Title: Cannot shut off notifications Last modified: November 25, 2017 --- # Cannot shut off notifications * Resolved [bkjproductions](https://wordpress.org/support/users/bkjproductions/) * (@bkjproductions) * [8 years, 6 months ago](https://wordpress.org/support/topic/cannot-shut-off-notifications/) * Really annoying! I cannot get Sucuri to stop bothering me with every Tom, Dick and Harry who are failing to log into the site: * This setting: **Receive email alerts for failed login attempts (you may receive tons of emails)** will not save when I submit the form. * I believe it is because Sucuri is not storing its settings in the database, but rather seems to be writing a file to the uploads folder? Here is a message that appeared after I deactivated the plugin and reactivated the plugin, trying to diagnose the problem. * **SUCURI: Storage is not writable: /myname/public_html/wp-content/uploads/sucuri/ sucuri-settings.php** * I didn’t think it was considered proper to put a PHP file into your uploads folder, isn’t that a security risk? At least from what I have read; a quick search shows that most people recommend locking down the /uploads folder so you’re not executing php code there. * This must be a new thing, because there was no such message when I arrived on the settings page on a site where the plugin has been running for years. * **Another bone to pick:** Sucuri is sort of vague about who gets notified. I would prefer to have an email address that is NOT an admin of the website, but some other address for a person whose job is just to monitor the notices. That person doesn’t need to be a registered user. It seems like maybe I could do this, in that there is a setting: * > **Alerts Recipient** > By default, the plugin will send the email alerts to > the primary admin account, the same account created during the installation > of WordPress in your web server. You can add more people to the list, they > will receive a copy of the same security alerts. * Below this there is a list of users, one of whom is the main Admin. But, probably due to the problem with saving settings to a PHP file rather than the database, removing the Admin from the list will not “stick.” Nor will adding a new user. Still, I think if I dare allow PHP to execute in my /uploads folder, then I think that I can remove the default Admin and put in another address. If this is the case, the text in the Alerts Recipient instructions should say “You can add or remove people…” * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fcannot-shut-off-notifications%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 1 replies (of 1 total) * [yorman](https://wordpress.org/support/users/yorman/) * (@yorman) * [8 years, 6 months ago](https://wordpress.org/support/topic/cannot-shut-off-notifications/#post-9722159) * > I believe it is because Sucuri is not storing its settings in the database, > but rather seems to be writing a file to the uploads folder? * That is correct, more specifically in this file [1]. * > SUCURI: Storage is not writable: /myname/public_html/wp-content/uploads/sucuri/ > sucuri-settings.php * This is the entire reason of why you are unable to enable/disable the security alerts. If the plugin has no access to write into this file then — technically speaking — it’s impossible to save the changes that you are trying to apply from the settings page. * > I didn’t think it was considered proper to put a PHP file into your uploads > folder, isn’t that a security risk? * Write permission is different than execution permission. * In Unix-like systems, there are three basic permissions that you can set to a file: read, write, execution. Allow the execution of a random file (no matter the programming language) is a bad idea in itself, but again, the plugin is asking for write permissions rather than execution, since none of the files in the “ uploads/sucuri” directory need to be publicly accessible, they just need to be writable inside the server so the plugin can insert/delete data into/from them. * > At least from what I have read; a quick search shows that most people recommend > locking down the /uploads folder so you’re not executing php code there. * Locking down any directory with content that you don’t want to be publicly accessible from the Internet is a good idea. However, you are seeing this procedure incorrectly; in the context of WordPress websites, “locking down” a directory basically means that you are blocking access to it and/or any of its files _from_ the web, but the server and any internal software still has access to it _(unless you change the permissions, which is what is happening in your website)_. * You can keep your uploads directory locked down and grant write permissions to these files so the plugin can use them, this without affecting the security of the website. In fact, one of the features offered by the plugin — the Hardening— has an option that adds restrictions to the uploads directory to prevent the unwanted execution of publicly accessibly PHP files. * > This must be a new thing, because there was no such message when I arrived > on the settings page on a site where the plugin has been running for years. * The message is new, but the permission check is old. * The plugin used to fallback to the database to store the settings, that’s why people didn’t experience this problem with the file permissions before. However, this changed when it was decided that relying on WordPress’ would cause more problems than not, so we went full “flat files” and added the error message just in case something unexpected happens. * > Sucuri is sort of vague about who gets notified. I would prefer to have an > email address that is NOT an admin of the website, but some other address for > a person whose job is just to monitor the notices. That person doesn’t need > to be a registered user. It seems like maybe I could do this, in that there > is a setting * Indeed! This is something that I need to change. I will include this as a feature request into our internal issue tracker. Once a priority is assigned to this task by the project manager, I will work on it and include it among the changes for a future update of the code. * **SOLUTION:** The solution to the issue mentioned in this thread is fixed by granting write permissions to the file linked below. Feel free to lock down the uploads directory to prevent the execution of PHP files, this lock down will not affect the reads/writes from the plugin. In fact, even if you grant them execution permission nothing bad will happen because these PHP files have no relevant PHP code, they just contain a call to the built-in `exit()` function and then JSON-formatted data. * [1] `/wp-content/uploads/sucuri/sucuri-settings.php` Viewing 1 replies (of 1 total) The topic ‘Cannot shut off notifications’ is closed to new replies. * ![](https://ps.w.org/sucuri-scanner/assets/icon-256x256.png?rev=2875755) * [Sucuri Security - Auditing, Malware Scanner and Security Hardening](https://wordpress.org/plugins/sucuri-scanner/) * [Frequently Asked Questions](https://wordpress.org/plugins/sucuri-scanner/#faq) * [Support Threads](https://wordpress.org/support/plugin/sucuri-scanner/) * [Active Topics](https://wordpress.org/support/plugin/sucuri-scanner/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/sucuri-scanner/unresolved/) * [Reviews](https://wordpress.org/support/plugin/sucuri-scanner/reviews/) * 1 reply * 2 participants * Last reply from: [yorman](https://wordpress.org/support/users/yorman/) * Last activity: [8 years, 6 months ago](https://wordpress.org/support/topic/cannot-shut-off-notifications/#post-9722159) * Status: resolved