To avoid infections, maybe we could have an option in the panel to toggle (activate/deactivate) write permissions on files and directories:
# set read-only
find /home/bob/web/mysite.com/public_html -type d -exec chmod -w {} \;
find /home/bob/web/mysite.com/public_html -type f -exec chmod -w {} \;
# normal permissions
find /home/bob/web/mysite.com/public_html -type d -exec chmod +w {} \;
find /home/bob/web/mysite.com/public_html -type f -exec chmod +w {} \;
We could exclude cache folders and WordPress uploads maybe, or only change permissions for PHP files.
# read-only permissions
find /home/bob/web/mysite.com/public_html -type f -name "*.php" -exec chmod -w {} \;
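Added example, not part of the original post: a POSIX shell version of the toggle proposed above, covering both the cache/uploads exclusion and the PHP-only variant. The function name `webroot_lock` and the exclude list are assumptions; it uses `a-w` instead of a bare `-w` because `chmod -w` leaves in place any write bit that is set in the umask (typically group and other).

```sh
#!/bin/sh
# Added example (not from the thread). Excluded paths are an assumed
# WordPress layout, relative to the document root.
EXCLUDES="wp-content/uploads wp-content/cache"

# webroot_lock <docroot> <lock|unlock> [php-only]   (hypothetical helper)
webroot_lock() {
    docroot=${1%/}; action=$2; scope=${3:-all}
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 2; }
    case $action in
        lock)   perm=a-w ;;  # explicit "a": a bare -w skips bits set in the umask
        unlock) perm=u+w ;;  # hand write access back to the owner only
        *) echo "action must be lock or unlock" >&2; return 2 ;;
    esac
    # Build the find expression: prune excluded paths first, then the targets.
    set -- "$docroot"
    for rel in $EXCLUDES; do
        set -- "$@" -path "$docroot/$rel" -prune -o
    done
    if [ "$scope" = php-only ]; then
        set -- "$@" -type f -name '*.php'
    else
        set -- "$@" \( -type f -o -type d \)
    fi
    # "{} +" batches paths into few chmod calls; symlinks are never followed.
    find "$@" -exec chmod "$perm" {} +
}

# Usage with the path from the post:
#   webroot_lock /home/bob/web/mysite.com/public_html lock php-only
#   webroot_lock /home/bob/web/mysite.com/public_html unlock
```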
99,99999999% of hacks / security issues with WordPress are poorly written plugins. Maybe we should ban the use of plugins?
Changing the permissions to read mode will also make it impossible for unattended upgrades to make sure your WordPress is at least up to date, and remove the possibility to update the plugins.
It makes more sense to block direct execution of *.php. It has already been done in nginx for 1.4.
Thank you for your sarcasm. Was it really necessary?
That’s true, I understand that, and maybe other sysadmins would prefer to have permissions changed and sacrifice the autoupdate feature that, by the way, can break the page.
True, but if I have 50 clients that don’t know how to update WordPress and every they enable this “option” and ask why update doesn’t work, it doesn’t make sense.
Most hacks I have seen are with outdated software or just badly written plugins. The first one is just simple: keep your website up to date. The second option is harder to solve as it requires basic knowledge of PHP / WordPress.
It is currently only for Nginx+PHP-FPM. For Nginx+Apache2 it probably makes sense to use mod_rewrite, or we have to use a new proxy template or make a new Apache2 template that blocks them.