[wp-hackers] Security in wordpress
Otto
otto at ottodestruct.com
Fri May 7 14:35:50 UTC 2010
I would say that making your files owned by the nobody user is not
particularly safe.
It'd be better to set your server up to use suphp or setuid on your
PHP setup, so as to make the PHP process run as the user who owns the
website files. Then as long as that user is separated from everything
else on the system, the process can't reach outside the websites own
directory.
-Otto
On Fri, May 7, 2010 at 9:27 AM, Ash Goodman <ash at thinkinginvain.com> wrote:
> Hi everyone,
>
> I recently had a 2 different server get hacked. One by way of a clients
> letting someone else get hold of their FTP credentials and following that
> via folder permissions.
>
> I would like to set my server up so that the FTP credentials are not
> required for wordpress and plugin updates as shown here:
> http://robspencer.net/auto-update-wordpress-without-ftp/
>
> This also seems to eliminate the problem of needing to 777 the uploads
> folder in order to upload images.
>
> Is this safe to do or is it only going to cause other security problems
> and/or cause problems with wordpress?
More information about the wp-hackers
mailing list