Yesterday, we tweeted about a mass WordPress hack that hit WordPress users who hosted their sites with Network Solutions. It’s been reported in a number of places, with the most comprehensive overview in the KrebsonSecurity blog, as well as the Sucuri Security Labs blog.
Brian Krebs states:
It seems there are multiple culprits here. According to an update to Dede’s blog, a number of security weaknesses contributed to this attack, including the fact that WordPress stores the database credentials in plain-text at the wp-config file, which a lot of WordPress users allow to be readable by anyone. Dede also said a malicious user at Network Solutions created a script to find those configuration files that were incorrectly configured.
In order to understand what they mean by “readable by anyone”, we first have to understand Unix permissions, and there’s a very simple overview in Wikipedia:
There are three specific permissions on Unix-like systems that apply to each class:
- The read permission, which grants the ability to read a file. When set for a directory, this permission grants the ability to read the names of files in the directory (but not to find out any further information about them such as contents, file type, size, ownership, permissions, etc.)
- The write permission, which grants the ability to modify a file. When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.
- The execute permission, which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled c++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not see files inside the directory (unless read is set).
When viewing a directory listing, you have no doubt seen things that make no sense at first glance and look like this:
Well, this is telling you the permissions of the files. There are actually three groups of three designations in that gobbledygook (owner, group and everyone else), with the extra character at the front to be ignored (for the moment). While that link to Wikipedia goes much more in depth, if the above permissions were designated for a file:
On the Hardening WordPress page, WordPress recommends:
Note that if you are on a shared-server the permissions of your wp-config.php should be 750. It means that no other user will be able to read your database username and password. If you have FTP or shell access, do the following:
chmod 750 wp-config.php
OK, so what the heck is that 750? Click around below, and different numbers will appear at the bottom. The numbers are what you type in at a Unix command line to change the mode of a file; to get the permissions shown above, I would type in “chmod 755 filename.php”. Feel free to use the calculator below and see if you can come up with 755 at the bottom.
OOPS! The calculator worked in the draft! Try this one here! Sorry!
So, we want wp-config.php to look like this: click around above and see if you can get that. (We would even suggest going as low as 640.)
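To make the three-digit arithmetic concrete, here is an added shell example (not part of the original post, and not a WordPress, cPanel or Network Solutions tool) that turns the symbolic string `ls -l` prints into the octal number `chmod` takes, and flags modes where the “everyone else” group can still read the file. The function and file names are our own; it only reads a file’s mode and changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Converts an ls -l mode string
# such as "-rw-r--r--" to the octal form chmod expects (644), and reports
# whether "others" (the third group) can read the file.

# Convert one rwx triplet to its digit: r=4, w=2, x=1.
# "s" and "t" in the x position mean the x bit is set along with setuid/sticky.
triplet_to_digit() {
  t=$1
  n=0
  case "$(printf %s "$t" | cut -c1)" in r) n=$((n + 4));; esac
  case "$(printf %s "$t" | cut -c2)" in w) n=$((n + 2));; esac
  case "$(printf %s "$t" | cut -c3)" in x|s|t) n=$((n + 1));; esac
  echo "$n"
}

# Convert a full mode string ("-rwxr-x---" or "rwxr-x---") to octal ("750").
mode_to_octal() {
  m=$1
  # Drop the leading file-type character (the "extra at the front") if present.
  [ "${#m}" -eq 10 ] && m=${m#?}
  u=$(triplet_to_digit "$(printf %s "$m" | cut -c1-3)")   # owner
  g=$(triplet_to_digit "$(printf %s "$m" | cut -c4-6)")   # group
  o=$(triplet_to_digit "$(printf %s "$m" | cut -c7-9)")   # everyone else
  echo "$u$g$o"
}

# True (exit 0) when the third digit has the read bit (4) set,
# i.e. any other user on a shared server can read the file.
world_readable() {
  o=$(printf %s "$1" | cut -c3)
  [ $((o & 4)) -ne 0 ]
}

# Report the mode of a real file, e.g. wp-config.php, and whether it leaks.
# Returns 1 when the file is readable by other users so scripts can act on it.
check_wp_config() {
  f=$1
  mode=$(ls -ld "$f" | cut -c1-10)
  oct=$(mode_to_octal "$mode")
  if world_readable "$oct"; then
    echo "$f is $oct: readable by any other user on this server"
    return 1
  fi
  echo "$f is $oct: not world-readable"
}
```

Run `check_wp_config wp-config.php` from your WordPress directory; a 644 file reports the leak, while 750 or 640 passes, matching the Hardening WordPress recommendation above.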
So, you installed this in Fantastico, or someone did it for you, and you have no idea how to check, much less change, permissions. Everything we have said so far assumed you had seen the things we are talking about; in fact, you have never seen any of it and don’t know what we mean, but you love your blog and would love to figure it out.
No problem – just log into your cPanel and go to your File Manager. You can check the file, and then click “Change Permissions” at the top.
You’ll then get a calculator very much like the one you just played with above:
Simply change the file permissions to the recommended file permissions for security, and click to change permissions.
Simple, but definitely your first and simplest source of defense for your WordPress Blog.
Over the coming weeks, we’ll go over simple steps, step by step, to securing WordPress on our servers so that your blog is as protected as it can be from hackers and exploiters.