Secure File Permissions Matter
Summary: A web host had a crappy server configuration that allowed people on the same box to read each other’s configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.
WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?
A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec et al.) have been around for 5+ years.
I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.
If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.
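A host or site owner can check for the cross-account exposure described above. The following audit is an added example, not code from WordPress or any hosting provider; the one-directory-per-account layout under `root` and the function names are assumptions made for illustration.

```python
import os
import stat
import sys

# Assumption: one directory per hosting account under `root`, e.g.
# <root>/<account>/public_html/wp-config.php. Only POSIX mode bits are
# checked; ACLs and the identity PHP runs as are out of scope.
CONFIG_NAMES = ("wp-config.php",)


def other_bits(path):
    """Return the permission bits that apply to unrelated local accounts."""
    return stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO


def exposed_to_other_accounts(path, root):
    """True if an account that is neither owner nor in the group can read
    `path`: the file is o+r and every directory from its parent up to and
    including `root` is o+x (traversable)."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    if not other_bits(path) & stat.S_IROTH:
        return False
    current = os.path.dirname(path)
    while True:
        if not other_bits(current) & stat.S_IXOTH:
            return False  # a closed directory on the way shields the file
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return True
        current = parent


def audit(root, names=CONFIG_NAMES):
    """Walk `root` and return the sorted paths of exposed config files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in names and exposed_to_other_accounts(
                    os.path.join(dirpath, name), root):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    for hit in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("readable by other local accounts:", hit)
```

A clean result only covers mode bits: if every account's scripts run as the same web-server user, that user can still read every config file, which is the gap suexec-style separation closes.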