Support » Fixing WordPress » How did someone add files to my wp-content folder?

  • Resolved K3200


    A strange thing happened today as I checked my web stats. Some of my more popular pages that are being visited are in my wp-content folder. What’s even stranger is that I didn’t put them there. Some of the files are:


    How does someone place these files in my wp-content folder without me knowing or giving permission?


Viewing 7 replies - 1 through 7 (of 7 total)
  • Probably because you did “give permission” by leaving your wp-content folder world-writeable (777).

    That’s the case. What should permission be set at, 644? Is this the only folder I should worry about or are all folders at risk to something like this?

    Thanks so much for quickly getting to this issue and solving it!!

    Files at 644, folders at 755 is generally sufficient. Any folder will be at risk if set at 777. If you need to have a folder set at 777 for a short time for whatever reason, fine, just be SURE that you return it to 755 when you’ve finished.

    This was relatively harmless in your case; there are far far worse things that can happen!

    Thanks so very much. I appreciate the help!!!

    Edit: Post Updated -not necessary.

    “How does someone place these files in my wp-content folder without me knowing or giving permission?”

    Once you’ve granted “writable permission” to your content directory, anyone with the even the basic scripting skills can pretty much put anything they bloody well like there.

    This is unfortunately quite a problem for most installations. If you’re in a SHARED environment, you should check that your hosting provider (if they use Apache) is using the PHP directive “open_basedir” for ALL their virtual domains, assuming your website is running in a shared environment.

    If your ARE in a shared environment, and your hosting people ARE using Apache but they’re NOT implementing the “open_basedir” directive (usually via vhosts.conf), then you’re asking for trouble because your 755 mask will NOT save you.

    EDIT: I forgot to say that the reason I mentioned the “open_basedir” directive is because I STILL encounter hosting providers who don’t bother to set it.

    If your host is good about things, good to you, and is good in general, you can ask them to make your folder and file permissions set to the following default settings:

    Folders = 755
    Files = 644

    So from then on, they should already get those above two settings automatically.. I’ve asked my host to do that, and it’s setup like that now.. Good luck! 😉 =)


Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘How did someone add files to my wp-content folder?’ is closed to new replies.