go hard with wp


pwired

IMHO making things like .htaccess writable for Apache is not such a good idea, but perhaps that's just me being paranoid.

Not paranoid at all. This is paranoid - I have actually gone as far as renaming my .htaccess file to something else so if some script did manage to get access to the server, it would be trying to edit a file that doesn't exist :)

BTW - Not suggesting people need to do this - it is a bit of a pain to maintain. I started doing it a long time ago after a server got hacked and I went a little overboard :)


About point 10 in my list: post what would be better than 777 and I will upgrade my list.

I have actually gone as far as renaming my .htaccess file to something else so if some script did manage to get access to the server, it would be trying to edit a file that doesn't exist

Very good, I like it.

There is also that you can move important files and directories one level above your site root on the server, so the bad guys will have a much harder time to access it. Edited and added this to the list in point 14.


There is also that you can move important files and directories one level above your site root on the server, so the bad guys will have a much harder time to access it. Edited and added this to the list in point 14.

This is one thing that Zend Framework nailed perfectly; in a typical setup your entire application lives one level beyond what's directly accessible from the web. I liked it, and it's also something that the security chapter of Programming PHP and the OWASP PHP Security Cheat Sheet suggest.


CHMOD 777 (on shared hosting at least) could be very bad, pwired. If the server is configured badly, like a lot of cheap ones out there probably are, 777 gives everyone on the server the ability to affect your files.

There are plenty of posts about this on the internet if you do a quick search - here's one: http://stackoverflow.com/questions/11271596/how-will-a-server-become-vulnerable-with-chmod-777

If you're not on shared hosting then you're safer, but 777 is about the most open permission you can apply to a file or folder.

You would need to read up on CHMOD really (I think I need to as well as it's been a while) as what permission you can realistically tighten it up to depends on how PHP is installed (mod_php etc) and I honestly don't know enough about the subject.

Your recommendation of 777 just rang alarm bells with me because that's basically "anyone can read, write or execute this file" whereas something like 755 means "owner" can read, write and execute, but "group" and "others" (others being everyone else I believe) can only read and execute the file.

Other folks here might be able to tell us if it's even an issue nowadays, but I just remember a lot of scripts a few years back that told you to set certain permissions on certain folders.

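The 777-versus-755 distinction discussed in the thread above, as an added example that is not part of any poster's message: a small audit that decodes the permission bits per class and lists everything under a site directory that "others" can write to. The function names and the sample site layout are hypothetical and constructed for illustration.

```python
import os
import stat
import tempfile

CLASSES = ("owner", "group", "others")

def explain_mode(mode):
    """Decode the low 9 permission bits into an 'rwx' string per class."""
    bits = stat.S_IMODE(mode) & 0o777
    out = {}
    for i, who in enumerate(CLASSES):
        triad = (bits >> (6 - 3 * i)) & 0o7
        out[who] = "".join(ch if triad & flag else "-"
                           for ch, flag in (("r", 4), ("w", 2), ("x", 1)))
    return out

def audit_tree(root):
    """Return sorted (relative path, octal mode) for entries 'others' can write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample site: one 777 directory and a 666 .htaccess."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {"index.php": 0o644, ".htaccess": 0o666,
              "uploads": 0o777, "includes": 0o755}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        if name in ("uploads", "includes"):
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return root

if __name__ == "__main__":
    print("777:", explain_mode(0o777))
    print("755:", explain_mode(0o755))
    for rel, mode in audit_tree(build_sample_tree()):
        print(f"world-writable: {rel} ({mode})")
```

Pointing `audit_tree` at a real site root gives the list of files and folders to tighten first; which mode they can be tightened to still depends on how PHP runs on the host, as the post says.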
