BulletProof Security
[resolved] .htaccess could be chmodded more secure by default (4 posts)

  1. Daedalon
    Member
    Posted 2 years ago #

    Currently BulletProof Security 0.46.9 creates .htaccess files with a chmod of 644. In the status screen it recommends making them 404. Is there a reason for not making it chmod 404 automatically?

    Apart from this and the UI that could be streamlined, BulletProof Security is an excellent plugin. I've been its happy user for a long time. Thanks for the great work!

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    The majority of people have Hosting Servers that are running PHP as a CGI, but for folks who are running PHP as an Apache Module / DSO their file permissions cannot be any lower than 644. Automatic chmod to 404 on a Website / Server using a DSO configuration would cause the website to crash.

    Some Web Hosts using a CGI configuration have restrictions on file permissions and these folks would also have problems ranging from 403 errors to 500 errors if an automatic chmod was being done.

    And my personal reason for doing things the way I do them is that I prefer control of a plugin with options, rather than being forced to use presets or having to recode an overly automated plugin to give me some control of it. So I personally think it is better to have control of your options even if it means you have to make additional choices or do some additional steps.

  3. Daedalon
    Member
    Posted 2 years ago #

    It's a good thing to have control, but in this case, it works both ways. Whichever the automatic chmod is, it can be changed to more or less restrictive manually.

    Is it possible to make the automatic chmod either conditional, or use a trial and error mechanism to find out what works? The trial and error testing wouldn't need to be done with the .htaccess file. It could use a file that has no explanations to the functionality of the website to repeatedly chmod and try to access it to find the strictest settings that would be safe for chmodding the file itself. This could be used to secure all files, not just the .htaccess one.

    If this would work, it would make BulletProof Security closer to being the definitive WordPress security measure. And if making the default settings more secure without breaking anything is possible, there's no reason not to. Everything the plugin does could be done manually, but the reason to use the plugin is to not have to. Like you said, there's always the liberty of adjusting things after the default settings have taken place, if someone wants to make the website less secure for some purpose.

    If you need help with beta testing I'll be glad to give a hand.

  4. AITpro
    Member
    Plugin Author

    Posted 2 years ago #

    Yep, this could be done conditionally based on SAPI detection and I have considered doing this, but felt it was not a priority security issue and it fell into a convenience issue category, so yep, it is on a list of low priority convenience things that will probably be added in the future.

    My coding / design priorities are:
    #1 security
    #2 providing both automated and full control options
    #3 convenience

    I guess when it comes down to manual vs automated it is a personal preference thing. Personally I do not use plugins that do not offer manual control. If everything is completely automated in a plugin then I delete it and do not use it. If I can quickly recode that plugin then sometimes I add my own manual control options coding to it and keep using it.

    The next few version releases of BPS will be focusing on i18n language translation. i18n coding has been added to BPS .47.
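
The conditional chmod based on SAPI detection that this thread discusses, written as an added example (not code from BulletProof Security or from either poster). The function names and the list of SAPI strings treated as CGI are assumptions; host-level restrictions that surface as 403 or 500 errors can only be caught by an HTTP request to a throwaway file, which this offline example does not make.

```php
<?php
// Added example, not BulletProof Security code. Function names are hypothetical.

// Assumption: these php_sapi_name() values mean "PHP as CGI"; "apache2handler"
// (Apache module / DSO) and anything unrecognised keep 644, as the thread advises.
const EXAMPLE_CGI_SAPIS = ['cgi', 'cgi-fcgi'];

function example_htaccess_mode(string $sapi): int
{
    return in_array($sapi, EXAMPLE_CGI_SAPIS, true) ? 0404 : 0644;
}

// Tighten $path to the mode chosen for $sapi and return the mode left in effect.
function example_harden_htaccess(string $path, ?string $sapi = null): int
{
    clearstatcache(true, $path);
    $perms = @fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $path");
    }
    $old = $perms & 0777;
    $new = example_htaccess_mode($sapi ?? php_sapi_name());

    // Only ever remove permission bits; a file already stricter is left alone.
    if ($new === $old || ($new & ~$old) !== 0) {
        return $old;
    }
    if (!@chmod($path, $new)) {
        return $old;              // host refused the change; nothing to undo
    }
    clearstatcache(true, $path);
    if ((fileperms($path) & 0777) !== $new || !is_readable($path)) {
        @chmod($path, $old);      // roll back rather than leave a broken site
        return $old;
    }
    return $new;
}

// Demo on a constructed temporary file standing in for .htaccess.
$demo = tempnam(sys_get_temp_dir(), 'htaccess');
foreach (['cgi-fcgi', 'apache2handler'] as $sapi) {
    chmod($demo, 0644);
    printf("%-15s -> %o\n", $sapi, example_harden_htaccess($demo, $sapi));
}
unlink($demo);
```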

This topic has been closed to new replies.