then the issue is likely to be in the setup of your hosting provider.
    Could you share which users own the files and which group user is set for your directories? Additionally, we would need to find out which user your webserver runs as (e.g www-data) and if it is part of the group.

    If you don’t want to share the information publicly, you can also send me an e-mail using the “Feedback, Bugs or Feature Requests?” link in the top right corner.

    Cheers,
    Stefan

    Plugin Author secconsult

    (@mvis)

    Hello again, were you able to solve the problem with your site?

    Thread Starter mosheeshel

    (@mosheeshel)

    Hi Again, and thanks for your patience.
    No I didn’t resolve the issue, I host in a hosting company, it is a shared host and my interface is cPanel (I change the permissions via the “File Manager”)
    I have no way of knowing the Apache configuration behind…

    Plugin Author secconsult

    (@mvis)

    Hello mosheeshel,

    Do you have ftp/sftp access to the system, then you should be able to see what the owner name and group name of specific files/directories are, which should help us determine how your file permissions can be secured without breaking the site.

    In the meantime, please share the default file permissions that are set on /wp-config.php and /index.php, because these are some of the most important files to secure in a shared hosting environment.

    Thread Starter mosheeshel

    (@mosheeshel)

    Hi,

    I’ve checked what it says on the FTP, under the Owner/Group column, it just gives numbers
    594 592

    Regrading the file permissions
    wp-config 400
    index.php 400
    wp-blog-header.php 400
    all the rest are 644

    All the folders are 755 (setting any to 705 “breaks” the site)

    Thread Starter mosheeshel

    (@mosheeshel)

    Also recently I had a small hack performed
    my index.php file was replaced, and the db user passwords were corrupted.

    I noticed that someone uploaded a new theme to the themes folder, I’m unclear how this was accomplished, but I suspect there is some opening there which I am missing still.

    How can this be accomplished? I am quite sure no one got my password, I use a 15 characters randomized string (using Lastpass) and certainly don’t share it with anyone else, nor have anything on my personal computer…

    Plugin Author secconsult

    (@mvis)

    That is weird, because this would indicate that only the file owner has read permissions on the e.g wp-config.php file, which would also mean that the file owner is the web server. Otherwise the setup would not work, because the web server would not be able to read the config file. That in turn could mean that you could easily upload a php file that reads all other directories on the shared host. Regarding your permission problem, it seems like you can’t fix it due to the Linux user setup for the virtual hosts. I am speculating a bit here and I would have to take a closer look to be sure about that.

    Are you using HTTPS to connect to the wp-admin interface?
    Do you store the WP admin password in the FTP application on your computer?

    Having a shared host can be quite dangerous, because if one other customer on the same server is hacked, attackers can potentially spread to all other sites, even though you would have done everything right and secured the site properly.

    Plugin Author secconsult

    (@mvis)

    Hello, you can contact me again if there are any further questions. I’m closing the topic.

    Thread Starter mosheeshel

    (@mosheeshel)

    Thanks for all the help…

    Plugin Author secconsult

    (@mvis)

    Sure thing ??

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Permission recommendations break my site’ is closed to new replies.