WordPress hacked? Stop using CHMOD 777 !
Attention folks getting hacked. I feel horrible every time I read this (a few times a year now!) Let me give you my 2 cents.
If WordPress or a plugin tells you to chmod 777 entire directories inside your web root so it can edit one file for you instead of you doing it by hand, that is very likely why and how you are getting hacked, if you can't find another reason. A world-writable directory works hand in hand with other exploits: any bug that lets an attacker write a file somewhere now has a place to put it, and anything placed under the web root gets served (and, if it ends in .php, executed).
When I read that mysterious extra files are appearing in folders, there are really only two ways this is happening:
1. You left web-accessible directories at chmod 777
2. You stored your FTP password somewhere it could be stolen (and FTP sends it over the wire in plain text anyway)
SO STOP DOING IT!
Any directory that absolutely must be chmod 777 (e.g. for attachment uploads) should live outside the web root. It is unbelievably dangerous to have a web-facing directory that is chmod 777.
If you chmod 777 your entire plugins directory, you’re a moron (or at least following very bad advice).
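As an added example (this is not code from the original post), here is a small POSIX shell audit that lists everything under a web root that "other" can write to, resets the tree to the usual 755/644 baseline, and tightens the config files that hold the database password. The web root path is whatever you pass as the argument; the temporary directory used in testing is constructed, not a real site.

```shell
#!/bin/sh
# Added example, not the original post's code.  Audits a WordPress/bbPress
# tree for world-writable entries and resets it to the 755/644 baseline.
# The web root argument is hypothetical; run it against your own path.

# Print every directory or regular file under $1 that "other" can write to.
find_world_writable() {
    find "$1" -perm -o+w \( -type d -o -type f \) -print
}

# Same thing as a number, so a cron job or a test can assert on zero.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the baseline: directories 755, files 644.  Do NOT do this to an
# uploads directory that a *different* user (the web server) must write to;
# give that directory to that user with chown instead of opening it to all.
fix_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Config files carry the MySQL password in plain text, so strip "other"
# read access.  Tighten further (440/400) if PHP runs as the file owner.
lock_config_files() {
    find "$1" -type f \( -name 'wp-config.php' -o -name 'bb-config.php' \) \
        -exec chmod 640 {} +
}

# Usage: sh audit-perms.sh /path/to/webroot   (path is hypothetical).
# Reports only; call fix_wp_permissions/lock_config_files deliberately.
if [ "$#" -gt 0 ]; then
    echo "World-writable entries under $1:"
    find_world_writable "$1"
    echo "Total: $(count_world_writable "$1")"
fi
```

The audit deliberately reports rather than fixes: if mod_php is creating uploads as the Apache user while the tree is owned by your account, a blanket chmod will break uploads, and the right fix is ownership (or a setup like suPHP where PHP runs as you), not 777.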
Another big problem both WordPress and even its little sister bbPress have is that the `config.php` files (`wp-config.php`, `bb-config.php`) are served as plain text if PHP handling is bypassed somehow (a misconfigured or temporarily disabled PHP handler, for example). Nothing in the default `.htaccess` blocks them, and your MySQL password sits in there in plain text, which is very handy to evil hackers.
Either one of these, added to `.htaccess`, should stop that:
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} config\.php$ [NC]
RewriteRule .* - [F]
or
<FilesMatch "config\.php">
Order allow,deny
Deny from all
</FilesMatch>
(On Apache 2.4 the two `Order`/`Deny` lines become `Require all denied`.) You can test before and after by requesting the config file in a browser or with curl. Before, PHP handles the request and you get a PHP-generated page; after, the server itself answers 403 Forbidden. Meanwhile WordPress/bbPress continue to work fine, because they include the file from disk, not over HTTP.
Unfortunately no `.htaccess` rule helps once an attacker is able to place a PHP file into a chmod 777 directory on your server: that script runs as the web server, reads your `config.php` from disk (the deny rule only covers HTTP requests), takes the MySQL password, and connects to the database directly to write whatever it wants into your tables. Hence 777 being so important NOT to use.
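As an added example (not part of the original post), here is a shell helper that installs the deny rule above into a web root's `.htaccess` in a form that works on both Apache 2.2 and 2.4, does so idempotently so re-running it never duplicates the block, and probes the result the way the "before and after" test describes. The marker comments, the web root path and the site URL are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the original post's code.  Installs a deny rule for
# wp-config.php / bb-config.php into .htaccess and probes it over HTTP.
# Marker text, web root path and URL are hypothetical.

MARKER='# BEGIN deny-config-php'

# Emit a rule for both Apache 2.2 (Order/Deny) and 2.4 (Require).  The
# unanchored regex also catches backup copies such as wp-config.php.bak,
# which Apache would otherwise happily serve as plain text.
deny_config_rule() {
    cat <<'EOF'
# BEGIN deny-config-php
<FilesMatch "config\.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# END deny-config-php
EOF
}

# Append the rule to $1/.htaccess unless the marker is already present.
install_deny_rule() {
    f="$1/.htaccess"
    if [ -f "$f" ] && grep -qF "$MARKER" "$f"; then
        return 0
    fi
    deny_config_rule >> "$f"
}

# Number of times the rule occurs in $1/.htaccess (expect exactly 1).
count_deny_rules() {
    if [ -f "$1/.htaccess" ]; then
        grep -cF "$MARKER" "$1/.htaccess" || true
    else
        echo 0
    fi
}

# Probe: print the HTTP status the server returns for the config file.
# 200 means PHP served it (or worse, the raw file); 403 means the rule works.
probe_config() {
    curl -s -o /dev/null -w '%{http_code}' "$1/wp-config.php"
}

# Usage: sh deny-config.sh /path/to/webroot http://example.invalid
if [ "$#" -ge 2 ]; then
    install_deny_rule "$1"
    echo "status for $2/wp-config.php: $(probe_config "$2")"
fi
```

Remember that this only closes the HTTP path; a PHP script already running on the server reads the file straight from disk and never goes through `.htaccess`.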
ps. also a good idea is my mini-plugin to block long GET requests:
http://ckon.wordpress.com/2008/11/11/simple-wordpress-and-bbpress-security-plugin-to-block-long-requests/
Though with the newest WordPress/bbPress you may have to double the allowed query length to 512 bytes instead of 256.
Thanks for the article. This is something that has bugged me for some time. It seems like standard practice on WordPress installs is to use chmod 777 directories for file uploads. I can see how getting a malicious php script into one of these folders would be disastrous, but what is the alternative on a site where logged in users need to upload files?
Does putting the uploads folder outside the web root always help? In the case of image uploads WordPress will presumably remap the folders making them web accessible in order to display the images, right? Or am I missing something?
June 15, 2010 at 8:57 am
Upload directories may have to be chmod 777, but they don't have to be under the web root, which is the lazy way out most code takes.
For example, in my bb-attachment plugin for bbPress I encourage people to make the directory outside the web root, and then the files are served as a passthrough via PHP.
June 15, 2010 at 9:04 am
No one should be using a hosting service that doesn’t provide suPHP or an equivalent anyway. New files should be created as your user, not as the apache user.
June 15, 2010 at 3:29 pm
Does the hosting server returning a 404 page count as adequately protected?
September 14, 2010 at 10:16 pm
thanks
February 12, 2012 at 11:50 pm