Find all WordPress folders with 777 permissions

How to find all folders with 777 permissions


As the owner of a dedicated server that provides shared hosting, you will find that many of your clients install applications such as WordPress. So far so good. However, once they get stuck with file and folder permissions, they generally set everything to 777 to make the problem go away. Great, their site works! Now your problems begin.

A 777 folder is writable by every user on the server, not just the site's own account. Combine that with a few not-so-well-written plugins and it is only a matter of time before hackers target these weak WordPress sites and start planting redirects and mail spammers on your server.

Using ‘find’ to locate those weaknesses

So, here is a quick way to find the weak installations. The following find lists every vhost whose wp-content directory is itself mode 777. Two caveats: the grep -v drops subdirectories, so a site whose wp-content is 755 but whose plugins or uploads folder is 777 is not listed; and -perm 0777 matches that mode exactly, so a 766 folder or one with the sticky bit set (1777) is also missed. Use -perm -o+w instead if you want everything that is world-writable.

find /var/www/vhosts/*/httpdocs/wp-content -perm 0777 -type d | grep -v "wp-content/"

Give this a whirl on your Plesk server, take a look at the list, then change into each document root and tighten the permissions as below:

cd /var/www/vhosts/dodgydomain.co.uk/httpdocs
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 750 ../httpdocs

This resets every directory to 755 and every file to 644, which removes world-write access from the whole tree, and sets httpdocs itself to 750 so that only the owner and the web-server group can enter it.

Ok, let’s automate the whole process

What? You have lots of these? Then here is a script to automate the process:

# List every wp-content directory that is itself 777, strip the trailing
# /wp-content to get the document root, and harden that root.
find /var/www/vhosts/*/httpdocs/wp-content -perm 0777 -type d | grep -v "wp-content/" |
while IFS= read -r wc; do
    docroot="${wc%/wp-content}"
    echo "$docroot"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    chmod 750 "$docroot"
done

This makes things a little more difficult for would-be injection attempts. Bear in mind that the script only acts on sites whose wp-content directory itself is 777; a site where only a subfolder is world-writable is left alone, so run a broader find (all of httpdocs, matching -perm -o+w) from time to time as well. If your directory structure is different from the standard Plesk layout, simply adjust the path in the find command.

WordPress File and Folder Permissions

Tighten Up WordPress File and Folder permissions

If you used an auto installer for WordPress you may find that many of your files and folders have 777 permissions. This is a risk: anything running as the web server, including a compromised plugin, can then write to every file in the site.

To tighten things up, log in over SSH, change into your httpdocs folder and run:

# find . -type d -exec chmod 755 {} \;
# find . -type f -exec chmod 644 {} \;
# chmod 750 ../httpdocs

Fixing the permissions does not remove anything that was planted while they were open, so at the same time run maldet (Linux Malware Detect) over the document root to check for malware already present:

# maldet -a ../httpdocs

Always ensure you are running the latest version of WordPress. This is the single most important rule for keeping your WordPress site secure.

How to Disable WordPress Comments Block

Re: Disable and Remove Comments from ALL pages without Deleting them

If you are suffering from comment spam but don't want to delete the existing comments, and just want to remove the comments block from all of your pages in one go, do the following.

Locate the file page.php for your active theme (this template only covers pages; posts use single.php, and a theme update will undo the edit unless you make it in a child theme).

Find this line:

<?php comments_template(); ?>

Change it to this:

<?php // comments_template(); ?>

The comment block will no longer display. Note that this only hides the form: wp-comments-post.php still accepts submissions for any page whose comments are open, so a spammer who posts directly to that endpoint is not stopped. To actually prevent new comments, close them (Settings > Discussion, or bulk-edit the pages and set Comments to Closed); the existing comments are kept either way.

WordPress Permissions: Secure your WordPress Files and Directories

Re: How to secure WordPress, WordPress Directory and file permissions

WordPress can be run securely, but deviating from the recommended file permissions can leave your site open to being hacked. If you have directories set to 777 it is not a question of if but when.

To change file and directory permissions you can use any FTP application or even the Plesk File Manager.

By default all WordPress folders should be 755: the execute bit on a directory is what allows the web server to enter it and read the files inside, and nobody other than the owner needs write access. Most installers set 755 on all folders, which is the right setting, but it is worth checking.

WordPress Files

All files starting with ‘wp-‘ (apart from the exceptions below) should be set to 644.

WordPress Directories

All directories starting with ‘wp-‘ (apart from the exceptions below) should be set to 755.

wp-config.php

The wp-config.php file holds your database credentials and secret keys, so it is the most important file to protect; the best setting is 640, which keeps it readable by the owner and the web server's group only. This works when PHP runs as the file's owner or as a member of its group (the usual arrangement with FastCGI or PHP-FPM running as the site's own user); if PHP runs as an unrelated user you will have to fall back to 644.

.htaccess

The .htaccess file should be 644: Apache reads it as its own user, which is usually not the file's owner, so 640 would stop Apache from reading it and the site would stop serving.

robots.txt

robots.txt is a plain text file served over HTTP like any other, so 644 is the right setting. It never needs to be executable: search engines read it through the web server, not from the filesystem, and the execute bit does nothing for them.
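The automation script earlier on this page and the permission table above describe the same job: find what is world-writable, then put the documented modes back. The following shell script is an added example, not the page's own code, that does both in a form you can check before running it for real. It assumes GNU find and stat (a Linux box, as a Plesk server is), a Plesk-style /var/www/vhosts/<domain>/httpdocs layout, and an assumed VHOSTS_ROOT variable so that the functions can be pointed at a scratch tree; make_fixture builds such a tree with constructed sample files, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the page's own script): audit a Plesk-style vhost tree
# for world-writable entries and apply the page's permission policy
# (directories 755, files 644, wp-config.php 640, httpdocs 750).
# Assumes GNU find/stat. VHOSTS_ROOT is an assumed variable; override it to
# point at a scratch tree instead of the live server.

VHOSTS_ROOT="${VHOSTS_ROOT:-/var/www/vhosts}"

# Print each httpdocs directory under VHOSTS_ROOT that holds a WordPress install.
wp_docroots() {
    find "$VHOSTS_ROOT" -mindepth 2 -maxdepth 2 -type d -name httpdocs \
        -exec sh -c 'test -f "$1/wp-config.php"' _ {} \; -print
}

# Directories that are exactly mode 0777: all the page's '-perm 0777' sees.
exact_777_dirs() { find "$1" -type d -perm 0777; }

# Anything world-writable: 777, but also 766 dirs, 666 files, 1777 and so on.
world_writable() { find "$1" \( -type d -o -type f \) -perm -o+w; }

count_lines() { wc -l | tr -d ' '; }

# Apply the page's policy to one document root. Read the world_writable
# listing first so you know what is about to change.
harden_docroot() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    if [ -f "$docroot/wp-config.php" ]; then
        chmod 640 "$docroot/wp-config.php"   # owner and web-server group only
    fi
    chmod 750 "$docroot"                      # other accounts cannot enter the docroot
}

mode_of() { stat -c '%a' "$1"; }

# Constructed fixture: a throwaway vhost tree with a deliberately sloppy
# install, so the functions can be exercised without touching a live server.
make_fixture() {
    umask 022
    root=$(mktemp -d)
    d="$root/dodgydomain.example/httpdocs"
    mkdir -p "$d/wp-content/plugins/badplugin" "$d/wp-content/uploads" "$d/wp-includes"
    : > "$d/wp-config.php"; : > "$d/index.php"; : > "$d/.htaccess"
    : > "$d/wp-content/plugins/badplugin/badplugin.php"
    chmod 777 "$d/wp-content" "$d/wp-content/plugins/badplugin" "$d/wp-content/uploads"
    chmod 666 "$d/wp-config.php"     # world-readable *and* world-writable config
    chmod 1777 "$d/wp-includes"      # sticky bit set: world-writable, but not exactly 0777
    echo "$root"
}

# Walk every install under VHOSTS_ROOT: report the count, then harden.
# Example: VHOSTS_ROOT=$(make_fixture) is a safe way to try it out first.
audit_and_harden() {
    wp_docroots | while IFS= read -r docroot; do
        echo "== $docroot: $(world_writable "$docroot" | count_lines) world-writable entries"
        harden_docroot "$docroot"
    done
}
```

On the fixture, exact_777_dirs reports three directories while world_writable reports five entries: the sticky-bit directory and the 666 config file are world-writable without being mode 0777, which is the gap the page's original find leaves. After harden_docroot the world-writable count is zero, wp-config.php is 640 and httpdocs is 750.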

Hardening /wp-includes scripts

For additional protection, block direct HTTP requests to the PHP files under wp-includes and wp-admin/includes, which are meant to be included by other code and never called on their own, by adding the following to your WordPress .htaccess file. Put it outside the # BEGIN WordPress and # END WordPress markers, since WordPress regenerates anything between them. On a Multisite install the ^wp-includes/[^/]+\.php$ rule would also block ms-files.php, which serves uploaded files, so leave that line out there:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Update your Plugins

The majority of vulnerabilities are a result of insecure and outdated plugins. It is absolutely essential that you ensure you are running the latest versions of all plugins. Many plugin updates are released to close known vulnerabilities.

Further securing your WordPress blog

You can further secure your WordPress blog by reading 7 easy ways to secure WordPress

WordPress Upgrade: Download failed.: Could not create Temporary file

Re: WordPress Upgrade Failed, Download Failed, Could not create Temporary file

This problem can be caused by over-securing your WordPress installation, which is not a bad thing! Here is a quick way to get the upgrade through. Keep the window in step 1 as short as possible: while wp-content is 777, every other account on the server can write into it.

  1. CHMOD 777 the /wp-content folder
  2. Perform the WordPress Upgrade
  3. CHMOD 755 the /wp-content folder

If this fails, make sure the folder /wp-content/upgrade exists and is writable by the user PHP runs as; the upgrader unpacks the downloaded package there.

Your WordPress should now upgrade successfully.
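The weak point of the three-step recipe above is the gap between steps 1 and 3: if the upgrade fails or you get interrupted, wp-content stays at 777. The shell function below is an added example, not from the page, that wraps one command in the loosen-then-restore sequence and restores the original mode whatever the command does. It assumes GNU stat (Linux), and the usage lines assume wp-cli is installed; with_writable_dir and mode_of are my own names.

```shell
#!/bin/sh
# Added example (not from the page): run one command with a directory
# temporarily opened up, then put the original mode back whether the command
# succeeds, fails or is interrupted. Assumes GNU stat.

# Usage: with_writable_dir DIR MODE COMMAND [ARGS...]
# Returns COMMAND's exit status; DIR is restored to its original mode.
with_writable_dir() {
    wd_dir="$1"; wd_mode="$2"; shift 2
    wd_orig=$(stat -c '%a' "$wd_dir") || return 1   # remember the real mode, not an assumed 755
    chmod "$wd_mode" "$wd_dir" || return 1
    # If we are interrupted while the command runs, still restore the mode.
    trap 'chmod "$wd_orig" "$wd_dir"; exit 130' INT TERM
    if "$@"; then wd_status=0; else wd_status=$?; fi
    trap - INT TERM
    chmod "$wd_orig" "$wd_dir"                        # restore unconditionally
    return "$wd_status"
}

mode_of() { stat -c '%a' "$1"; }

# Real-world calls (wp-cli assumed). Try 775 before falling back to the page's 777:
#   with_writable_dir /var/www/vhosts/dodgydomain.co.uk/httpdocs/wp-content 775 wp core update
# For an upgrade driven from the dashboard, hold the window open only until you press Enter:
#   with_writable_dir /var/www/vhosts/dodgydomain.co.uk/httpdocs/wp-content 777 \
#       sh -c 'printf "run the upgrade in the dashboard, then press Enter: "; read -r _'
```

Because the original mode is read with stat rather than assumed, a directory that was 750 before the upgrade goes back to 750, not to 755 as in the recipe above.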