Support » Plugins » CHMOD Security Issue

  • Resolved leMaxim


    This deals with my concerns in this thread:

    (According to Yosemite, in the above thread) My hosting environment needs a plugin directory (image-headlines) to be CHMODED to 777 in order to function.

    Is this, or is this not a security vulnerability?
    -If so, what are possible consequences?
    -Can somebody modify/delete my files?
    -Exploit my php?

    -If so how can I prevent it while maintaining 777?

    Thanks in advance!

Viewing 15 replies - 1 through 15 (of 15 total)
  • Maybe this Codex article might help:

    Codex seems down right this second so if needed, check the cache copy at Google

    It doesn’t exactly address my issue…


    yes it is. I’d talk to your host. 755 should suffice with a secure and tight server setup.

    And if the host doesn’t change, I’d change the host. Bound to eventually be in trouble you are. And there are quite many good hosts with an eye on security out there.

    Yeah…my host is their PHP is in safemode and setup is a pain. But it gets the job done. Grr. So if I have the dir on 777, what’s the worst that can happen?

    Then change your host. There are quite a few really good ones out there.

    I know, but im asking, whats the worst that can happen? What kind of exploits?

    Someone else could read/explore the directory. Beyond that you have to look at the permissions on the files inside, as well as their owner/group.

    The quick answer is don’t worry. Between Safe Mode and your host’s security the only salient concern is that someone could read the files in that directory. Long as there’s no seekrit, sensitive info in those files you’ll be ok.

    That’s interesting. Well I can’t even explore the directory when I type it in. But nobody can delete/modify those files?

    exploring the directory can be separately disabled.

    the real risk comes from someone else who has access to your server. perhaps another web account on the same server. or a poorly written php script that allows a program to be uploaded that pretends to be a picture. let’s say you let people upload pics without any checks, and a hacker uses it to upload a program. If you have execute access to the directory, he might be able to use that space to install *and run* his program.

    now, these days, a chmod of 777 is not as risky as it sounds, at least not on a server wide level. it’s just one layer of security. each virtual account is usually chrooted (actually, i don’t think cpanel accounts do that, unless that’s changed from the last time I used cpanel). you are running your own sort of virtual server environment. in other words, someone who hacks another persons account generally won’t be able to even see your account space.

    to hack into your space, it really needs insecurely written scripts in order to do it. so one thing to be concerned about is any plugin that uploads something. it simply must check the data it’s plomping into your account space is actually what it’s supposed to be.

    the topic is too large to discuss here, and i’m not an expert. I’ve had encounters with some of these issues though. php, mysql etc. can have their own security flaws. be sure your webhost is on top of that end. for your end, be careful what you install into wordpress, and keep wordpress up to date. if a hole is discovered plug it. worry about these things more than a directory that has permission of 777. but still, change it to 755 if you can.

    Thank you! I’ve finally got my answer.

    Some additional: I had my directory set at 777. A few months later I found a number of .php files in the directory that were spewing out spam onto Google. I’ve had to remove access to this directory… 777 is NOT safe on all servers. 755 didn’t work for me. Talk to your host.




    “these days, a chmod of 777 is not as risky as it sounds”

    as opposed to the what? the olden days when boxes ran on LINUX and Apache? oh wait, that would be the these days one.

    thats some very flawed advice you gave above.

    In another thread Macbrink provided this excellent link

    He said,
    If you have to use 777 you could try to secure your folders with .htaccess




    i love it when my suggestions end up in the codex. Apparently I am good for something. 🙂


Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘CHMOD Security Issue’ is closed to new replies.