Forum Replies Created

Viewing 15 replies - 121 through 135 (of 148 total)
  • cnymike

    (@cnymike)

    I am in agreement concerning the Admin. It is a huge waste of space…very poorly implemented and a giant step backwards in my opinion. Why so much wasted space? Why is everything so BIG? It’s as if the Admin was being designed for people with failing eyesight and made super large for them to see.

    cnymike

    (@cnymike)

    I’ve confirmed that I have the wp-trackback.php file in my blog directory. I have confirmed that I have the following code in the header.php file
    <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />

    I have confirmed that the necessary options are checked…

    # Attempt to notify any blogs linked to from the article (slows down posting.)
    # Allow link notifications from other blogs (pingbacks and trackbacks.)
    # Allow people to post comments on the article

    So when I enter a trackback URI at the time I create a blog post, the other blog (a blog I own as well, with the same options set) never receives it.

    Akismet is not catching it as far as I can tell, it just isn’t getting received (or sent… I don’t know)

    Any ideas what I need to check at this point?

    cnymike

    (@cnymike)

    Same problem here with 2.3.2.

    Can’t say for how long this has been happening, but it is definitely happening right now and I don’t know how to fix either.

    Thread Starter cnymike

    (@cnymike)

    Whoa Nelly! I solved the mystery.

    I had written into my .htaccess file a permanent redirect for my domains… ie: domain.com permanently redirected to https://www.domain.com

    Of course I had neglected to check the WP Options to make sure the correct domain was being specified and I found that I had specified domain.com instead of https://www.domain.com.

    Problem solved!

    Thread Starter cnymike

    (@cnymike)

    OK…on my hostrocket.com account I just installed into a test directory, a brand new installation of WP 2.2 using fantastico.

    I was not able to upload photos into that either.

    Two entirely different hosts… three different installations of WP including one brand new installation… and I can’t upload photos into -any- of them. I’ve tried using two different computers too, a Mac desktop and a PC notebook. I even reset my router and cablemodem thinking it might be some weird firewall thing or something. Still no dice. HELP.

    Thread Starter cnymike

    (@cnymike)

    This is getting even more mysterious.

    I have another WP v2.1 blog on a different server which I had added to on June 15. I just tried to make a new post there with the same result. I was unable to upload photos successfully even though no error was displayed.

    Now both my blogs are dead in the water and I have not done anything to them since my last successful post on them. I can add an entry, but I can’t upload images anymore.

    Thread Starter cnymike

    (@cnymike)

    Here’s the blurb on php-cgiwrap that came from my webhosts support area…

    “php-cgiwrap is a “script wrapper” that lets your scripts execute under your own userid and group instead of user nobody and group www. It works in the same fashion as cgiwrap but handles paths in such a way that it can be used to run PHP pages under your own userid. Running PHP pages under your own userid allows you to use chmod 700 to lock out other users on the server from viewing the source code. Locking out other users can be especially important if you are interfacing with a MySQL database, thereby preventing people from obtaining your password.”

    Thread Starter cnymike

    (@cnymike)

    Almost forgot to put this out there…

    my webhost said the best solution is to run php-cgiwrap.

    Thread Starter cnymike

    (@cnymike)

    I spoke with my webhost about the .htaccess “solution” and it’s not really a solution but to the most casual hacker. You see, if a hacker knows how to gain access to your webspace with user “nobody” then they will be able to modify, delete or do whatever they want to that .htaccess file. So it’s really not a true solution. Nonetheless, I have placed them in the directories that I must have 777 permissions on. I figure it can’t hurt and if it provides even a bit more protection while the directory is world-writable, then it’s worth it. But the real problem is that the hackers are coming in through the backdoor with probably some sort of rootkit installed in your webspace, so if it’s to that point, a .htaccess file won’t afford you any protection. That’s how my webhost explained it to me anyway.

    Thread Starter cnymike

    (@cnymike)

    Bobcat, It’s not secure if someone has hacked into the shared host somewhere because they have server rights. They have free rein. Furthermore if I set permissions to anything other than 777, WP will NOT upload anything because I don’t have world-writable permissions on the Uploads directory.

    Furthermore, setting permissions to 700 results in this error…
    “Warning: is_dir(): Stat failed for /home/xxxxxx/public_html/blog/wp-content/uploads/2007 (errno=13 – Permission denied) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 970

    Warning: is_dir(): Stat failed for /home/xxxxxx/public_html/blog/wp-content/uploads (errno=13 – Permission denied) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 970

    Warning: Cannot modify header information – headers already sent by (output started at /home/xxxxxx/public_html/blog/wp-includes/functions.php:970) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 1219
    WordPress

    Unable to create directory /home/xxxxxx/public_html/blog/wp-content/uploads/2007/04. Is its parent directory writable by the server?”

    The only way to upload on my server through the dashboard is with 777 permissions.

    Time to move on.

    Thread Starter cnymike

    (@cnymike)

    I understand now that WP technically doesn’t set the permissions, but WP enables it by requiring that the parent directory be world-writable in order for the uploads directory to be created by the server.

    You know what, I finally get it. And for me, having the ability to upload photos via the dashboard is simply not worth the risk.

    Thread Starter cnymike

    (@cnymike)

    The confusion is because doodlebee said
    “The problem here is that *WordPress* doesn’t set permissions for *anything*.”

    My question “How is this secure?” was sort of a rhetorical question. It’s not secure.

    Thread Starter cnymike

    (@cnymike)

    OK…I just did a brand new install of WP for installation testing purposes and to see just exactly what permissions are being used and WHO is creating them.

    I downloaded a zip of WP to my local computer. I unzipped it, filled in the necessary data in the wp-config.php file and then ftp’d the entire WordPress directory to my server.

    I ran the install script and once that was completed, I logged into admin of my newly created blog.
    I ftp’d to the directory where WP was installed and noticed that the wp-content directory had permissions of 755. All well and good thus far.

    I created a new blog entry. I browsed for an image on my local computer and attempted to upload it. Got the following error…

    Unable to create directory /usr/www/users/xxxx/xxxx/wordpress/wp-content/uploads/2007/04. Is its parent directory writable by the server?

    A-ha! So the ONLY way to create the uploads/2007/04 directory is to make the wp-content world writable with 777 permissions. OK I changed permissions and then attempted to upload the image again. Success.

    Now I have to change the directory ‘wp-content’ back to 755. Done!

    But lo and behold, the newly created directories…

    wp-content/uploads/2007/04
    wp-content/uploads/2007
    wp-content/uploads

    …now have permissions of 777 and are owned by nobody (the server).

    So if WordPress didn’t create these world-writable directories, owned by the server (nobody) then what am I missing?

    How is this secure? Furthermore, since they are owned by the server, I cannot rename them, change their permissions or delete them unless I call my webhost and have them change ownership to me.

    So help me out here doodlebee and explain to me what just happened cuz I’m just not getting it.

    Thread Starter cnymike

    (@cnymike)

    doodlebee, I can’t really get too deep into this conversation because I don’t have good enough knowledge of the whole permissions scheme.

    I never said my host “made” me keep the permissions at 777. My host provided me with good guidance on how to help prevent this in the future by using .htaccess as I described previously in an earlier post.

    My Host conceded that a shared server -is- open to this sort of abuse. Of the hundreds of sites hosted on the server, who knows how many are operated by folks like me that don’t really have a clue what they are doing? I’d guess the majority. This leaves the potential for HUGE gaping holes in the security of the server. Any world writable directory in that shared environment is vulnerable if any one of the hundreds of other users’ space is compromised. Once the hacker gets in, either by brute force, or by learning the login info for an account, they have the ability to wreak all sorts of damage.

    What is really a hassle is that the Uploads directory is owned by the server because it is the WP script that is installing, not me. Is this because I uploaded the tar file to my server and then untarred it as opposed to unzipping it locally and then ftp’ing it to my server?

    It’s clear to me from reading about this issue a lot, both here and other forums and websites, that this is a big problem on WordPress Blogs. In fact, there are probably a lot of WP blogs that are hacked/compromised without the knowledge of their owners because the hackers use rootkits to gain control and do a pretty good job hiding their activity. The only way I noticed anything suspicious was because I happened to be looking at Google Webmaster tools for my site and noticed thousands of 404 errors. That was the tipoff.

    I’ve learned enough now to know that in a shared server environment you do not want to leave any directories in a 777 state for very long or you are a hack job waiting to happen. As for me, I have paid a pretty stiff price in all this. Google has completely taken away my page ranking and my site has disappeared in the results pages where a week ago I was the #1 result using certain search terms. I hope that in time, Google will restore my ranking because I have removed all traces of the hacker’s work and hopefully have a more secure site now.

    Forum: Plugins
    In reply to: World writeable folders!?

    I would strongly encourage you NOT to have world writable permissions, owned by nobody, on your installation. I had just that scenario and my site was hacked.

    In a shared server environment, it is quite easy for someone with the knowledge to place a php script inside that world writable directory, install a rootkit and then basically do whatever they want in that directory. Happened to me and I am paying the price. My site completely lost its ranking in Google and I had over 85,000 spam links leading to my website directory where the hacker invaded. It was the wp-content/Uploads directory.

    I cannot believe that WP puts world writable directories in place.

    Also read this thread…
    https://www.webmasterworld.com/community_building/3040091.htm
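
A read-only audit for the condition these posts describe (world-writable directories under wp-content/uploads, entries owned by another account, and script files sitting in the uploads tree), added here as an example and not part of the original posts or of WordPress. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".php5"}  # assumed list of script extensions


def audit_tree(root, expected_uid=None):
    """Return sorted (relative_path, issue) findings for a wp-content style tree."""
    if expected_uid is None:
        expected_uid = os.getuid()  # assumption: the auditing account owns the site
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid != expected_uid:
                findings.append((rel, "owned by uid %d" % st.st_uid))
            in_uploads = "uploads" in rel.split(os.sep)[:-1]
            if stat.S_ISREG(st.st_mode) and in_uploads:
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                    findings.append((rel, "script in uploads"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample mirroring the directory layout in the posts above."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    month = os.path.join(root, "wp-content", "uploads", "2007", "04")
    os.makedirs(month)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    for d in ("uploads", "uploads/2007", "uploads/2007/04"):
        os.chmod(os.path.join(root, "wp-content", d), 0o777)
    for fname in ("photo.jpg", "x.php"):
        fpath = os.path.join(month, fname)
        open(fpath, "w").close()
        os.chmod(fpath, 0o644)
    return root


if __name__ == "__main__":
    for rel, issue in audit_tree(build_sample_tree()):
        print(issue + ": " + rel)
```

Run against a real install by passing the blog directory as `root`; the audit only calls `lstat` and changes nothing.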
