Support » How-To and Troubleshooting » Site hijacked, permissions wrong? Should be what?

Site hijacked, permissions wrong? Should be what?

  • I had 2 sites hijacked today, one accessed thru wp-includes/update.php and the other thru wp-includes/canonical.php

    The help desk at my server datacenter said the permissions were wrong on the folders and the files.

    What are the suggested correct permissions for wp folders and files? (Permissions are something I don’t totally understand except to know how to chmod them and I know if they aren’t right, a lot od stuff doesn’t work)

    Right now, it seems like most of my sites have folders at 755 and files at 644; is this correct or should they be something different?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Start here, though there are many plugins that will not work without setting the folder and all files to 777


    Everyone on here will tell you that 777 is suicide though…


    I use ftp to chmod folders and files, so that part I get. I had the wp-includes folder at 755 and the files within it set to 644 and with those settings the sites were still hacked. So I’m trying to figure out what level they should be set?




    youve already gotten the answer.

    directories ought be 755
    files @ 644

    as to what happened, if In fact, you know it was through these files, then what tells you, besides your host saying it, that it was a permission issue?

    Unless a file was a changed server-side I hardly think that would be the case.

    I’m seeing something similar. 3 times in the past week something changed in my wp_includes folder; and my site was just presenting a blank page.

    I resolved the issue by re-uploading the latest wp_includes folder.

    At first I thought it was a webhosting issue, but now that it has happened three times, and only to my WordPress application, I think it is much more malicious. I don’t know if it is a permissions thing.

    I’ve put some measures in place to see what changes if/when this happens again.

    755 => content viewable and downloadable to anyone

    755 => content viewable and downloadable to anyone

    755 on a directory allows world-readable access to THAT directory.

    File permissions inside a directory that is 755, specifically affect those files. So, if a file, for instance, is NOT world-readable, than the directory permissions of world-readable are moot when it comes to that file.

    Not to mention that 755 is NOT world-writable. There is no risk associated with directory permissions of 755.

    Assume that you have a directory that is chmod 777, and within that directory you have a file that is 600. While the directory is world-writable, the file is not. Consequently, while someone could write to that directory, ie, create a file within it, they could not write to that file that is chmod 600.

    if you REALLY want to look at cause and effect, then you have to examine much more than just file permissions.

    50% of the people that browse these forums havent a clue what PHP is or what its capable of .. some of those dont even know that their posts are stored in a database, hell they dont even know what a database is. They set up sites, they throw a theme on there, and a bunch of plugins, none of which they have actually cracked open and looked at, and even if they did, they wouldnt know what to look for, and then they leave those sites up for months on end.


    Thats a root shell script. It’s harmless in your browser, but can be the cause of much grief, if successfully included into an insecure PHP file that exists on your web server.

    It’s not just permissions, it never has been. The web is much more complicated than that.

    Here’s some more:


    lastly, to kill a dead horse, you have this:


    Here is someone that comes here, wondering why their feed doesnt work. Theyre told why and told that they need to upgrade.

    What do they do? The remove the offending code, (the symptom) but dont upgrade (presumed to be the problem).

    Far toooo many WordPress users have misplaced priorities, they worry about SEO, they worry about finding that perfect plugin, or counting their visitors, or putting up that paypal link, and they dont worry about security. They cant even be bothered to worry about it AFTER they have seen it’s effect.

    That’s the worst enemy of ANY responsible web master — an equally irresponsible one.

    (and the irony, the feed is now broke again, for seemingly another reason, so no doubt, this person will be back for another round)

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Site hijacked, permissions wrong? Should be what?’ is closed to new replies.
Skip to toolbar