Just a few comments/questions and a little quick background:
On Christmas Eve, somebody actually hacked my WP site. No, it wasn’t a security hole in WP which did it but my own stupid operator error. I had left some WP-Content directories 777 writable so that I could edit files on the fly and also upload pictures. Well, somebody went in there and wrote their own code in my template files and also added files such as a commands.php file and the like so that they could probably spam or track things from my site.
Stupidly, they fucked up and broke my template, which led me to track down the problem and discover what they had done. They had installed files in every single images directory (all 777) and in my theme directory (also 777). Thankfully, it wasn’t in there for long and I managed to go in there, erase all their code and lock down my site (back to 755).
I don’t know if this has happened to you, but if it has, I’d love to hear about it sometime.
My question to podz and others (fortune and blessings be upon them for their tireless work) are the following:
1) How can I avoid this in the future? Aside from keeping everything in 755 permissions, is there any way at all? I can’t think of one.
2) If not, isn’t having a directory (such as wp-content) at 777 a huge security risk? And if it means I have to chmod back to 777 from 755 every time I want to upload a picture, doesn’t that get a tad counterproductive?
3) I’m using ecto to blog from my mac mostly. I happen to like being able to just drag-drop and upload pictures. If it isn’t 777, I can’t do that. Any suggestions on keeping my site safe and still able to blog to it easily enough? Again: I can’t think of anything. BTW, I realize that this really has nothing to do with WP coding because it’s the way the permissions work, and I am not blaming anyone for this. I’m just trying to find out if anyone has thought of some solutions/advice/tips?
4) Trackbacks work in ecto with WP now – on some sites and not on some others. I tried it this morning and it worked fine for 2 sites. 2 others gave me problems. Might that just be a problem with their site/system? I’m not sure. I’m happy that trackbacks do finally work again with outside clients with WP now, however, and I would like to thank the people who fixed that. At least as far as it works right now. 🙂 Good job and thank you very much.
5) I’d also like to say that my site was upgraded with no fuss and no muss just by following the directions. All of the plugins still worked except for the tiger admin CSS, but I simply downloaded the updated beta version and now that works fine. It just goes to show what an awesome job was done on the 2.0 version and how simple and great the instructions were. Thanks to everyone who contributed to that.
That’s all. Hopefully some people have some tips/insight/advice on security with what I mentioned above. Other than that, I haven’t had any problems with WP in general. I’d love to hear feedback to my questions, and if I find anything which needs fixing, I’ll try to post it here.
Once again, thank you guys for everything. Wonderful job and wonderful product.
- The topic ‘Hacked WP Files, Trackbacks, and Questions’ is closed to new replies.