UNSAFE file permissions set by plugin - [Salt Shaker] Review | WordPress.org

wiredafrican
(@wiredafrican)

5 years, 1 month ago
I’ve been using this plugin for a long time to try help harden WordPress installs against hackers.

I recently noticed that the file permissions on the wp-config.php files kept being changed to 666 and thought that my sites had been hacked.

By pure luck and chance, while looking at a site error log, I found that this file wp-content/plugins/salt-shaker/_inc/core.class.php has this code towards the bottom

//set the recommended permissions to wp-config.php read:

chmod($config_file, 0666);

This changes the permissions on your wp-config.php file to 666 meaning that the whole world can read and write to your wp-config file!!!!! WTF!
Anyone would have total access to server paths, database details as well as password, etc.

Additionally I have noted that while it is changing the SALTS it still allows me to remain logged into the site instead of logging ALL users out as it should be.

UNINSTALLED IMMEDIATELY.

I DO NOT RECOMMEND INSTALLING THIS PLUGIN.
- This topic was modified 5 years, 1 month ago by wiredafrican.

Viewing 1 replies (of 1 total)

Plugin Author Nagdy
(@nagdy)

5 years, 1 month ago

@wiredafrican thanks for the review.

This has been discussed here https://wordpress.org/support/topic/chmod-666-of-wp-config-php/ and as you can see WordPress itself set the same permission when it creates the config file. Please review WordPress files.

I’m also considering adding a filter so that people can set their preferred writable permissions.

I just wanted to clear things out, good luck with your website 😉

Viewing 1 replies (of 1 total)

The topic ‘UNSAFE file permissions set by plugin’ is closed to new replies.

In: Reviews
1 reply
2 participants
Last reply from: Nagdy
Last activity: 5 years, 1 month ago