BulletProof Security
[resolved] File and folder permissions (15 posts)

  1. adicerni
    Member
    Posted 2 years ago #

    I've updated to the latest version today and find that the permissions have changed.

    root folder ../ 750 705.

    750 is recommended and I'm set at 705. I believe this is what was set from previous versions.

    If I change to 750 as recommended, I don't have permission to access the website.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    705 permissions on the root folder causes a lot of folks not to be able to access their website root folder and causes 500 Internal Server errors. 705 permissions are more restrictive than 750 permissions. If you cannot access the site then change the root folder permissions to the standard 755 permissions. Folder permissions are really no longer that important to change.

    The trend for hackers/hacking methods is this:

    1. They target the FTP password first and try to crack it with automated FTP password cracking tools - there are tons of free FTP password cracking tools/apps available online.
    2. They target the WordPress login next and attempt to crack WordPress login passwords.
    3. A wide range of various attack methods targeting the /plugins and /uploads folder.
    4. All the other standard types of hacking methods.

    BPS already protects against Directory traversal attacks so changing folder permissions is not really that important.

    http://en.wikipedia.org/wiki/Directory_traversal_attack

  3. WayneM1
    Member
    Posted 2 years ago #

    I'd just like to chime in for a clarification:

    BPS version .48 (and earlier) recommended 705 for the root folder.

    BPS version .48.2 now recommends 750 for the root folder.

    Is that a changed recommendation, or just a typo?

  4. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    It was a mistake on my part. It never should have been 705 permissions and should have always been 750 permissions. I CAN use 705 permissions, but most folks CANNOT. In any case, the ONLY file permissions that make a significant difference are changing the root .htaccess file to 404 and wp-config.php, index.php and wp-blog-header.php to 400.

  5. WayneM1
    Member
    Posted 2 years ago #

    Thanks.

    As always - great support :-)

  6. WayneM1
    Member
    Posted 2 years ago #

    OOOOPS!!

    For me, changing my root folder to the recommended 750, results in a 403 permission denied when trying to view my website (I guess that's the same problem the first poster in this thread has).

    Seems weird if 750 is "less" restrictive, that 705 would have been working fine right along...

    I know you said these permissions are not all that important. But, it seems getting them right, or not, does have some consequences and could lead users to having issues they did not expect.

    I think I'll stick with 705, as that's what my 25+ sites are presently set up with.

  7. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    hmm I wonder if some Hosts are now doing 705 permissions as a new standard. If so, then this could explain what is going on here. Example: The Host creates a rule somewhere in the Server config file that requires that root folder permissions are 705. This would be a really good thing so maybe it is now becoming a new standard. 705 is obviously much safer than 750. Out of curiosity, which Host do you have?

  8. adicerni
    Member
    Posted 2 years ago #

    I am with Canadian Web Hosting in Vancouver BC. http://www.canadianwebhosting.com/

  9. WayneM1
    Member
    Posted 2 years ago #

    I'm using HostGator.com for all my sites.

  10. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Ok I have a HostGator hosting account as well as some others so I will fiddle around and see what is up. Thanks.

  11. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    big oops. LOL 745 does work - 750 is a NO GO. 705 works and is the optimum setting. Guess I'll change the recommendation back to 705 in the next BPS release. ha ha ha.

  12. WayneM1
    Member
    Posted 2 years ago #

    Thanks for always doing your best to support and improve this great FREE plugin :-)

  13. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    @adicerni - didn't see that you posted a reply. Sorry about that. Anyway I screwed up by changing the recommendation from 705 to 750. 750 would not work on any host that I can think of. DOH! If I was going to recommend a decreased permission setting then I should have stated 745. 705 is the optimum permission setting so stick with that.

  14. adicerni
    Member
    Posted 2 years ago #

    No problem, glad I brought it up in the first place now.

    Anyway I've changed all my sites to 705 again and they're working fine.

    Thanks for your support and great plugin.

  15. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    And if I release another BPS version this soon just for this issue/problem people are going to get pissed off. I have a couple of new things that I want to add to BPS so I will get those done in a week and release another update with the permission correction.
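
An added illustration (not part of the thread and not BulletProof Security's code) of why 750 on the root folder produced 403 errors while 705 and 745 worked: the kernel checks exactly one permission triplet per process (owner, else group, else other), and a directory can only be entered with the execute bit. It assumes the common shared-hosting arrangement in which the web server runs as a user that is neither the account owner nor in the account's group; all uid/gid values are constructed.

```python
import stat

def access_class(proc_uid, proc_gids, owner_uid, owner_gid):
    """Pick the single triplet the kernel consults: first match wins."""
    if proc_uid == owner_uid:
        return "owner"
    if owner_gid in proc_gids:
        return "group"
    return "other"

def allowed_bits(mode, cls):
    """Return the set of r/w/x letters that mode grants to the given class."""
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (mode >> shift) & 0o7
    return {name for name, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit}

def can_traverse(mode, cls):
    """Entering a directory (and reaching files in it) requires x."""
    return "x" in allowed_bits(mode, cls)

def can_read(mode, cls):
    """Reading a file's contents requires r."""
    return "r" in allowed_bits(mode, cls)

# Constructed IDs (assumptions): hosting account 1001:1001, web server 48:48.
ACCOUNT_UID, ACCOUNT_GID = 1001, 1001
HTTPD_UID, HTTPD_GIDS = 48, {48}

def report():
    """Evaluate the root-folder modes named in the thread for the web server."""
    cls = access_class(HTTPD_UID, HTTPD_GIDS, ACCOUNT_UID, ACCOUNT_GID)
    rows = {}
    for mode in (0o705, 0o745, 0o750, 0o755):
        symbolic = stat.filemode(stat.S_IFDIR | mode)
        rows[oct(mode)[2:]] = (symbolic, can_traverse(mode, cls))
    return cls, rows

if __name__ == "__main__":
    cls, rows = report()
    print(f"web server is checked as: {cls}")
    for octal, (symbolic, ok) in rows.items():
        print(f"{octal} {symbolic} -> {'reachable' if ok else '403 Forbidden'}")
    # File modes from the thread: 404 keeps .htaccess readable by "other";
    # 400 is readable only by the owner (assumption: PHP runs as the owner).
    print(".htaccess 404 readable by web server:", can_read(0o404, cls))
    print("wp-config.php 400 readable by web server:", can_read(0o400, cls))
```

If the web server were instead a member of the account's group, the result flips: 750 becomes reachable and 705 is denied, because the group triplet is consulted and "other" is never checked.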

Topic Closed

This topic has been closed to new replies.
