• Resolved Clarus Dignus

    (@clarus-dignus)


    wp-config.php security:

    iThemes Security requires file updating:

    Many of the functions of this plugin require editing your wp-config.php or .htaccess files. Would you like to allow us to safely update these files for you automatically?

    I’m concerned about leaving wp-config.php writable. Isn’t this considered a vulnerability or does your plugin somehow circumvent this vulnerability?

    curl_exec

    Does iThemes Security require curl_exec to be enabled like other security plugins? I prefer to disable this function. If your plugin requires curl_exec, again, does it somehow circumvent the vulnerability the requirement creates?

    https://wordpress.org/plugins/better-wp-security/

Viewing 6 replies - 1 through 6 (of 6 total)
  • I’m concerned about leaving wp-config.php writable. Isn’t this considered a vulnerability or does your plugin somehow circumvent this vulnerability?

    It makes it non writable (4-0-0).

    For instance, once enabled, if you go into permalink settings you will get a warning saying WordPress cannot write to the htaccess file, so you need to make changes manually or enable write permissions.

    As for the curl_exec I have no idea…

    Thread Starter Clarus Dignus

    (@clarus-dignus)

    My wp-config is set to 444 after having fully configured iThemes Security.

    1. Should I manually remedy the permission?
    2. My wp-config is moved up one directory for security. Does this prevent iThemes Security from doing its job?

    Sorry for taking so long to reply, …this support forum /*shoots self in the head */

    1. Yes make it 400.
    2. No, if WordPress can find it, iThemes can. That’s fine.

    3. Please mark thread as solved, if you figured it out.
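
A check for the two points settled above, as an added example that is not from this thread or from iThemes Security: it looks for wp-config.php in the WordPress root and then one directory up, the same two places WordPress itself checks, and reports whether the mode is 400, read-only but readable by group/other (such as 444), or writable. The function names and output labels are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: audit where wp-config.php lives and what mode it has.
# Usage (example path, adjust to your install): audit_wp_config /var/www/html

# Print the wp-config.php WordPress would load: the install root first, then
# one directory up, but only if that parent is not itself a WordPress install.
find_wp_config() {
    local root="${1%/}" parent
    if [ -f "$root/wp-config.php" ]; then
        printf '%s\n' "$root/wp-config.php"
        return 0
    fi
    parent="$(dirname "$root")"
    if [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
        return 0
    fi
    return 1
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Labels: OK       = no write bits, no group/other access (400)
#         READABLE = no write bits, but group/other can read (e.g. 444)
#         WRITABLE = at least one write bit set (e.g. 644)
audit_wp_config() {
    local cfg mode
    cfg="$(find_wp_config "$1")" || { echo "MISSING"; return 2; }
    mode="$(file_mode "$cfg")"
    if [ $(( 0$mode & 0222 )) -ne 0 ]; then
        echo "WRITABLE $mode $cfg"; return 1
    elif [ $(( 0$mode & 0077 )) -ne 0 ]; then
        echo "READABLE $mode $cfg"; return 1
    fi
    echo "OK $mode $cfg"
}
```

The function returns 0 only for the OK case, so it can gate a deployment or cron check.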

    The answer to your curl question, from your initial post, related to iTSec plugin is NO.
    The iTSec plugin uses curl as a fallback mechanism in only 1 function (get_ssl()).
    This function is used to determine whether the server supports SSL.
    It will first attempt to use the WordPress HTTP API (wp_http_supports()) and if that fails it will try to use curl (if (function_exists( 'curl_init' )) { ).

    So I guess it’s safe to disable the curl_exec() function.

    dwinden

    If your questions were answered to your satisfaction please mark this topic as ‘resolved’.

    dwinden

    Thread Starter Clarus Dignus

    (@clarus-dignus)

    Thanks for the confirmation on curl_exec() and the wp-config.php location/permissions.

    I’m very satisfied with this plugin.

  • The topic ‘wp-config security and curl_exec’ is closed to new replies.