[Resolved] Potential Security Issue?

  • I recently had a website hacked that had been launched only in the past month. I had the typical securities installed on it, including Better WP Security plugin, secure passwords, etc.

    My webhost was the one who contacted me about it, and he explained because the files were created by the Apache server, and not uploaded via FTP (thus being created by the FTP account), that they “were write-able by the whole world and anyone who accesses the website.” I’m not 100% certain this is the cause because the log shows the issues are coming AFTER the hackers log in via the WP login page, indicating maybe our passwords weren’t as secure as we thought.

    Thoughts? I have 20+ websites that I’ve installed using Duplicator, and this makes me extremely nervous. Today I’ll be deleting the whole site and re-uploading it via FTP, but this isn’t necessarily a feasible way to go for all of my 20 sites.

    Thanks for any help,
    – CW

    http://wordpress.org/extend/plugins/duplicator/

Viewing 12 replies - 1 through 12 (of 12 total)
  • esmi

    @esmi

    Forum Moderator

    because the files were created by the Apache server, and not uploaded via FTP (thus being created by the FTP account), that they “were writeable by the whole world and anyone who accesses the website.”

    That’s a server issue – not a plugin or WordPress one.

    So if I understand correctly, it’s the way the webhost is configured, not the way the plugin works?

    Or rather, Duplicator may work this way only on this webhost, but potentially not on my others?

    Thanks for your super fast response, Esmi!
    – CW

    esmi

    @esmi

    Forum Moderator

    I can’t answer for this specific plugin as I am not its developer but the permissions for files created via the server (as opposed to a manual upload via FTP) are controlled by the server itself. Every server that I’ve used sets file permissions in this situation to 644 (which is pretty much standard) – not 666 (which would appear to be the permissions set on this particular server).

    Plugin Author Cory Lamle

    @corylamleorg

    Hey Cwendt01,

    Just to double check, on the last step of the installer you are asked to delete all install files, under the important final steps section. Did you make sure the installer files were deleted and removed from your server? Leaving them on your server can leave your server open for issues…

    Also keep in mind with a security break it can be many things. Is all your software up-to-date such as PHP, Apache, MySQL, WordPress, this plugin and all other plugins and your OS or similar software stacks? Are all your ports secure?

    I get requests all the time for users to make the plugin work with older versions of PHP which I have to tell them that I can’t as that version has security holes, I know several hosts that run older versions with known holes and have yet to update…

    Have you run through these items on your site?
    http://codex.wordpress.org/Hardening_WordPress

    Directly after you have duplicated a site have you tried running any of various plugins that will recursively run through your file system looking for the correct permissions and alerting you of any open holes?

    Simply having the security plugins installed may not be enough. I would validate all their settings. Also if the Apache user that PHP is running under automatically sets the files to world readable that would need to be updated on the Apache server.

    I use several different hosts and when I duplicate the site all the files are set up correctly as 644 and directories as 755; also the proper group/owner are assigned correctly…

    In short the plugin doesn’t perform any actions internally that would open your site up to being hacked, however at the same time it doesn’t perform any analysis to see if the current environment is secure. I’ll add these items to the todo list to at least do some minor security checks as I think that would help the end user. However with that said it is still up to each application to double check its security stack…
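
    An added example, not part of the thread and not Duplicator's code: a shell audit of the checks discussed in the replies above, listing world-writable paths (666/777), anything off the 644-file/755-directory baseline, and paths a given account owns and can write. The function names, the sample tree and its file names are constructed for illustration; pass your own document root as the first argument.

```shell
#!/bin/sh
# Added example: permission audit for a WordPress document root.

# Paths any local account can write (other-write bit set, e.g. 666 or 777).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Files that are not exactly 644 and directories that are not exactly 755.
off_baseline() {
    find "$1" \( -type f ! -perm 0644 -o -type d ! -perm 0755 \) -print | sort
}

# Paths owned by account $2 (name or numeric uid) with owner-write set:
# code running as that account can modify them even at 644/755.
owner_writable_by() {
    find "$1" \( -type f -o -type d \) -user "$2" -perm -0200 -print | sort
}

# Constructed sample tree (assumption, for demonstration only): one file
# left at 666, as a server with a permissive umask would create it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    echo '<?php' > "$root/wp-config.php"
    echo '<?php' > "$root/wp-content/uploads/created-by-server.php"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/uploads"
    chmod 644 "$root/wp-config.php"
    chmod 666 "$root/wp-content/uploads/created-by-server.php"
    echo "$root"
}

# Usage: sh audit.sh /path/to/docroot [web-server-account]
if [ -n "${1:-}" ]; then
    echo "== world-writable ==";  world_writable "$1"
    echo "== not 644/755 ==";     off_baseline "$1"
    if [ -n "${2:-}" ]; then
        echo "== owned and writable by $2 =="; owner_writable_by "$1" "$2"
    fi
fi
```

    The third check matters when files were created by the web server rather than uploaded over FTP: a 644 file owned by the account PHP runs under is not world-writable, but it is still writable by any code running as that account.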

    @esmi — All of the permissions were set correctly to 644, so I’m confused as to why my webhost is indicating it’s “open to the whole world to write to” just because Apache is the user that created them. But I’m not a MySQL expert, so it’s hard to argue!

    @LifeInTheGrid —
    Thank you SO much for replying with such a detailed answer! I feel a lot better about having used your plugin and continue to do so.

    The site was updated to WordPress 3.5.1, but there were a handful of out-of-date plugins (can’t go one day without something needing updating…), so that’s a possibility. All the permissions appear to have been set to the correct 755 (folders) and 644 (files) settings. I had a lot of stuff set up right, but it must not have been strong enough.

    The link to WordPress’ codex about hardening WP looks like a fantastic resource. I’ll make sure to incorporate all of those techniques into future updates. I just have that feeling in this case, it was a user account’s medium-strength password that did me in. But we’ll never know for sure, of course. 🙁

    I’ll keep plugging at it. Thanks so much for both of your help!

    – C.

    esmi

    @esmi

    Forum Moderator

    All of the permissions were set correctly to 644, so I’m confused as to why my webhost is indicating it’s “open to the whole world to write to”

    No idea. Sounds like someone just read out a “script answer” to me. And this has nothing to do with MySQL. It’s pure Apache server stuff, so your gut instincts were all correct. There was no real issue.

    There was no real issue.

    After I went through the entire re-install and got everything up, I also had a gut feeling telling me the same thing you just said… Jeez. Sometimes being a web programmer is the pits!!

    Plugin Author Cory Lamle

    @corylamleorg

    Glad you got things going and back in order!

    Thank you! 🙂 Almost there… just one last bug to fix!

    Plugin Author Cory Lamle

    @corylamleorg

    Marking ticket as resolved unless you have anything else to add…

    This portion of my problem is resolved I believe, yes. Thank you!

    Plugin Author Cory Lamle

    @corylamleorg

    Sounds good! Marking ticket as resolved…

  • The topic ‘[Resolved] Potential Security Issue?’ is closed to new replies.