WordPress.org

Ready to get started?Download WordPress

Forums

[closed] security vulnerability in 2.9.2 (14 posts)

  1. dugbug
    Member
    Posted 4 years ago #

    The rash of hacks on network solutions wordpress blogs were from harvested SQL accounts by scanning for and reading the SQL account info from wp_config.php.

    Suggest two changes (gleamed from sucuri.net's discovery)
    1) Make sure after an install or upgrade that wp_config.php is chmod 750. Maybe this is a network solutions install choice, I dunno but to be safe Im asking wordpress to change your install.
    2) Can the DB password somehow not be in the clear?

    Existing sites can protect themselves by doing the above (and changing your SQL DB password to be sure). Its just a matter of time before folks start copying this technique and scan other hosting sites.

  2. ClaytonJames
    Member
    Posted 4 years ago #

    I've always been under the impression that files need to be at most, 644. Why would they need to be 750, and what were they when they were "scanned"?

    Existing sites can protect themselves by doing the above
    (Make sure after an install or upgrade that wp_config.php is chmod 750)

    I'm not certain that's accurate advice. Could you elaborate as to why that will protect the wp-config.php file?

  3. ClaytonJames
    Member
    Posted 4 years ago #

    I think this could be a more accurate representation of what was paraphrased in the first post.

    "Precautions you should take if you’re using WordPress:

    1. Change your WordPress administrative password immediately;
    2. Review the list of WordPress users who have access to your account and delete any users you do not recognize;
    3. Update your WordPress account to the most recent version that Network Solutions offers;
    4. Run your security and malware system scans on all computers that are used to access your WordPress account;
    5. Please ensure all sites public_html (or your www) directory have 750 permissions, not the less secure 755;
    6. Change the password for your mySql user and update wp-config. You can recreate the same user with an updated password; and
    7. Double check in settings writing that XML-RPC is turned off and maybe as an extra precaution disable/move/delete xmlrpc.php."

    Source: //www.blog.networksolutions.com

    Article: Alert: WordPress Blog & Network Solutions

  4. dugbug
    Member
    Posted 4 years ago #

    Ok folks correct me if Im wrong, because this is a killer hole (imho)

    If the wp install folder is 750, folks can't access your site, so it has to stay 755. If wp-config.php is **4 then anyone can read your wp-config.php file. I made my wp-config.php 640 and then modded it with a new db account.

    Do you folks understand the ramifications? The guy read our SQL user and database passwords and server information, then just went to the database.

    He could even install a local wordpress somewhere at home mod his config file to point to our database, create and delete users and edit posts (presumably with malware) as he wished... and your web site logs would show NOTHING because he never accessed our site.

    -d

  5. ClaytonJames
    Member
    Posted 4 years ago #

    If the wp install folder is 750, folks can't access your site,

    Why not?

    I can only speak from my own experience when I say that all of my web accessible directories currently have permissions of 750, all of the WordPress installations inside of those directories have files that are 644 and all the directories are 755 (and again, occasionally a variation temporarily or otherwise in the uploads location ) but I don't seem to have any problems with site access from LAN or WAN.

  6. dugbug
    Member
    Posted 4 years ago #

    If I do 750 on the wp install folder I get this:

    Forbidden
    You don't have permission to access / on this server.

    This is how they access index.php, from the .htaccess file. Perhaps there are some subtle install differences between us.

  7. ClaytonJames
    Member
    Posted 4 years ago #

    I would have to question the directory ownership and group settings on your public_html folder then.

  8. dugbug
    Member
    Posted 4 years ago #

    Why? Im changing the "other" setting. How would the owner of the folders matter (which is the same "owner" as the rest of the files... this is a network solutions hosted site, user is always the same as far as I have seen it). Group is always the same as well.

  9. ClaytonJames
    Member
    Posted 4 years ago #

    is your wordpress installed in a sub-directory in your html folder?

  10. ClaytonJames
    Member
    Posted 4 years ago #

    I suggest you contact network solutions support for the following reasons:

    You state: "If I do 750 on the wp install folder I get this: Forbidden You don't have permission to access / on this server....
    ....this is a network solutions hosted site"

    This is the statement issued by network solutions on their blog I linked to above: "5.Please ensure all sites public_html (or your www) directory have 750 permissions, not the less secure 755;

    Seems like they wouldn't make that bold of a statement if 750 permission on their accounts were going to throw 403's. They should have your answer.

    Good luck to you!

  11. dugbug
    Member
    Posted 4 years ago #

    755 on folder and 640 on config

    per latest ns blog
    http://blog.networksolutions.com/2010/alert-wordpress-blog-network-solutions/

    so again wpress during install make the config file 640

  12. MathSmath
    Member
    Posted 4 years ago #

    FYI, assuming WordPress is not installed in a folder you can just move your wp-config file out of the web root.

    From the Hardending WordPress article in the Codex:

    You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 750 permission).

  13. dadaji
    Member
    Posted 3 years ago #

    Hi, my blog got hacked couple of times, I have the latest wordpress 3.0.1 installed, however changing the wp-config.php permissions to "750" gives this warning/error in wp-load.php :

    Warning: require_once(/###/###/public_html/wp-config.php) [function.require-once]: failed to open stream: Permission denied in /###/###/public_html/wp-load.php on line 30

    Even moving the wp-config.php one level above gives same error on line 35 then.

    Can some one please help me or suggest any solution on this issue?

    Thanks
    Binoy D.

  14. mrmist
    Forum Janitor
    Posted 3 years ago #

    Unfortunately one set of permissions does not fit every hosting platform. Some platforms require the other flag to be more than 0, because of how their web services run. Of course, that doesn't always prevent you from achieving a secure platform. Sometimes you can set the permissions at a different level.

    I'm closing this thread now, as it's not timely. If you wish to discuss permissions please start a new thread in how-to or the misc forum.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags