WordPress.org


[resolved] How did someone add files to my wp-content folder? (8 posts)

  1. K3200
    Member
    Posted 7 years ago #

    A strange thing happened today as I checked my web stats. Some of my more popular pages that are being visited are in my wp-content folder. What's even stranger is that I didn't put them there. Some of the files are:

    /wp-content/somaonline.htm
    /wp-content/pharmacyphentermine.htm
    /wp-content/cheapalprazolam.htm

    How does someone place these files in my wp-content folder without me knowing or giving permission?

    Thanks

  2. vkaryl
    Member
    Posted 7 years ago #

    Probably because you did "give permission" by leaving your wp-content folder world-writeable (777).

  3. K3200
    Member
    Posted 7 years ago #

    That's the case. What should permission be set at, 644? Is this the only folder I should worry about or are all folders at risk to something like this?

    Thanks so much for quickly getting to this issue and solving it!!

  4. vkaryl
    Member
    Posted 7 years ago #

    Files at 644, folders at 755 is generally sufficient. Any folder will be at risk if set at 777. If you need to have a folder set at 777 for a short time for whatever reason, fine, just be SURE that you return it to 755 when you've finished.

    This was relatively harmless in your case; there are far far worse things that can happen!

  5. K3200
    Member
    Posted 7 years ago #

    Thanks so very much. I appreciate the help!!!

  6. snipeseye
    Member
    Posted 7 years ago #

    Edit: Post updated - not necessary.

  7. pizdin_dim
    Member
    Posted 7 years ago #

    "How does someone place these files in my wp-content folder without me knowing or giving permission?"

    Once you've granted "writable permission" to your content directory, anyone with even the basic scripting skills can pretty much put anything they bloody well like there.

    This is unfortunately quite a problem for most installations. If you're in a SHARED environment, you should check that your hosting provider (if they use Apache) is using the PHP directive "open_basedir" for ALL their virtual domains, assuming your website is running in a shared environment.

    If you ARE in a shared environment, and your hosting people ARE using Apache but they're NOT implementing the "open_basedir" directive (usually via vhosts.conf), then you're asking for trouble because your 755 mask will NOT save you.

    EDIT: I forgot to say that the reason I mentioned the "open_basedir" directive is because I STILL encounter hosting providers who don't bother to set it.

  8. spencerp
    Member
    Posted 7 years ago #

    If your host is good about things, good to you, and is good in general, you can ask them to make your folder and file permissions set to the following default settings:

    Folders = 755
    Files = 644

    So from then on, they should already get those above two settings automatically.. I've asked my host to do that, and it's set up like that now.. Good luck! ;) =)

    spencerp
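
Added example, not part of the original thread: a small shell audit for the baseline given in posts 4 and 8 (folders 755, files 644). The function names are hypothetical, and the check for non-PHP files directly under wp-content assumes the site keeps only .php files at that level.

```shell
#!/bin/sh
# Added example: audit a WordPress content tree against the thread's baseline
# (folders 755, files 644). All function names here are hypothetical.

# Entries any local user can write to: the 777 (or 666) case.
wp_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print
}

# Entries whose mode differs from the baseline in either direction.
wp_perm_drift() {
    find "$1" -type d ! -perm 0755 -print
    find "$1" -type f ! -perm 0644 -print
}

# Non-PHP files sitting directly in wp-content, such as planted .htm pages.
# Assumption: this site keeps only .php files at that level; adjust if not.
wp_unexpected_files() {
    find "$1" -maxdepth 1 -type f ! -name '*.php' -print
}

# Put every folder back to 755 and every file back to 644.
# This does not delete anything: review wp_unexpected_files output first.
wp_perm_reset() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Report only; call wp_perm_reset yourself once the report has been reviewed.
wp_perm_audit() {
    echo "== world-writable ==";             wp_world_writable "$1"
    echo "== differs from 755/644 ==";       wp_perm_drift "$1"
    echo "== unexpected top-level files =="; wp_unexpected_files "$1"
}

# Stand-alone use: sh wp_perm_audit.sh /path/to/wp-content
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```

Resetting modes closes the write access but leaves any planted files in place, so remove what the report lists separately.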

Topic Closed

This topic has been closed to new replies.
