MVIS Security Center
[resolved] Permission recommendations break my site (11 posts)

  1. mosheeshel
    Member
    Posted 1 year ago #

    MVIS recommends changing permissions on my /wp-admin and other folders - it says to remove read & execute permissions for "world" (setting permissions to 750)

    is this for the top folder only, or including all files in the directory?

    Also when I do this, say for my /wp-content folder, the site loads without the theme files (which makes sense), and when I do it for /wp-admin - my admin interface doesn't load. What am I doing wrong?!?

    Thanks!

    http://wordpress.org/extend/plugins/mvis-security-center/

  2. secconsult
    Member
    Plugin Author

    Posted 1 year ago #

    Hello Mosheeshel,

    Are you hosting the WordPress on your own server?
    If not then the issue is likely to be in the setup of your hosting provider.
    Could you share which users own the files and which group user is set for your directories? Additionally, we would need to find out which user your webserver runs as (e.g. www-data) and if it is part of the group.

    If you don't want to share the information publicly, you can also send me an e-mail using the "Feedback, Bugs or Feature Requests?" link in the top right corner.

    Cheers,
    Stefan

  3. secconsult
    Member
    Plugin Author

    Posted 1 year ago #

    Hello again, were you able to solve the problem with your site?

  4. mosheeshel
    Member
    Posted 1 year ago #

    Hi Again, and thanks for your patience.
    No, I didn't resolve the issue. I host with a hosting company; it is a shared host and my interface is cPanel (I change the permissions via the "File Manager").
    I have no way of knowing the Apache configuration behind...

  5. secconsult
    Member
    Plugin Author

    Posted 1 year ago #

    Hello mosheeshel,

    Do you have FTP/SFTP access to the system? Then you should be able to see what the owner name and group name of specific files/directories are, which should help us determine how your file permissions can be secured without breaking the site.

    In the meantime, please share the default file permissions that are set on /wp-config.php and /index.php, because these are some of the most important files to secure in a shared hosting environment.

  6. mosheeshel
    Member
    Posted 1 year ago #

    Hi,

    I've checked what it says on the FTP, under the Owner/Group column, it just gives numbers
    594 592

    Regarding the file permissions
    wp-config 400
    index.php 400
    wp-blog-header.php 400
    all the rest are 644

    All the folders are 755 (setting any to 705 "breaks" the site)

  7. mosheeshel
    Member
    Posted 1 year ago #

    Also recently I had a small hack performed
    my index.php file was replaced, and the db user passwords were corrupted.

    I noticed that someone uploaded a new theme to the themes folder, I'm unclear how this was accomplished, but I suspect there is some opening there which I am missing still.

    How can this be accomplished? I am quite sure no one got my password, I use a 15-character randomized string (using Lastpass) and certainly don't share it with anyone else, nor have anything on my personal computer...

  8. secconsult
    Member
    Plugin Author

    Posted 1 year ago #

    That is weird, because this would indicate that only the file owner has read permissions on e.g. the wp-config.php file, which would also mean that the file owner is the web server. Otherwise the setup would not work, because the web server would not be able to read the config file. That in turn could mean that you could easily upload a php file that reads all other directories on the shared host. Regarding your permission problem, it seems like you can't fix it due to the Linux user setup for the virtual hosts. I am speculating a bit here and I would have to take a closer look to be sure about that.

    Are you using HTTPS to connect to the wp-admin interface?
    Do you store the WP admin password in the FTP application on your computer?

    Having a shared host can be quite dangerous, because if one other customer on the same server is hacked, attackers can potentially spread to all other sites, even though you would have done everything right and secured the site properly.
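
The owner/group/world reasoning in the posts above can be checked mechanically. The following is an added example, not part of the original thread or the plugin's code: it applies the standard POSIX class-selection rule to the modes mentioned in the thread (755, 750, 705, 644, 400) and the owner/group numbers 594/592 from post 6. The web server account (uid/gid 33) and the three candidate process identities are assumptions for illustration; ACLs, root and parent directories are ignored.

```python
# Added example: POSIX permission check on the modes discussed in this thread.
R, W, X = 4, 2, 1

def permitted(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """Return True if a non-root process is granted every bit in `want`.

    POSIX selects exactly one class: owner, else group, else other.
    There is no fall-through, so a group member denied by the group
    bits stays denied even when the "other" bits would allow access.
    """
    if proc_uid == file_uid:
        bits = (mode >> 6) & 7
    elif file_gid in proc_gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

OWNER_UID, OWNER_GID = 594, 592   # numbers shown by the FTP client (post 6)
WWW_UID, WWW_GID = 33, 33         # assumption: a separate web server account

def site_check(dir_mode, file_mode, proc_uid, proc_gids):
    """Can the process traverse a folder and read a file inside it?"""
    ident = (OWNER_UID, OWNER_GID, proc_uid, proc_gids)
    return permitted(dir_mode, *ident, X) and permitted(file_mode, *ident, R)

def report():
    """Evaluate each hypothetical process identity against each mode pair."""
    identities = [
        ("separate web user", WWW_UID, {WWW_GID}),
        ("web user in group 592", WWW_UID, {WWW_GID, OWNER_GID}),
        ("PHP runs as owner 594", OWNER_UID, {OWNER_GID}),
    ]
    rows = []
    for label, uid, gids in identities:
        rows.append((label,
                     site_check(0o755, 0o644, uid, gids),   # current setup
                     site_check(0o750, 0o644, uid, gids),   # recommended 750
                     site_check(0o755, 0o400, uid, gids),   # wp-config.php at 400
                     site_check(0o705, 0o644, uid, gids)))  # folder set to 705
    return rows

if __name__ == "__main__":
    print(f"{'process identity':24} 755/644 750/644 755/400 705/644")
    for label, *results in report():
        print(f"{label:24} " + " ".join(f"{r!s:7}" for r in results))
```

Comparing the rows with what actually loads on a given host narrows down which identity the web server or PHP handler runs as, which is the information asked for in post 2.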

  9. secconsult
    Member
    Plugin Author

    Posted 1 year ago #

    Hello, you can contact me again if there are any further questions. I'm closing the topic.

  10. mosheeshel
    Member
    Posted 1 year ago #

    Thanks for all the help...

  11. secconsult
    Member
    Plugin Author

    Posted 1 year ago #

    Sure thing :)

Topic Closed

This topic has been closed to new replies.