Hi Security Safe plugin team!
First of all, awesome plugin that you have here where it has a feature to detect the file permission of the files to check the security.
Would it be ok if we can have a feature request to have host specific exemptions for container-based web host like Pantheon where the default wp-content/uploads folder has 770 permissions?
Thanks in advance!
- This topic was modified 1 year, 3 months ago by Carl Alberto.
The page I need help with: [log in to see the link]
Absolutely. Is there a reliable way that I can detect that a site is hosted on Pantheon? If you use any PHP constant variables, then I can check for that and allow an exception.
Also, if there are other aspects of making WP Security Safe more compatible with Pantheon hosting, please let me know.
Thank you for reaching out.
Thanks for the quick reply @stevenayers63 and for accommodating our request.
You can use
$_ENV['PANTHEON_ENVIRONMENT']to check if you are hosted in the platform, there are sample codes in here https://pantheon.io/docs/environment-specific-config#define-wp_debug-to-perform-actions-based-on-environment
Also, you can sign up for free https://pantheon.io/register in the platform and spin up a sandbox site to test out your code and plugin
@carl-alberto I will roll out this feature on my next release and notify you about it.
I just released version 2.4 of WP Security Safe and it accommodates the Pantheon permissions 770 for the directory “uploads” and all of its children directories.
It was my understanding that the directories only needed 770 permissions. Based on your screenshot, you also need files to be 770? Please confirm.
I can release an updated version fairly quick to resolve this issue.
I just made some adjustments and tested using the Pantheon WordPress sandbox. I apologize as I assumed your were only referring to the directories permissions. Version 2.4.1 has been released and accommodates both the directories and files to have 770 in the uploads directory.
Hi @stevenayers63, sorry for the delayed response.
It seems it is not erroring anymore on the WP core folders, few things that we have noticed:
– core files in the root are flagged as error
– symlinks that are 770 are reported as warnings
Can those be also hosting specific exempted? It may not be relevant since the live site’s core files will always be read-only in Pantheon even if the permissions are being overridden to be lower than 755
Here are the recommended file permissions in a shared hosting environment per WordPress’s documentation:
- All files should be owned by the actual user’s account, not the user account used for the httpd process.
- Group ownership is irrelevant, unless there’s specific group requirements for the web-server process permissions checking. This is not usually the case.
- All directories should be 755 or 750.
- All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
- No directories should ever be given 777, even upload directories. Since the php process is running as the owner of the files, it gets the owners permissions and can write to even a 755 directory.
Having said that, I understand that Pantheon is different than the typical shared hosting server, thus your file/directory permissions are different. Could you provide me the list of the ideal permissions for the files / directories listed below?
- All directories (default) – ???
- All files (default) – ???
- wp-config.php – ???
- symlinks – 770
- Uploads Directories – 770
- Uploads Directory files – ???
- (any other specific files that need specific perms) – ???
Once I have that list, I will roll out an update to accommodate them specifically for Pantheon.
I am following up on this. Can you confirm with your dev team the needed file permissions requested above? Once I have that list, I will go ahead and release a new version to accommodate them for Pantheon.
Sorry for the delay and thanks for following up.
Just to explain further the platform, has 2 filesystem modes, Read-only & Writable.
Multidevs & Development environment that is in SFTP mode is writable by default.
Read-only environments are environments in Git mode, Test and Live environments
In this mode, regardless of the permissions, even if you override it with any permissions, the only path that will be writable is wp-content/uploads
All environments and mode should have these permissions by default:
All directories (default) – 755
All files (default) – 644
wp-config.php – 644
symlinks – 777
Uploads Directories – 770
Uploads Directory files – 770
(any other specific files that need specific perms) – none so far as we can check
Hope that clears up but I think your latest plugin seems to flag files and folders safely correctly now, I might have flagged it incorrectly since I have used an older installation, upon checking on a freshly installed site, everything seems to look good:
- The topic ‘Feature request to have exemption in the file permission check in Pantheon’ is closed to new replies.