Weird server shit and WP

Bizarre happenings with our WordPress sites (that are all on one server). Does anyone here have any idea why, suddenly, all permissions on folders would not work and had to be shifted to 777?

Also, one of our sites seems to be sending spam out of the mail server – though CaveCreek tells us ‘nothing unusual has been detected.’

Speaking of which: CaveCreek, who hosts our sites, is handling this with the most incoherent, confused method of support that I’ve ever experienced in 15 years of running sites. I’m drop-jaw at this point. :help:

Bec, any ideas about this – oddly it happened right around the time of your notice last week of massive attacks on WP sites?

Thanks much,

David K.

Re: Weird server shit and WP

Leaving any file or folder open at 777 is inviting hackers. What, exactly, isn’t working that you needed to resort to 777?

Can you get your host to check your logs for any unusual activity around the time you suspect something happened?

What security measures do you have in place, and what does your host provide as far as securing your server?

Also, read over this article about hacked sites and see if any of that relates to you, or are things you can implement.

Re: Weird server shit and WP

edited - removed - link

Re: Weird server shit and WP

Hi Bec

Suddenly we could not upload to WP’s media folder without changing the permissions on ALL of our sites to 777. I told CaveCreek this wasn’t safe but their support staff is the equivalent of a carnival in Rio. Just horrid. I’m still reeling at the ineptitude.

My code and developer guy is looking into this from his end. And CC is supposed to get back to us today, but still crickets over there after endless tickets. He claims everyone now is scrambling with WP, like it’s targeted for take down by maniacs or something. (LOL!)

CC claim they checked logs and saw nothing unusual.

I have no security measures in place on my own, I thought fucking CC was supposed to watch the boxes we pay them to manage.

UGH.

Thank you very much for the info. I appreciate your taking the time to respond.

DK

PS: I’ll keep this thread posted, should it help others.

Re: Weird server shit and WP

What permissions have you tried for the upload folder? What was the permission that you were using before the problem began? Did you try to use 755 or 775 before jumping to 777?

Has anything new happened, especially with hardware or software? New drive on the server, etc.? Are your sites on a dedicated managed server, or on shared hosting? (Given your time in adult and the popularity of your sites I’m guessing it’s a managed server, but don’t want to assume that.) Has the HOST upgraded anything, Linux version, etc.? How about site WP versions or plugin upgrades? Did you have to restore a backup recently?

Permissions will be different from host to host but typically, all files should be owned by your user (ftp) account on your web server, and should be writable by that account. Tell the host “make the files writable by the web user.” This has to happen for EACH site as it is setup, it can’t be globally done to all sites on the server at one time.

Grant whatever is needing updating full web server permissions. The locations you’ll want to note are:

wp-content
wp-content/themes
wp-content/plugins
wp-content/upgrade
Sometimes wp-admin

Within those, depending on what is needing updating/upgrading, you may need to fine-tune the permissions on the levels deeper within those directories, but those generally suffice if the setup is kept intact the entire time. If something is set up/changed differently as it is being updated, or if something was restored from backups and permissions were mass set, this will not apply and everything will likely need more granular permissions in the above mentioned locations.

For example I recently had an issue with the ShareThis plugin – it had a file some layers deep that it wanted to write to but only had rx permission instead of rw/rwx.

Any file that needs write access from WordPress should be owned or group-owned by the user account used by the WordPress installation (which may be different than the server account). For example, you may have a user account that lets you FTP files back and forth to your server, but your server itself may run using a separate user, in a separate usergroup, such as dhapache or nobody. If WordPress is running as the FTP account, that account needs to have write access, i.e., be the owner of the files, or belong to a group that has write access. In the latter case, that would mean permissions are set more permissively than default (for example, 775 rather than 755 for folders, and 664 instead of 644).
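Added example (editor’s, not code from the post above or from WordPress): a small set of shell functions that check a WordPress tree for the problems discussed in this reply, world-writable 777/666 entries and mixed ownership, then reset it to the 755/644 baseline and grant group-write (775/664) only on the subdirectories WordPress needs to write to. It assumes GNU find/chmod/chgrp on Linux; the web root and the web-server group name (www-data, apache, nobody, whatever your host’s httpd runs as) are placeholders passed in as arguments.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes GNU find/chmod/chgrp.
# Paths and the web-server group name are placeholders supplied by the caller.

# List every directory or file that anyone on the box can write to (the 777/666 case).
wp_world_writable() {
  find "$1" \( -type d -o -type f \) -perm -o+w
}

# Number of world-writable entries under a tree; 0 is what you want.
wp_world_writable_count() {
  wp_world_writable "$1" | wc -l | tr -d ' '
}

# Show which owner:group pairs appear in the tree. A healthy install shows one
# pair (your account). A mix with the web-server user usually means the server
# process itself wrote files, e.g. dashboard plugin installs or a dropped shell.
wp_owner_report() {
  find "$1" -printf '%u:%g\n' | sort | uniq -c   # -printf is GNU find
}

# Reset to the baseline from the reply: 755 on directories, 644 on files.
wp_reset_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Let the web-server group write to the named subdirectories only (775/664),
# so uploads and updates work without opening the whole tree to everyone (777).
# $1 = web root, $2 = web-server group, remaining args = subdirectories.
wp_grant_group_write() {
  root=$1; group=$2; shift 2
  for sub in "$@"; do
    if [ ! -d "$root/$sub" ]; then
      echo "skipping $root/$sub: not a directory" >&2
      continue
    fi
    chgrp -R "$group" "$root/$sub"
    find "$root/$sub" -type d -exec chmod 775 {} +
    find "$root/$sub" -type f -exec chmod 664 {} +
  done
}

# Typical use, as root or as the account that owns the site (placeholder paths):
#   wp_world_writable /var/www/example.com
#   wp_owner_report /var/www/example.com
#   wp_reset_perms /var/www/example.com
#   wp_grant_group_write /var/www/example.com www-data wp-content/uploads wp-content/upgrade
```

Run the audit first and keep its output: the list of world-writable paths and the owner report tell you whether the 777 change was applied everywhere or only where someone needed it, and the owner report is the quickest way to spot files the web-server account wrote on its own.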

Re: Weird server shit and WP

Here are some other sites where you can put in your URLs to have them checked for problems. http://www.unmaskparasites.com/security-report/

At the bottom of that page you will see other links for other types of deeper searches.

Install these plugins on each blog and activate them to check your themes and to check your plugins for malicious code injections

Re: Weird server shit and WP

What? 777? Hmmm. It’s a hosting issue. Poor deployment. Do they have you on cPanel?

Re: Weird server shit and WP

It looks like a security issue, perhaps a malware infection but doesn’t have to be. There are virus/malware scanners for WP that can be run on the server where your WP blogs are hosted, but that type of scan can last for days literally. Your hosting techies should know that, though.

If I were you I would change the hosting, if nothing else because of such poor tech support. Experience has taught me that whenever I am too lenient or show excessive tolerance regarding issues that need to be resolved (some) people tend to abuse this. So I choose not to be so lenient anymore.

Re: Weird server shit and WP

Turns out it was related to a plugin that allowed for contact form generation. Hackers got through via that opening to the mailserver and then laid a bunch of code in place that was using the mail server to spam.

What’s so frustrating is that we kept telling the support people that something was fucked up, and would get emails back saying: ‘We’ve checked everything and it’s fine. Thank you for contacting us.’

And then ironically the next day I get a missive from CaveCreek’s spam prevention division telling us that we are in violation of their terms because one of our sites is spamming.

Utterly ridiculous.

On another note:

I wonder about these plugins to monitor plugins though – how are these vetted? What’s to say those aren’t allowing hacks?

We’re paranoid now, especially as all of our sites are on WordPress, and there seems to be a concerted effort to keep harassing and cracking those sites.

Thank you for the feedback and suggestions here.

David

Re: Weird server shit and WP

Install Wordfence at the same time you add the two other plugins I mentioned. Under Wordfence->Options … scroll down towards bottom and check the two boxes for it to also scan your theme and plugin files. It emails you if there is a change in any file from the one on record with WordPress.

And just because you get a change notice, don’t panic. Login, go to Wordfence-Scan and move down the page to see what it’s notifying you about. Select the compare text and you can see right away if it’s just a simple update to the file and the creator didn’t change the version (it’s comparing apples to apples, hence the warning), OR you made edits to your theme, and it’s letting you know about it (just tell it to only notify you the next time that file changes, so you are alerted when YOU don’t make an edit!) … or there is a hack code added to the file.

And now you have a way to cross-monitor the authenticity plugins, plus all the other plugins and your themes :slight_smile:
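Added example (editor’s, not Wordfence’s code and not from the post above): the file-change notice described here is, underneath, a comparison of each file against a known-good copy. The same check can be done locally with a hash manifest, which is also a way to cross-check a plugin that is itself monitoring plugins. Take the baseline right after a clean install or update and keep the manifest outside the web root, since anyone who can write files can also edit it. It assumes GNU coreutils (sha256sum, find, xargs) and awk; the directory and manifest paths are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils and awk.

# Write one "sha256  ./relative/path" line per file under $1 into manifest $2.
wp_baseline() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Compare the tree at $1 against the known-good manifest $2.
# Prints one line per change, sorted by path:
#   ADDED ./path      new file (a dropped web shell is the common case)
#   MODIFIED ./path   hash differs (injected code in a plugin or theme file)
#   REMOVED ./path    file gone
# Returns 0 if the tree matches the manifest, 1 if anything changed (cron-friendly).
wp_check() {
  current=$(mktemp)
  wp_baseline "$1" "$current"
  # sha256sum lines are 64 hex chars, two spaces, then the path: path starts at column 67.
  changes=$(awk '
    FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
    {
      p = substr($0, 67); seen[p] = 1
      if (!(p in old))                       print "ADDED " p
      else if (old[p] != substr($0, 1, 64))  print "MODIFIED " p
    }
    END { for (p in old) if (!(p in seen)) print "REMOVED " p }
  ' "$2" "$current" | sort)
  rm -f "$current"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# Typical use (placeholder paths):
#   wp_baseline /var/www/example.com /root/manifests/example.com.sha256
#   wp_check    /var/www/example.com /root/manifests/example.com.sha256 || mail -s 'WP changed' you@example.com
```

A legitimate update shows up as a burst of MODIFIED lines under wp-admin, wp-includes and the updated plugin, and you re-baseline afterwards; a single ADDED .php file under wp-content/uploads, or a MODIFIED line on a plugin you did not update, is the case to look at first.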

Re: Weird server shit and WP

Unfortunately, WordPress, by default, is very exploitable. WordPress is the most used website builder on the internet, so it’s easy for hackers to find and exploit them if they are not set up properly. The default install is usually very exploitable.

Here are some suggestions to keep it secure.

  1. First and foremost is the folder security. All folders should be 755 and all files should be 644 (in fact, a file should NEVER be 755/775/777 unless it’s an older cgi-bin file that has to be executed from the command line, and it’s rare that php files are run at the command line) and owned by your FTP username. Use FTP for WP and plugin/template updates as well as for adding any image type content. Any folder that is writable by the web server user is a folder waiting to have an exploit dropped into it.

  2. Make sure your WP updates are ALWAYS updated. We will update any WP install as part of our support and in fact, we have scripts that can do an update in about 30 seconds, including creating a full backup (of course, this time varies based on the amount of content in the WP wp-content folder). When we see a WP install exploited, 99% of the time, it’s an older version.

  3. Any forms should have a captcha installed so that spammer bots cannot use them to spam.

  4. Your wp-admin.php or wp-login.php is just waiting to be brute-forced. Add an extra layer of protection by password protecting the wp-admin folder, and for even better security, lock it down by your desktop IP address. If possible, lock down your entire server by your IP as well so only your IP has FTP or SSH access to it. This is pretty easy using iptables.

  5. Try to use plugins and templates that are trusted. Google them for known exploits. While it’s no guarantee, you’re usually safer using plugins/templates from wordpress.org.

  6. If you have multiple servers, keep your WP installs on a server of its own. This prevents your other important sites (NATS, etc) from being exploited via a back door.

Hope this helps.

– Bill
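Added example (editor’s, not Bill’s code): the two lock-downs in item 4 above, written as functions that emit the configuration so you can read it before applying it. It assumes Apache 2.4 with .htaccess enabled for the site and iptables on a Linux host; the addresses (203.0.113.10, 198.51.100.0/24) are documentation placeholders, and the allow list for the iptables rules is matched as exact addresses, not ranges. The iptables function also guards against the classic failure mode of this step, locking yourself out: if you are connected over SSH from an address that is not on the allow list, it refuses to emit the DROP rules.

```sh
#!/bin/sh
# Added example, not from the thread. Apache 2.4 and iptables assumed;
# all addresses below are placeholders.

# Emit an .htaccess fragment (for the site root) that restricts wp-login.php
# to the given addresses or CIDR ranges. Everyone else gets 403 before PHP runs,
# so brute-force attempts never reach WordPress.
wp_login_htaccess() {
  printf '<Files "wp-login.php">\n    Require ip'
  for ip in "$@"; do printf ' %s' "$ip"; done
  printf '\n</Files>\n'
}

# Emit an .htaccess for wp-admin/ that restricts the whole directory, but keeps
# admin-ajax.php reachable: front-end features of many themes/plugins call it.
wp_admin_htaccess() {
  printf 'Require ip'
  for ip in "$@"; do printf ' %s' "$ip"; done
  printf '\n# admin-ajax.php is used by front-end code, so it stays open\n'
  printf '<Files "admin-ajax.php">\n    Require all granted\n</Files>\n'
}

# Emit iptables commands that allow SSH (22) and FTP (21) only from the given
# addresses and drop everything else on those ports; 80/443 are untouched.
# Refuses to run when your current SSH session comes from an address that is
# not in the list, because applying the DROP rules would cut you off.
wp_iptables_rules() {
  if [ -n "$SSH_CONNECTION" ]; then
    client=${SSH_CONNECTION%% *}   # first field is the client address
    ok=0
    for ip in "$@"; do [ "$ip" = "$client" ] && ok=1; done
    if [ "$ok" -eq 0 ]; then
      echo "refusing: your SSH client $client is not in the allow list" >&2
      return 1
    fi
  fi
  for ip in "$@"; do
    echo "iptables -A INPUT -p tcp -s $ip --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $ip --dport 21 -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
  echo "iptables -A INPUT -p tcp --dport 21 -j DROP"
}

# Typical use (placeholder paths and addresses):
#   wp_login_htaccess 203.0.113.10 198.51.100.0/24 >> /var/www/example.com/.htaccess
#   wp_admin_htaccess 203.0.113.10 > /var/www/example.com/wp-admin/.htaccess
#   wp_iptables_rules 203.0.113.10            # review the output first ...
#   wp_iptables_rules 203.0.113.10 | sh       # ... then apply as root
```

Two caveats a practitioner would add: the ACCEPT rules must come before the DROP rules in the chain, which the function guarantees only if no earlier rule in INPUT already drops those ports, and iptables rules do not survive a reboot unless you save them with your distribution’s mechanism. Test the .htaccess change from a second browser on a different network before closing the first session.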

Re: Weird server shit and WP

Thank you Bill (and Bec) for taking the time and energy to create this extremely helpful thread. Really appreciate it and hope other WP users will benefit too.

David