
Thread: Webhosting Companies And Security Related Attacks

  1. #141
    Jeffro, WPTavern Forum Admin (Ohio; joined Jan 2009; 2,358 posts)

    I was reading the following post and he mentions anyone could be blamed in this instance

    http://blog.sucuri.net/2010/04/detai...wordpress.html

    So, at the end anyone can be blamed. At Wordpress for requiring that the database credentials be stored in clear-text. At Wordpress again for not installing itself securely by default. At the users for not securing their blogs. At Network Solutions for allowing this to happen.
    Gee, it's everyone's fault lol.

  2. #142
    Ryan, WordPress Legend (New Zealand; joined Jan 2009; 2,797 posts)

    Does anyone know of any other PHP based CMSes which don't do it this way?

  3. #143
    C3MDigital, Hello World (Houston, TX; joined Mar 2010; 45 posts)

    WP Security Scan Plugin not checking permissions on wp-config.php

    After reading all this I ran a test using the WP Security Scan Plugin to see if it would protect you from having the wrong file permissions. I changed the chmod on wp-config.php to 755, then ran the scanner, and it didn't alert me to change it or even notice it.

    I also discovered another huge potential problem that is not a WordPress issue. If Chip or one of the other experts on here could pm me, I will give you the details.

  4. #144
    andrea_r, WordPress Rockstar (Eastern Canada; joined Jan 2009; 1,325 posts)

    MovableType uses CGI, but stores it as a text .cgi file.
    http://www.movabletype.org/documenta...mt-config.html

    Haven't installed it lately, but from what I remember if you're in the server you can read this file. MT is written in Perl and can use other non-MySQL DBs, like Berkeley for example.

    And Expression Engine, another rather common MySQL/PHP based CMS:

    4. Set File Permissions
    EngineHosting clients: Due to the secure Apache process used on EngineHosting's servers, you do not need to change the default permissions and can skip this step.
    Windows Servers: The files and directories that need to be set to 666 or 777 on Unix servers need to be set as writeable on Windows servers. You may need to contact your Host or server admin for this.
    If you are using a Unix server (or Unix variant, like Linux, OS X, FreeBSD, etc.) you must set the following files to 666:

    • path.php
    • system/config.php
    • system/config_bak.php

    You must set the following directories to 777:

    Again, if someone can get into the box itself and access other user accounts, the point of how secure or unsecure the software is has been rendered moot.

  5. #145
    andrea_r, WordPress Rockstar (Eastern Canada; joined Jan 2009; 1,325 posts)

    Quote Originally Posted by C3MDigital View Post
    After reading all this I ran a test using the WP Security Scan Plugin to see if it would protect you from having the wrong file permissions. I changed the chmod on wp-config.php to 755, then ran the scanner, and it didn't alert me to change it or even notice it.

    I also discovered another huge potential problem that is not a WordPress issue. If Chip or one of the other experts on here could pm me, I will give you the details.

    If you found issues with the plugin, then it'd be best to contact the plugin devs ASAP.

    Feel free to pm me on the other issue.

  6. #146
    wpmuguru, Here For The Peanuts (joined Sep 2009; 133 posts)

    If you want to find out whether suExec is running on your hosting account, create a .php file in your web account with the following in it:

    PHP Code:
    <?php phpinfo();
    Load that page in your browser. Scroll down about 1/4 of the length of the page to a section called apache2handler; the bottom row of that table lists the loaded modules. If mod_suexec is not listed, you are not running under suExec.

    If it is listed that does not guarantee that it's running on your account, but in a shared environment, I would guess the probability is pretty high that it's being used. To further test you can set the permissions to 640 on wp-admin/index.php. If you can still load the dashboard of your site, then you probably will be ok to proceed with changing the permissions on your wp-config.php. Do test after you change them though ;-)

  7. #147
    PaulCunningham, Hello World (Brisbane, Australia; joined Jan 2009; 70 posts)

    Quote Originally Posted by Jeffro View Post
    I was reading the following post and he mentions anyone could be blamed in this instance

    http://blog.sucuri.net/2010/04/detai...wordpress.html

    Gee, it's everyone's fault lol.

    That techsomething site that some of us went to the other day that was infected, the popup I got was from the mainnetsol.com domain mentioned in that blog post above.

    So yeah, seems the blog post about the hack was on a blog that had also been hacked.

    I went and checked my wp-config.php files this morning for the permissions. I really need to go back through and do a full audit of my blogs for security in general. And re-test my backups... hmmmm.

  8. #148
    Otto, On The Rocks (Memphis, TN; joined Apr 2009; 862 posts)

    Quote Originally Posted by wpmuguru View Post
    If you want to find out whether suExec is running on your hosting account, create a .php file in your web account with the following in it:

    PHP Code:
    <?php phpinfo();
    Load that page in your browser. Scroll down about 1/4 of the length of the page to a section called apache2handler; the bottom row of that table lists the loaded modules. If mod_suexec is not listed, you are not running under suExec.

    If it is listed that does not guarantee that it's running on your account, but in a shared environment, I would guess the probability is pretty high that it's being used. To further test you can set the permissions to 640 on wp-admin/index.php. If you can still load the dashboard of your site, then you probably will be ok to proceed with changing the permissions on your wp-config.php. Do test after you change them though ;-)

    If it's not listed, that's no guarantee either. A shared server I know runs PHP under FastCGI with suexec. Works fine, but you can't tell it from a phpinfo scan.
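    Added example, not code from this thread or from WordPress: instead of hunting for mod_suexec in phpinfo() output (which, as noted above, says nothing under FastCGI), this probe checks the property that actually decides how tight wp-config.php can be locked down, namely whether the PHP process runs as the owner of the file or as a shared web-server account. It assumes it is saved next to wp-config.php, loaded once in a browser, and then deleted.

```php
<?php
// Added example (not from the thread). Place beside wp-config.php, load once,
// then delete. Reports whether PHP executes as the owner of wp-config.php
// (suExec, suPHP or per-user FastCGI) or as a shared account (mod_php), and
// whether the file's current mode is appropriate for that setup.

header('Content-Type: text/plain');

$config = __DIR__ . '/wp-config.php';   // assumption: script sits beside it
if (!is_file($config)) {
    exit("wp-config.php not found next to this script\n");
}

// Owner of wp-config.php.
$ownerUid = fileowner($config);

// Effective uid of the PHP process. posix_geteuid() is the direct answer;
// without the posix extension, a file this process creates is owned by its euid.
if (function_exists('posix_geteuid')) {
    $procUid = posix_geteuid();
} else {
    $tmp = tempnam(sys_get_temp_dir(), 'uidprobe');
    $procUid = fileowner($tmp);
    unlink($tmp);
}

$mode = fileperms($config) & 0777;
printf("wp-config.php owner uid: %d, mode: %04o\n", $ownerUid, $mode);
printf("PHP process euid:        %d\n", $procUid);

if ($procUid === $ownerUid) {
    echo "PHP runs as the file owner (suExec-style execution).\n";
    if ($mode & 0044) {   // group-read or other-read bit set
        echo "wp-config.php is readable by group/other; 0600 would suffice here.\n";
    } else {
        echo "wp-config.php is already private to its owner.\n";
    }
} else {
    echo "PHP runs as a different account than the file owner (mod_php-style).\n";
    echo "Do not chmod wp-config.php to 0600 here: the web server could no longer read it,\n";
    echo "and other sites running under the same server account can read it regardless.\n";
}
```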

  9. #149
    Cais, Big Tipper (Mississauga, ON, CANADA; joined Feb 2009; 349 posts)

    ... from page 9 ...

    Quote Originally Posted by Ryan View Post
    Are you meaning that the link you clicked above gave that warning?

    My computer crashed and I got a virus last night. The last thing I had done was to visit that website.

    I tried to log back in here and couldn't as my computer was so messed up that it wouldn't log back into the Tavern. I'm now at work on a different computer, hence able to reply.

    I'll remove the link.

    Yes, my anti-virus software, Kaspersky, immediately popped a warning when I clicked that link. Sorry you got caught by it; I didn't think much of it at the time when I saw the next two posts did not acknowledge mine, although I see why.

    Hope you got your computer sorted out.

    ... back to the thread at hand ...

  10. #150
    Martin, Here For The Peanuts (Sydney, Australia; joined Jun 2009; 120 posts)

    WordPress is not the issue.

    We wanted to respond to the debate and conversations about the recent incident affecting Network Solutions’ WordPress customers. Recently, our customers have complained about malicious code on certain of their blogs hosted by Network Solutions. This was not an issue with WordPress. Sorry to the WordPress community and customers for any misunderstanding. This issue resulted from a complex combination of factors and we own it. We have taken steps to address this issue and we continue to work to protect our customers. Also we wanted to let you know that no personal or sensitive financial information was taken as a result of this issue.
    We are learning from this experience. By the way, we like WordPress and continue to use it for a lot of Network Solutions properties such as this blog. Network Solutions customers that need any assistance feel free to email us at listen @ networksolutions.com
    http://blog.networksolutions.com/201...not-the-issue/
