[wp-hackers] Security in wordpress

Mark E mark at simplercomputing.net
Fri May 7 23:10:44 UTC 2010



Ash Goodman wrote:

> I would like to set my server up so that the FTP credentials are not
> required for wordpress and plugin updates as shown here:
> http://robspencer.net/auto-update-wordpress-without-ftp/
> 
> This also seems to eliminate the problem of needing to 777 the uploads
> folder in order to upload images.
> 
> Is this safe to do or is it only going to cause other security problems
> and/or cause problems with wordpress?

Could cause security problems. Setting write permission like that 
(777 means any user can write to it) leaves the door wide open, 
particularly on shared hosts. I cannot even count how many hacked WP 
sites I've fixed that were hacked only because someone broke into some 
other site on the server, then ran a script that went bonkers looking at 
every dir in the tree for anything it could write to, and then installed 
backdoors, malware, unwanted downloadable files, and so on.

Ideally, handle WP updates *manually* via SFTP or FTPS or SCP and don't 
give the login out to anybody that cannot be absolutely trusted. And 
anytime you have a change in personnel (contract or hired) change the 
passwords immediately, if not before someone leaves (assuming you know 
they're gonna be let go).

Mark
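An added example (not part of the thread above) that checks what the 777 advice actually leaves behind: a small POSIX shell audit that lists world-writable paths under a WordPress tree, counts them, and resets the tree to the conventional 755/644 modes. The sample tree is constructed with mktemp; `find_world_writable`, `count_world_writable`, `harden_tree` and `make_sample_tree` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the mailing list. Audits a WordPress tree
# for the world-writable entries that "chmod 777" creates, which is what
# a script running as another user on a shared host goes looking for.

# Print every world-writable path under $1 (other-write bit set), skipping symlinks.
find_world_writable() {
    find "$1" -perm -o+w ! -type l -print 2>/dev/null
}

# Return the number of world-writable entries under $1.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the conventional safe modes: directories 755, files 644.
# An area the web server must write to (e.g. wp-content/uploads) should be
# group-owned by the web server user and made 775/664, never 777.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree so the check runs offline; modes set explicitly
# so the result does not depend on the caller's umask.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins"
    : > "$dir/wp-config.php"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/plugins"
    chmod 777 "$dir/wp-content/uploads"   # the "quick fix" from the question
    chmod 666 "$dir/wp-config.php"        # a world-writable config file
    printf '%s\n' "$dir"
}
```

Run `count_world_writable /path/to/wordpress` on a real install to see how many entries an attacker on the same host could write to; the sample tree reports 2 before `harden_tree` and 0 after.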
