Fix Wordpress Wp-Config.Php Improper Permissions to Protect Your Sites from Database Password Steal / Website Deface
Walking in Light with Christ - Faith, Computing, Diary
Articles & tips and tricks on GNU/Linux, FreeBSD, Windows, mobile phone articles, religious related texts
http://www.pc-freak.net/blog

Wordpress Security: Fix Wordpress wp-config.php improper permissions to protect your sites from Database password steal / Website deface

Author : admin

Keeping a Wordpress site / blog and its installed plugins up to date is essential to prevent an attacker from hacking into your site / database and defacing your site. However, if you are a company providing shell access from a Cpanel / Plesk / Kloxo panel to customers, customers often mess up permissions, leaving important security credential files such as wp-config.php (which stores the user / password credentials for the connection to MySQL / PostgreSQL) with improper permissions, i.e. world readable with permissions such as 666 or 777, while the Wordpress recommended permissions for wp-config.php are 600. I will skip explaining in detail the difference between file permissions on Linux, as this is already well described in any Linux book; I will just recommend that any shared hosting admin whose server hosts Wordpress on a Lighttpd / Apache webserver plus some kind of backend database be extra cautious.

Hence it is very useful to list all the Wordpress wp-config.php files on the server with find, like this, and then check their permissions:

    find / -iname 'wp-config.php' -print

I find it generally good practice to also automatically set all wp-config.php permissions to 600 (6 = read / write permissions only for the file owner, 0 = no permissions for the group, 0 = no permissions for all other users).

If checking one of the listed files shows permissions such as:

    ls -al /var/www/wordpress-bak/wp-config.php
    -rw-rw-rw- 1 www-data www-data 2654 jul 28 2009 wp-config.php

i.e. the file has 666 permissions (readable and writable by all users), then it is wise to fix this with:

    chmod 600 /var/www/wordpress-bak/wp-config.php

It is generally very good practice to also run chmod 600 on each and every wp-config.php file found on the server:

    find / -iname 'wp-config.php' -print -exec chmod 600 '{}' \;

The above command will also print each file whose permissions are set to read / write for the owner only (this is done with the -print option).

It is good practice on a shared hosting server to always configure a root cronjob to run the above find / chmod command at least once daily (whenever the server hosts 50 - 100 or more Wordpress sites):

    crontab -u root -l | { cat; echo "05 03 * * * find / -iname 'wp-config.php' -print -exec chmod 600 '{}' \;"; } | crontab -

If you don't have the 600 permissions set for all wp-config.php files, this security "backdoor" can be used by any existing non-root user to read the database credentials and break (crack) into your database, and even, when deface bot-nets are involved, to deface all the Wordpress sites hosted on your server.

One of my servers with Wordpress has just recently suffered from this little but very important security hole, due to a Wordpress site directory backup with improper permissions which allowed anyone to enter the MySQL database, so I guess there are plenty of servers with this hidden vulnerability silently living on.

Many thanks to my dear friend (Dimitar Paskalev) Nomen for telling me about this vulnerability!

A very important note to make here is that admins who are using some security enhancement modules such as SuPHP (which makes the Apache webserver run separate website instances under different users) should be careful with changing the owner of all wp-config.php files, as it is possible for a wp-config.php owner change to make customers' WP based websites inaccessible.

Another good security measure to protect your server's Wordpress based sites from malicious theme template injections (both for your own personally hosted Wordpress based blog / sites and for a WordPress hosting company) is to install and activate the Wordpress Antivirus plugin.
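The audit / fix routine described above, as an added example that is not code from the original post: it reports which wp-config.php files are looser than 600 before touching anything, fixes only those (mode only, never the owner, so suPHP-style per-site users keep access), and builds a constructed sample tree to run against. The directory names are assumptions, and -perm /077 is GNU find syntax.

```shell
#!/bin/sh
# Added example (not from the original post): audit and harden wp-config.php
# permissions under a directory tree. Sample paths below are constructed.

# Print every wp-config.php under $1 that has any group or other permission
# bit set, i.e. anything looser than 600 (-perm /077 is GNU find syntax).
find_loose_wpconfig() {
    find "$1" -type f -iname 'wp-config.php' -perm /077 -print
}

# Count the loose files; 0 means every wp-config.php is owner-only.
count_loose_wpconfig() {
    find_loose_wpconfig "$1" | wc -l | tr -d ' '
}

# Fix every loose wp-config.php under $1 with chmod 600, printing each path
# fixed. Only the mode changes; owner and group are left untouched.
harden_wpconfig() {
    find "$1" -type f -iname 'wp-config.php' -perm /077 -print \
        -exec chmod 600 '{}' \;
}

# Build a small constructed sample tree: one site with a world-writable
# config (the article's 666 case) and one backup copy already at 600.
# Prints the root of the tree.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site1" "$root/site2/backup"
    printf "<?php define('DB_PASSWORD', 'constructed-sample');\n" \
        > "$root/site1/wp-config.php"
    cp "$root/site1/wp-config.php" "$root/site2/backup/wp-config.php"
    chmod 666 "$root/site1/wp-config.php"
    chmod 600 "$root/site2/backup/wp-config.php"
    echo "$root"
}

# Demo run (./script.sh --demo): report, fix, re-check, clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Loose before: $(count_loose_wpconfig "$tree")"
    harden_wpconfig "$tree"
    echo "Loose after:  $(count_loose_wpconfig "$tree")"
    rm -rf "$tree"
fi
```

Pointing harden_wpconfig at / reproduces the article's cron one-liner, with the difference that already-correct files are skipped and not printed.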