WordPress.org

Forums

Duplicator
[resolved] Potential Security Issue? (13 posts)

  1. cwendt01
    Member
    Posted 2 years ago #

    I recently had a website hacked that had been launched only in the past month. I had the typical securities installed on it, including Better WP Security plugin, secure passwords, etc.

    My webhost was the one who contacted me about it, and he explained because the files were created by the Apache server, and not uploaded via FTP (thus being created by the FTP account), that they "were write-able by the whole world and anyone who accesses the website." I'm not 100% certain this is the cause because the log shows the issues are coming AFTER the hackers log in via the WP login page, indicating maybe our passwords weren't as secure as we thought.

    Thoughts? I have 20+ websites that I've installed using Duplicator, and this makes me extremely nervous. Today I'll be deleting the whole site and re-uploading it via FTP, but this isn't necessarily a feasible way to go for all of my 20 sites.

    Thanks for any help,
    - CW

    http://wordpress.org/extend/plugins/duplicator/

  2. esmi
    Forum Moderator
    Posted 2 years ago #

    because the files were created by the Apache server, and not uploaded via FTP (thus being created by the FTP account), that they "were writeable by the whole world and anyone who accesses the website."

    That's a server issue - not a plugin or WordPress one.

  3. cwendt01
    Member
    Posted 2 years ago #

    So if I understand correctly, it's the way the webhost is configured, not the way the plugin works?

    Or rather, Duplicator may work this way only on this webhost, but potentially not on my others?

    Thanks for your super fast response, Esmi!
    - CW

  4. esmi
    Forum Moderator
    Posted 2 years ago #

    I can't answer for this specific plugin as I am not its developer but the permissions for files created via the server (as opposed to a manual upload via FTP) are controlled by the server itself. Every server that I've used sets file permissions in this situation to 644 (which is pretty much standard) - not 666 (which would appear to be the permissions set on this particular server).

  5. Cory Lamle
    Member
    Plugin Author

    Posted 2 years ago #

    Hey Cwendt01,

    Just to double check: on the last step of the installer you are asked to delete all install files, under the important final steps section. Did you make sure the installer files were deleted and removed from your server? Leaving them on your server can leave your server open for issues...

    Also keep in mind with a security break it can be many things. Is all your software up-to-date such as PHP, Apache, MySQL, WordPress, this plugin and all other plugins and your OS or similar software stacks? Are all your ports secure?

    I get requests all the time for users to make the plugin work with older versions of PHP which I have to tell them that I can't as that version has security holes. I know several hosts that run older versions with known holes and have yet to update...

    Have you run through these items on your site?
    http://codex.wordpress.org/Hardening_WordPress

    Directly after you have duplicated a site have you tried running any of various plugins that will recursively run through your file system looking for the correct permissions and alerting you of any open holes?

    Simply having the security plugins installed may not be enough. I would validate all their settings. Also if the Apache user that PHP is running under automatically sets the files to world readable that would need to be updated on the Apache server.

    I use several different hosts and when I duplicate the site all the files are set up correctly as 644 and directories as 755; also the proper group/owner are assigned correctly...

    In short the plugin doesn't perform any actions internally that would open your site up to being hacked, however at the same time it doesn't perform any analysis to see if the current environment is secure. I'll add these items to the todo list to at least do some minor security checks as I think that would help the end user. However with that said it is still up to each application to double check its security stack...
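
A recursive permission check of the kind suggested above, as an added example (not part of the original thread and not Duplicator's code): it flags anything world-writable or broader than the 644/755 modes mentioned in this thread, and its constructed sample tree shows how a server process running with umask 000 instead of 022 ends up creating 666 files. The umask values, file names and function names are assumptions for illustration.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # expected file mode, as stated in the thread
DIR_MODE = 0o755   # expected directory mode, as stated in the thread

def audit_tree(root):
    """Walk root; return sorted (relative path, mode, owner uid, issue) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            if mode & stat.S_IWOTH:
                issue = "world-writable"
            elif mode & ~expected:
                issue = "broader than expected"
            else:
                continue
            findings.append((os.path.relpath(path, root), oct(mode), st.st_uid, issue))
    return sorted(findings)

def create_file(path, umask):
    """Create a file the way a server process does: request 0666, umask trims it."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old)

def demo():
    """Constructed sample tree (hypothetical names), audited after creation."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        create_file(os.path.join(root, "index.php"), 0o022)   # 0666 & ~022 = 644
        create_file(os.path.join(root, "upload.php"), 0o000)  # 0666 & ~000 = 666
        os.mkdir(os.path.join(root, "cache"))
        os.chmod(os.path.join(root, "cache"), 0o777)
        return [(p, m, issue) for p, m, _uid, issue in audit_tree(root)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The owner uid in each finding shows whether a flagged file was created by the web server account or by the FTP account.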

  6. cwendt01
    Member
    Posted 2 years ago #

    @Esmi -- All of the permissions were set correctly to 644, so I'm confused as to why my webhost is indicating it's "open to the whole world to write to" just because Apache is the user that created them. But I'm not a MySQL expert, so it's hard to argue!

    @LifeInTheGrid --
    Thank you SO much for replying with such a detailed answer! I feel a lot better about having used your plugin and continue to do so.

    The site was updated to WordPress 3.5.1, but there were a handful of out-of-date plugins (can't go one day without something needing updating...), so that's a possibility. All the permissions appear to have been set to the correct 755 (folders) and 644 (files) settings. I had a lot of stuff set up right, but it must not have been strong enough.

    The link to WordPress' codex about hardening WP looks like a fantastic resource. I'll make sure to incorporate all of those techniques into future updates. I just have that feeling in this case, it was a user account's medium-strength password that did me in. But we'll never know for sure, of course. :(

    I'll keep plugging at it. Thanks so much for both of your help!

    - C.

  7. esmi
    Forum Moderator
    Posted 2 years ago #

    All of the permissions were set correctly to 644, so I'm confused as to why my webhost is indicating it's "open to the whole world to write to"

    No idea. Sounds like someone just read out a "script answer" to me. And this has nothing to do with MySQL. It's pure Apache server stuff, so your gut instincts were all correct. There was no real issue.

  8. cwendt01
    Member
    Posted 2 years ago #

    There was no real issue.

    After I went through the entire re-install and got everything up, I also had a gut feeling telling me the same thing you just said... Jeez. Sometimes being a web programmer is the pits!!

  9. Cory Lamle
    Member
    Plugin Author

    Posted 2 years ago #

    Glad you got things going and back in order!

  10. cwendt01
    Member
    Posted 2 years ago #

    Thank you! :) Almost there... just one last bug to fix!

  11. Cory Lamle
    Member
    Plugin Author

    Posted 2 years ago #

    Marking ticket as resolved unless you have anything else to add...

  12. cwendt01
    Member
    Posted 2 years ago #

    This portion of my problem is resolved I believe, yes. Thank you!

  13. Cory Lamle
    Member
    Plugin Author

    Posted 2 years ago #

    Sounds good! Marking ticket as resolved...

Topic Closed

This topic has been closed to new replies.
