• I just purchased an e-commerce theme and it wants me to chmod a few folders to 777. They are:

    bills, dl, uploads, and cache

    Is this a security risk? The last thing I want is to expose customer information to a hacker. Thanks.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    If you are on a shared web host, meaning other people are running code on the same server and you're just paying for web hosting, then yes, that’s not a safe thing to do.

    Thread Starter JanChristian

    (@janchristian)

    Well it isn’t hosted anywhere yet. I’m just trying to get it working locally, but ran into a chmod issue (see this thread: http://wordpress.org/support/topic/how-to-chmod-0777-local-folders?replies=1), which got me thinking about the security issue.

    I plan on hosting through HostGator (business plan), which is shared hosting.

    What makes 777 such a bad way to go? Thanks for your help!

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I don’t know anything about that hosting service, and wouldn’t comment here about it if I did. 🙂

    Ask any hosting company about directories being made 777 and see what they say.

    What makes 777 such a bad way to go? Thanks for your help!

    If you are running on a host, and I’m an unscrupulous person on the same host (perish the thought) and the hosting company is not doing something extra, then I could find your directory and deposit files there.

    Those files could redirect your traffic to MY website. Or send harmful files to your readers such as exploit code.

    That’s what 777 does for directories. That’s rwxrwxrwx or everyone on that server can read the files in that directory, can write files to that directory, and can look (change directory) into that directory.

    There are many hosts who know how to isolate users from each other, and that makes 777 less evil. Some will even pick up a 777 directory and tell you that’s a no-no. It’s not really that hard to secure a server as long as the host knows what they are doing.

    But there are also many clueless shared host providers, so try to avoid 777 if you can.

    Thread Starter JanChristian

    (@janchristian)

    Bummer. This theme has everything I need but now I’m hesitant to use it…

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *GAH! TOO MUCH DISCOURAGEMENT JAN!*

    It’s good to be forewarned, BUT give your potential hosting company a call and get information. Often hosting companies host a wiki with a FAQ for these types of questions.

    That theme doesn’t need 777, it needs to be able to write to those directories listed. Using chmod 777 is a quick and easy way to accomplish that.

    If your hosting runs your web server instance as a separate user ID (yours) then you don’t need 777 and can get by with the normal 755 or even more restrictive. That way not all the users on your shared host can write to those directories.

    There are other ways to secure a web server, so ask them and see what they say.
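    The two points Jan makes above (777 means the "other" write bit is set for everyone on the box, and the theme only needs the web server's own user to be able to write) can be checked and fixed from a shell. The script below is an added example, not code from the thread or the theme: it builds a constructed temporary tree with the four directory names from the question, finds every directory whose mode grants write to "other", and tightens them to 755 on the assumption that the web server runs as the directory owner.

```shell
#!/bin/sh
# Audit for world-writable directories (the bit chmod 777 sets for "other"),
# then tighten them to owner-writable 755.
# Constructed demo only: the four directory names come from the question.
set -eu

# Print every directory below $1 whose mode grants write to "other" (-0002).
# -perm checks mode bits, not effective access, so it works the same as root.
world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# Number of such directories, for easy checking in a script.
count_world_writable() {
    world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Least-privilege fix: owner rwx, group and other r-x.
# Assumes the web server process runs as the directory owner (the setup Jan
# describes); if it runs as a separate group member, use 775 plus group
# ownership instead of 755.
tighten_dirs() {
    for d in "$@"; do
        chmod 755 "$d"
    done
}

# Recreate the theme's request on a throwaway tree, audit, fix, re-audit.
demo() {
    tmp=$(mktemp -d)   # mktemp -d creates the parent as 700, so it is not counted
    for d in bills dl uploads cache; do
        mkdir "$tmp/$d"
        chmod 777 "$tmp/$d"   # what the theme's instructions ask for
    done
    before=$(count_world_writable "$tmp")
    tighten_dirs "$tmp/bills" "$tmp/dl" "$tmp/uploads" "$tmp/cache"
    after=$(count_world_writable "$tmp")
    rm -rf "$tmp"
    echo "world-writable directories before: $before, after: $after"
    [ "$before" -eq 4 ] && [ "$after" -eq 0 ]
}

demo
```

Run world_writable_dirs against the site's document root on the real host to see whether anything is still at 777; whether 755 or a group-writable 775 is the right replacement depends on which user the host runs PHP as, which is exactly the question to put to their support desk.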

    Thread Starter JanChristian

    (@janchristian)

    Thanks, Jan. I contacted HostGator and already received a reply. Here’s what they had to say:

    Generally speaking, it is not a good idea to give any file or folder 777 permissions. 777 permissions grant read, write, and execute access to everyone. On Shared and Reseller servers, 777 permissions are not only discouraged, they also are not compatible with the way in which PHP functions on our servers. For more information, please see http://support.hostgator.com/articles/specialized-help/technical/my-script-needs-to-use-777-permissions

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    It’s not … Eeeeh.

    Without knowing the details of the plugin, the best we can say is it MIGHT be dangerous.

  • The topic ‘e-commerce theme requires chmod 0777 permissions, is this a security risk?’ is closed to new replies.