| Thread ID: 122699 | 2012-01-08 00:07:00 | Hijacked wordpress site | Chilling_Silence (9) | Press F1 |
| Post ID | Timestamp | Content | User |
| 1252846 | 2012-01-12 20:16:00 | Quote: "As regards permissions, WP on my server is 755, and that applies to the major folders such as admin, content and includes, but drops to 644 on index.php and 666 on config.php. So it appears it's more secure than the example of 777 that Steve was using. I just wonder if I should tighten it up a bit more by making its group root instead of www-data. Mind you, I wouldn't want to muck up anything I can do with Filezilla (sftp); I can always change it back I guess. Webmin is pretty cool :thumbs:" The problem there is that www-data (the user that Apache is running as) has read and write access to it all, so someone exploiting a "feature" of your WP can then alter ANY of the config files in your webroot. So YES, change the owner to root (or at least not www-data), and I would change the permissions on config.php to remove write access from 'group' and 'world'. You WILL need to have some areas writeable, but I don't know what they are for WP. Quote: "Another question, yet again (I hope I'm not too tedious here), Chill: have you done anything with Apache rewrite rules? I want to simplify the web address for the Wordpress site, and Steve reckons I can do it using the above, i.e. a simpler web address for the whole world (well, family members I chose anyway) and I know what the real address is." As per what Chill said, change your_vhost_label.conf to point '/' at the actual WP dir instead of /var/www/. Edit: And yes, Webmin is pretty cool, until you discover how shitty it is ... :) | fred_fish (15241) |
| 1252847 | 2012-01-12 21:28:00 | Permissions are not the issue though; the point is the web server daemon user has to have access to the files/folders in order to edit the configs etc. It's that software has allowed a malicious user to write to it and edit things that should be checked and validated but weren't. Changing permissions to remove group and world only means that a non-www user on the server can't access it, but some of the hackings occurred on my own private servers where I'm the only user account, with no passwords allowed via SSH, so it's *not* a permissions issue. | Chilling_Silence (9) |
| 1252848 | 2012-01-12 21:50:00 | Yeah, that's my point. You should be able to set it up, get the config sorted, then lock the files. All the dynamic content should be stored in the DB (with appropriate validation). If WP needs constant write access to everything, that would explain why it is such a big target. | fred_fish (15241) |
| 1252849 | 2012-01-12 21:55:00 | It doesn't need it to everything, but the ability to modify certain files is crucial, things like themes and whatnot. If I wanna add something to the HTML header for Flowplayer, I need to be able to do so. Same for Google Analytics, which likes to be in the footer. | Chilling_Silence (9) |
| 1252850 | 2012-01-12 22:09:00 | Yes, but the HTML is generated 'on the fly' by PHP, no? Therefore the headers, footers and anything else sent to the client browser could be pulled from the DB. In any case, write access should be restricted to specific dirs. I still fail to see why the web server process needs write access to the likes of the .htaccess files. | fred_fish (15241) |
| 1252851 | 2012-01-12 22:20:00 | No, it's not; there's a 'template'. It needs to be able to write the likes of .htaccess files so that you can rewrite the way that URLs are presented. If you don't like /blog/id=1425 but would prefer /blog/how-to-configure-esx-windows7/ then it can do that for you. | Chilling_Silence (9) |
| 1252852 | 2012-01-12 22:23:00 | Ah, OK - so 'broken by design' then ... :) | fred_fish (15241) |
| 1252853 | 2012-01-12 22:49:00 | ;) potato / potatoe :D | Chilling_Silence (9) |
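The scheme fred_fish lays out in post 1252846 (tree owned by root rather than www-data, config.php not writable by group or world, only specific areas left writable) and the .htaccess trade-off Chilling_Silence raises in post 1252851, as an added shell example that is not from the thread and not WordPress's own tooling. It assumes Apache runs as www-data, the admin account is root, and that wp-content/uploads is the only area the server must write to; the 640/664 modes, the path layout and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lock a WordPress tree down the way
# fred_fish suggests, then audit it. Assumptions: Apache runs as www-data,
# the admin account is root, and only wp-content/uploads must stay writable
# by the web server. Paths and modes here are illustrative, not WordPress's.

# harden_wp_perms ROOT [OWNER] [GROUP]
#   ROOT  - the WordPress directory (the one holding wp-config.php)
#   OWNER - account that should own the files (default root)
#   GROUP - group the web server runs as (default www-data)
harden_wp_perms() {
    wp_root=$1
    owner=${2:-root}
    group=${3:-www-data}

    # Ownership: the admin owns the tree, the web server only shares the group.
    # chown needs root and an existing group; skip quietly otherwise so the
    # chmod part still runs on a test tree.
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$wp_root"
    fi

    # Directories 755, files 644: group (www-data) and world can read, only
    # the owner can write. This includes .htaccess, so WP can no longer
    # rewrite it from the dashboard (the trade-off discussed in the thread).
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +

    # wp-config.php holds the DB credentials: owner rw, group read, world none.
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod 640 "$wp_root/wp-config.php"
    fi

    # The one area the server must write: media uploads. Group-writable only,
    # never world-writable.
    if [ -d "$wp_root/wp-content/uploads" ]; then
        find "$wp_root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$wp_root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
}

# audit_wp_perms ROOT
#   Prints every path outside wp-content/uploads that is group- or
#   world-writable (octal -020 / -002). Returns 1 if any were found, 0 if clean.
#   Run it after a deploy, and again after a plugin or theme update.
audit_wp_perms() {
    wp_root=$1
    bad=$(find "$wp_root" -path "$wp_root/wp-content/uploads" -prune -o \
               \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by group or world:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage (as root on the real box):
#   harden_wp_perms /var/www/wordpress
#   audit_wp_perms  /var/www/wordpress
```

Because .htaccess ends up 644 and owned by root, WordPress's permalink settings page can no longer write it; the rewrite rules then have to be maintained by hand, or moved into the root-owned vhost configuration, which is the price of the "lock the files" approach argued for above.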
| 1252854 | 2012-01-13 03:41:00 | Thanks for posting about this, Chill :). I have just come back from holiday, so I had better check out all the WordPress sites I have worked on to see if any of them have been hijacked! | stu161204 (123) |
| 1252855 | 2012-01-13 18:10:00 | Apparently the vulnerability was introduced in 3.3.0, and earlier versions aren't affected. | Chilling_Silence (9) |