• dugbug

    (@dugbug)


    They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep

    The site was not loading correctly so I was able to find this in phpmyadmin.

    I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their WordPress sites are getting banged up, but their servers are clean.

    I use the bad behavior plugin with a honeypot key, and that makes me feel a little better. I also use the URL injection technique as discussed here:
    suggested by this site:
    http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/

    Anyone else having problems?

Viewing 15 replies - 61 through 75 (of 150 total)
  • running-is-funny

    (@running-is-funny)

    My blog was reinfected today (this time it was mainnetsoll.com/grep/), but I was able to restore it within minutes. I’ve changed all passwords and followed all the good advice, but I’m a writer and not a programmer or a security specialist, so forgive me if I appear dense.

    Having done some research I understand the concept of 750 vs. 755, but the directory info when I use my FTP program shows wp-config.php permissions as rw- rw- r--.

    I don’t want to screw around with something I know little about, so do I change the last “read,” the middle “write,” or is it OK?

    dpezzino

    (@dpezzino)

    @dugbug

    Thanks for the referral to sucuri.net, they totally rebuilt my site within hours. Unfortunately, it got hacked again! I sent them to this forum to see if they could gain some further knowledge on how to prevent this from happening again. I would have been lost without these guys.

    running-is-funny

    (@running-is-funny)

    Disregard my previous post, I found the chmod command and took care of it. I’ve now successfully implemented every bit of advice, so we’ll just see in the morning. Thanks, everyone! Would have been completely at sea without you.

    Clayton James

    (@claytonjames)

    @running Is Funny

    There could be some confusion as to file -vs- folder permissions. The wp-config.php is a file that should most likely receive a permission of 644, as should most other WordPress files. The reference to 750 permissions was in regard to your public_html folder (or directory), provided by your host to house your web accessible content.

    With little exception, WordPress directories: 755, WordPress files: 644. And there may be an occasional exception, but that’s a given.

    The 750 permissions being referred to by Network Solutions is NOT a WordPress directory. It is the directory given to you by your host, into which you place your WordPress files.

    “5. Please ensure all sites public_html (or your www) directory have 750 permissions, not the less secure 755;”

    I think if one were to look at that carefully, it may imply the permissions on the folder where you put your wordpress files, are potentially too permissive if they are 755 by default.

    Do not chmod wp-config.php to 750.

    public_html – 750
    folders – 755
    files – 644

    I would welcome feedback from others that might point out the error of my thinking.
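
Added example, not part of the thread or any poster's code: a shell function that checks a WordPress directory against the modes debated here (docroot 750, wp-config.php 640 or 644, nothing writable by group or others). The names `mode_of` and `audit_wp` and the path passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress docroot against the modes discussed
# in this thread. Function names and paths are hypothetical.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp DOCROOT: prints one finding per line; no output means
# nothing was flagged.
audit_wp() {
    root=$1

    # The docroot itself: the host's advice quoted above is 750, not 755.
    m=$(mode_of "$root")
    [ "$m" = 750 ] || echo "docroot $root is $m (host advice: 750)"

    # Neither 755 nor 644 grants write to group or others, so any file or
    # directory with the group-write or other-write bit set is off-scheme.
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) |
    while IFS= read -r p; do
        echo "group/world-writable: $p ($(mode_of "$p"))"
    done

    # wp-config.php: 644 lets every local account read it; 640 removes
    # that, but the web server must then run as the owner or as a member
    # of the file's group, otherwise the site cannot load its config.
    cfg=$root/wp-config.php
    if [ -f "$cfg" ]; then
        m=$(mode_of "$cfg")
        case $m in
            640|644) ;;
            *) echo "wp-config.php is $m (thread: 640 or 644)" ;;
        esac
    fi
}
```

Run it as `audit_wp /path/to/public_html`; a file shown by an FTP client as `rw-rw-r--` is mode 664 and is reported on both the writable check and the wp-config.php check.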

    Thread Starter dugbug

    (@dugbug)

    If your file is 644 and not 640 then he can read your account info, can he not?

    If your public folder is 750, then your website cannot be accessed by others.

    This is at least what happened to me when trying to set my web folder (the www folder) at 750. Further, 640 works fine for wp-config.php. Can you explain why you would want it to be readable by other?

    shashib

    (@shashib)

    Thanks @runningisfunny for posting the news about mainnetsoll.com/grep/. We are working with a lot of customers and others in the community to compare notes and are working to resolve this. Information posted here has been very helpful.
    @claytonjames I will get back to you with specifics.

    Thanks,

    Shashi

    running-is-funny

    (@running-is-funny)

    I asked sucuri specifically about wp-config.php and he wrote, “You have to change it to be rw-rw---- (meaning no permission to the others).”

    But the question may be moot. I unchecked all permissions for others, but it reverts to “read” when I check it again later.

    So it may be good advice to change public_html permissions to 750, but it leads me to the obvious question: How do I do that?

    dopealope

    (@dopealope)

    I am also a Network Solutions user, and my site was hacked. I went in the wp_options and changed the “siteurl” to point to the correct place. However, now my blog no longer has any formatting and I still cannot access the admin panel, as it attempts to redirect me every time I do. Any suggestions?

    Clayton James

    (@claytonjames)

    640 works fine for wp-config.php. Can you explain why you would want it to be readable by other?

    dugbug, that seems just a statement of semantics at this point, but to clarify, I think, on occasion it may be possible for 640 permissions to throw a 403 error because the web server can’t read the file. It happens. Might not happen to you. Who can tell. 🙂

    755 and 644 are the recommended folder and file permissions for WordPress. If less works for you, that’s great. I think your interpretation of the phrase “reading the files” is a bit broad in its attempt to conjure up the image of a masked hacker peering into your config files with a flashlight, but that’s okay too. 🙂

    Good luck y’all.

    Clayton James

    (@claytonjames)

    On a whim, I just chmod’d the wp-config.php file on one of my sites to 640. [edit] – not a network solutions site, just to be clear.

    It left me with nothing. Nada. Zip. Not even a 403. Just a blank, white page. chmod’d back to 644 and all is well again.

    I don’t know if that’s useful information or not, so I’ll leave you to draw your own conclusion.

    Clayton James

    (@claytonjames)

    @running Is Funny

    So it may be good advice to change public_html permissions to 750, but it leads me to the obvious question: How do I do that?

    It should be pretty easy by using the file manager provided by your host, or by using your ftp client. Here is some reference material on file permissions.

    Changing File Permissions

    shashib

    (@shashib)

    Hi Clayton,

    Our support folks recommend 640 and that seems to work for Network Solutions. Of course, if you see this post at WordPress http://codex.wordpress.org/Hardening_WordPress the recommendation is 644. We will update our post as well.

    Shashi

    644 is appropriate for anything that doesn’t require write access, i.e. you don’t need to write changes to that file.

    Theme files, plugin files, anything you want to modify from the editor, you’ll need write access (and the uploads folder too); nothing else should require write access.

    shashib

    (@shashib)

    running-is-funny

    (@running-is-funny)

    Just a thought: If insufficiently restrictive permissions codes were to blame, wouldn’t a lot more blogs be infected? The vast majority use the default values. Today was the first time I’ve even looked at a permissions code.

    We’ve made a lot of progress since dugbug’s original post two days ago, but I’m still not confident we’ve plugged the hole completely.

  • The topic ‘SQL attack on wpress 2.9.2’ is closed to new replies.