UNSAFE file permissions set by plugin
I’ve been using this plugin for a long time to try to help harden WordPress installs against hackers.
I recently noticed that the file permissions on the wp-config.php files kept being changed to 666 and thought that my sites had been hacked.
By pure luck and chance, while looking at a site error log, I found that this file wp-content/plugins/salt-shaker/_inc/core.class.php has this code towards the bottom:
//set the recommended permissions to wp-config.php read:
chmod($config_file, 0666);
This changes the permissions on your wp-config.php file to 666 meaning that the whole world can read and write to your wp-config file!!!!! WTF!
Anyone would have total access to server paths, database details as well as password, etc.
Additionally I have noted that while it is changing the SALTS it still allows me to remain logged into the site instead of logging ALL users out as it should be.
UNINSTALLED IMMEDIATELY.
I DO NOT RECOMMEND INSTALLING THIS PLUGIN.
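An added example (not part of the original post and not the plugin's code): a shell audit for the behaviour described above. It lists wp-config.php files that are group- or world-writable, finds PHP chmod() calls that set a world-writable octal mode, and resets loose files. The function names, the 640 target mode and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the behaviour described in the post above.
# SAFE_MODE is an assumption; pick the mode your hosting setup needs.
SAFE_MODE=640

# List wp-config.php files under $1 that are group- or world-writable.
loose_configs() {
    find "$1" -type f -name wp-config.php \( -perm -002 -o -perm -020 \) -print
}

# List PHP lines under $1 that chmod() to a world-writable octal mode
# (last digit 2, 3, 6 or 7), e.g. chmod($config_file, 0666);
# Uses grep -r and --include, which GNU and BSD grep both provide.
risky_chmod_calls() {
    grep -rnE --include='*.php' \
        'chmod[[:space:]]*\([^,]*,[[:space:]]*0?[0-7]{2}[2367][[:space:]]*\)' "$1"
}

# Reset every loose wp-config.php under $1 to SAFE_MODE; print the count.
tighten_configs() {
    find "$1" -type f -name wp-config.php \( -perm -002 -o -perm -020 \) \
        -exec chmod "$SAFE_MODE" {} \; -print | wc -l | tr -d ' '
}

# Demo on a constructed tree (not a real site).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/wp-content/plugins/example-plugin"
    echo '<?php // constructed sample' > "$root/site/wp-config.php"
    chmod 666 "$root/site/wp-config.php"
    printf '%s\n' '<?php' 'chmod($config_file, 0666);' 'chmod($other, 0644);' \
        > "$root/site/wp-content/plugins/example-plugin/core.php"
    echo "Loose configs:";     loose_configs "$root"
    echo "Risky chmod calls:"; risky_chmod_calls "$root"
    echo "Fixed: $(tighten_configs "$root")"
    rm -rf "$root"
}

demo
```

Running the audit on a schedule also catches the case where a plugin re-applies the loose mode after it has been corrected by hand.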