[wp-hackers] Security in wordpress
Mark E
mark at simplercomputing.net
Fri May 7 23:10:44 UTC 2010
Ash Goodman wrote:
> I would like to set my server up so that the FTP credentials are not
> required for wordpress and plugin updates as shown here:
> http://robspencer.net/auto-update-wordpress-without-ftp/
>
> This also seems to eliminate the problem of needing to 777 the uploads
> folder in order to upload images.
>
> Is this safe to do or is it only going to cause other security problems
> and/or cause problems with wordpress?
Could cause security problems. Setting write permission like that
(777 means any user can write to it) leaves the door wide open,
particularly on shared hosts. I cannot even count how many hacked WP
sites I've fixed that were hacked only because someone broke into some
other site on the server, then ran a script that went bonkers looking at
every dir in the tree for anything it could write to, and then installed
backdoors, malware, unwanted downloadable files, and so on.
Ideally, handle WP updates *manually* via SFTP or FTPS or SCP and don't
give the login out to anybody that cannot be absolutely trusted. And
anytime you have a change in personnel (contract or hired) change the
passwords immediately, if not before someone leaves (assuming you know
they're gonna be let go).
Mark
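The "777 on a shared host" risk Mark describes is easy to audit for: any file or directory with the world-write bit set is writable by every other account on the box. The script below is an added example for this archive page, not code from the thread or from WordPress; it builds a small constructed directory tree that mimics a WP install with the `uploads` directory at 777 (and one 666 file) and shows how to list, count, and strip the world-write bit from such entries. Function names (`find_world_writable`, `count_world_writable`, `fix_world_writable`, `make_sample_tree`) are the example's own.

```shell
#!/bin/sh
# Audit a WordPress document root for world-writable files and directories
# (the 777 / 666 pattern discussed in the thread). Example code added to
# this page; not from the mailing list post or from WordPress itself.

# Print every path under $1 whose mode has the world-write bit (o+w) set.
# -perm -0002 is POSIX find syntax, so this works with GNU and BSD find.
find_world_writable() {
    find "$1" -perm -0002 2>/dev/null | sort
}

# Count the offending entries; a cron job or CI check can fail on non-zero.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: remove the world-write bit only, leaving owner/group bits alone
# so the web server account (owner) can still write where it needs to.
fix_world_writable() {
    find "$1" -perm -0002 -exec chmod o-w {} +
}

# Build a constructed sample tree: a minimal WP layout with one bad
# directory (wp-content/uploads at 777) and one bad file (666). Everything
# else is 755 for directories and 644 for files. Prints the root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/stray.php"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/plugins"
    chmod 644 "$root/wp-config.php"
    chmod 777 "$root/wp-content/uploads"            # the pattern the post warns about
    chmod 666 "$root/wp-content/uploads/stray.php"  # world-writable file inside it
    printf '%s\n' "$root"
}

# Stand-alone demo: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "world-writable entries before fix:"
    find_world_writable "$root"
    fix_world_writable "$root"
    echo "world-writable entries after fix: $(count_world_writable "$root")"
    rm -rf "$root"
fi
```

Run against a real install as `find_world_writable /var/www/html` (path is an assumption) and expect an empty result; the usual safe layout is 755 for directories and 644 for files, owned by the account the web server (or the updater) runs as, which is what lets WP update itself without FTP credentials and without opening the tree to other tenants on the host.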