Problems with hosting and 777 permissions

[diegonella]

Hi all

The hosting provider says I have folders with 777 permissions is a security hole and for that reason have installed hosted malicious files in the folder public_html/site/assets which were denounced by phishing hotmail.

This is so?

[ryan]

I don't understand what you mean about "denounced by phishing hotmail", so might need more explanation there, but understand the rest. Whether it's a security hole depends on your hosting environment. If you are in a shared hosting environment and accounts are not fully jailed or virtualized from one another, then a directory set to 777 will be writable by other users that also have accounts on the same server. But in this environment, just changing to a different permission doesn't totally solve the problem either, because the other users can still write to your directory so long as Apache is running as a shared user. Still, the user would have to be on the same server and have an account just like yours, so the culprit will be easy to spot for your web host. Given that they haven't identified a "who", I think it's more likely that you have another software installed on your account (WordPress compromised?) and that any writable directories are being taken advantage of from your own account. Either that, or someone guessed the password for your PW admin account. So check into these possibilities. Either way, inquire with your host what permissions they recommend to make files writable to your CMS. Then update the relevant settings in your /site/config.php. You'll also want to adjust the permissions for files already on the system. I'll be happy to tell you what to do, but we need to know what permissions your host says to use, as what applies to one system may not to another. Best case scenario is that Apache is running as your own user account and that we can remove all write permissions except to you. But even that won't solve a hacked WordPress or compromised password.