I’ve been using this plugin for a long time to try to help harden WordPress installs against hackers.
I recently noticed that the file permissions on the wp-config.php files kept being changed to 666 and thought that my sites had been hacked.
By pure luck and chance, while looking at a site error log, I found that this file wp-content/plugins/salt-shaker/_inc/core.class.php has this code towards the bottom:
//set the recommended permissions to wp-config.php read:
This changes the permissions on your wp-config.php file to 666, meaning that the whole world can read and write to your wp-config file!!!!! WTF!
Anyone would have total access to server paths, database details as well as password, etc.
Additionally, I have noted that while it is changing the SALTS it still allows me to remain logged into the site instead of logging ALL users out as it should.
I DO NOT RECOMMEND INSTALLING THIS PLUGIN.
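
A check for the condition reported in the post above, as an added example that is not part of the original post or of the plugin's code: it walks a directory tree and reports every wp-config.php whose mode grants access to "other" or write access to the group. The names `audit`, `fix` and `SAFE_MODE`, and the 640 target mode, are assumptions made for this example.

```python
import os
import stat
import sys

# Bits that should not be set on wp-config.php: any access for "other",
# plus group write. Mode 666 (the value reported in the post) trips three of them.
RISKY_BITS = {
    stat.S_IWOTH: "world-writable",
    stat.S_IROTH: "world-readable",
    stat.S_IXOTH: "world-executable",
    stat.S_IWGRP: "group-writable",
}
SAFE_MODE = 0o640  # assumption: owner rw, group r; use 0o600 or 0o400 if your host allows


def audit(root):
    """Return [(path, mode, [problems])] for every risky wp-config.php under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks and other non-regular files instead of following them
        mode = stat.S_IMODE(st.st_mode)
        problems = [label for bit, label in RISKY_BITS.items() if mode & bit]
        if problems:
            findings.append((path, mode, problems))
    return sorted(findings)


def fix(path, mode=SAFE_MODE):
    """Reset one file to the chosen mode and return the mode now on disk."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit(root)
    for path, mode, problems in results:
        print(f"{path}: {mode:03o} ({', '.join(problems)})")
    sys.exit(1 if results else 0)  # non-zero exit lets cron or monitoring alert
```

Run on a schedule, the non-zero exit status shows when something on the host has reset the mode after it was corrected.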