Super Cache Security Clarification (8 posts)

  1. cachemoney
    Member
    Posted 6 years ago #

    First off, thanks for a great plugin, I've noticed a huge difference in speed with this!

    I've read over some of the topics here regarding super-cache and security. I'm a noob but I think most of them are regarding the correct CHMOD for directories. Still not 100% on what the warning in the admin page means and what exact files/directories it's talking about.

    Can anyone put in simple terms, what exactly needs to be done to ensure maximum security when using this plugin?

    A few days after installing it I found a folder in my home directory that shouldn't be there. This is the first time I've had anything like that, so I imagine I'm doing something wrong with this plugin.

    I changed my hosting and WordPress passwords, anything else I should do?

    Also is that a really horrible security breach? FWIW, the folder was named for the domain of some adult site and sub directories in the folder matched a directory structure until it reached the last sub folder called 05.jpg. I chmodded the folder to 0. Other than that, I couldn't find any other obvious changes.

    Any comments/ideas appreciated!

  2. Donncha O Caoimh
    Member
    Posted 6 years ago #

    It's not a security breach. Some people see odd directories appear in their root directory, but I haven't been able to reproduce it at all.

    You should, however, tighten the permissions on your root directory. Your web server shouldn't be allowed to write there at all. Either use chmod to change permissions or, if you can, chown to change ownership.

  3. whooami
    Member
    Posted 6 years ago #

    donncha,

    I can tell you that over the last week or so, I helped someone that was seeing directories created in her site root.

    The cause was 4 things:

    1. Despite the fact that her equivalent of public_html was chmod 755, supercache was saying the directory was writable.

    2. She was running 1 other plugin, the name of it escapes me, but I can dig it out of my emails if you are interested.

    3/4. Her 404.php was not actually sending a 404 but instead a 304. This was caused by a query_post that was being done in a sidebar file that was called via an include on 404.php

    Changing any of the above 4 items caused the directories to not be created.

    The solution, btw, that I implemented was to ensure that her 404.php actually sent a 404.

    supercache looks for 404s, not finding one, (under the above set up) the latter half of the URL ended up causing a directory to be made, ie:

    http://www.blog.com/some_permalink/something_that_doesnt_exist

    would create something_that_doesnt_exist within the cache directory,

    and this:

    http://www.blog.com/some_permalink/http://something_that_doesnt_exist

    would create something_that_doesnt_exist within the WordPress root.

    If you are interested I can pass along the info of the site and an email addy of the owner..

    --
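
An added example (not part of the thread and not WP Super Cache's own code) of the two checks this post points to: write cache files only for 200 responses, and refuse to derive a cache directory from a URL path that is not a plain sequence of segments. The cache root, the function names and the sample requests are assumptions made up for illustration.

```php
<?php
// Added example, not WP Super Cache code. CACHE_ROOT and both function
// names are hypothetical.
const CACHE_ROOT = '/var/www/example/wp-content/cache/supercache/www.blog.com';

/**
 * Map a request URI to a directory under CACHE_ROOT, or return null when the
 * URI must not be cached. Pure string handling, so it also works for paths
 * that do not exist on disk yet.
 */
function cache_dir_for(string $requestUri): ?string
{
    $path = rawurldecode(explode('?', $requestUri, 2)[0]);
    // Must be an absolute path with no control characters or backslashes.
    if ($path === '' || $path[0] !== '/' || preg_match('/[\x00-\x1f\\\\]/', $path)) {
        return null;
    }
    $trimmed = trim($path, '/');
    if ($trimmed === '') {
        return CACHE_ROOT; // front page
    }
    $segments = explode('/', $trimmed);
    foreach ($segments as $seg) {
        // An empty segment means "//" (as in an embedded "http://"), a colon
        // means an embedded scheme, and dot segments would leave the cache root.
        if ($seg === '' || $seg === '.' || $seg === '..' || strpos($seg, ':') !== false) {
            return null;
        }
    }
    $candidate = CACHE_ROOT . '/' . implode('/', $segments);
    // Defence in depth: the result must still sit below CACHE_ROOT.
    $prefix = CACHE_ROOT . '/';
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

function cache_target(int $status, string $requestUri): ?string
{
    // The 404.php in the post answered 304 instead of 404. Allow-listing 200
    // keeps a mislabelled error page from ever being written to disk.
    return $status === 200 ? cache_dir_for($requestUri) : null;
}

// Constructed requests modelled on the two URL shapes quoted in the post.
$samples = [
    [200, '/some_permalink/'],
    [304, '/some_permalink/something_that_doesnt_exist'],
    [200, '/some_permalink/http://something_that_doesnt_exist'],
];
foreach ($samples as [$status, $uri]) {
    printf("%d %-52s => %s\n", $status, $uri, cache_target($status, $uri) ?? 'not cached');
}
```
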

  4. cachemoney
    Member
    Posted 6 years ago #

    Thank you both for the insight into how this may have happened. It sounds like someone's browser requested an image from another website for some reason and wordpress/super-cache created the directory structure to match that failed request. That's a relief, I was panicking when I first saw it.

    My webhost (dreamhost) has the directory structure set up a little differently than most hosts. My / dir contains folders with the names of the domains in my account, and each of those is its own "root" for that site. Those folders themselves are chmodded 755.

    I'm using the sandbox template, which I believe does something differently with 404 pages, beyond that is beyond me.

  5. Donncha O Caoimh
    Member
    Posted 6 years ago #

    whooami - that's really interesting. I'll have to test that and debug it. Can you email me at donncha @ ocaoimh.ie please? I have enough to go on, but I'd like to give credit where it's due!

  6. Donncha O Caoimh
    Member
    Posted 6 years ago #

    I just tried to replicate the 404 problem and couldn't. That's strange.

  7. cachemoney
    Member
    Posted 6 years ago #

    I can't replicate it either. The site in question is fairly busy and I've only seen it happen that once.

  8. whooami
    Member
    Posted 6 years ago #

    yes, I will send off an email to you this evening -- unfortunately I have my hands tied with a disk failure right now.

Topic Closed

This topic has been closed to new replies.
