I have moved my WordPress website from shared hosting to a new VPS. After moving, I had issues with timthumb and uploading images; these issues were resolved only by chmodding the uploads directory and its subdirectories, and the cache directory inside the theme dir, to 777.
My question is: Isn't that a security hole? Is it a WordPress problem, or am I missing something here?
Thanks
Yes, 777 is a security hole and the WordPress Codex specifically addresses this and gives suggestions on how to set permissions.
Yes, 777 is very insecure. WordPress does not require 777 for any directory, and no correctly developed plugin should, either. WordPress needs no more than 755 on most directories.
On shared hosting, permission schemes are managed by the host. On a VPS, you will need to do some management of owners and groups and permissions yourself.
See Changing File Permissions « WordPress Codex and Hardening WordPress « WordPress Codex for correct permissions and owner/groups for WordPress.
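To see what a blanket chmod 777 left behind and bring it back to the modes recommended above, here is an added example (not part of the thread or the Codex). The 644 file mode is the conventional companion to 755 directories and is an assumption here; the demo tree is constructed.

```shell
#!/bin/sh
# Added example: audit and repair world-writable entries under a WordPress root.

# List every file or directory under $1 that "other" may write to (777, 666, ...).
wp_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Reset directories to 755 and regular files to 644 under $1.
# With these modes only the owner can write, so uploads keep working only if
# the files are owned by the account PHP runs as.
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree that mimics the layout described in the question.
# Prints the path of the new tree.
demo_tree() {
    umask 022
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads/2013" \
             "$root/wp-content/themes/mytheme/cache"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/2013/photo.jpg"
    chmod 777 "$root/wp-content/uploads" \
              "$root/wp-content/uploads/2013" \
              "$root/wp-content/themes/mytheme/cache"
    chmod 666 "$root/wp-content/uploads/2013/photo.jpg"
    printf '%s\n' "$root"
}

# Usage on a real site: wp_world_writable /path/to/wordpress
#                       wp_fix_perms      /path/to/wordpress
```

Run the audit first and review its output before running the fix, since a plugin or theme may ship files that need a different mode.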
I have installed XenForo in my public_html in my cPanel, which means my forum is available at site.com
Now I want to add another folder containing my web app and want to access it at site.com/myapp. I created a folder "myapp" in public_html beside the XenForo files, and now when I enter the URL site.com/myapp it goes to a 404 page of the forum. I need XenForo to exclude this folder and let the app launch at this address. How can I do that?
You should move your XenForo installation to a subdirectory - many people use site.com/community as the forum root and either have a separate home page at site.com/ or just redirect the domain root to the /community URL.
This then allows you to have other apps running in other subdirectories like site.com/myapp without issue.
In XenForo 2.x this works fine. If you have enabled full SEO-friendly URLs from the admin panel, make sure you have a proper .htaccess file in place. In your case, I believe you did not upload the .htaccess file to the public_html folder.
I have created a .htaccess file from root with chmod permissions of 400. It is placed in the user FTP directory with all the details I have entered in Plesk for it. However, when I log in to the FTP as the user (i.e. ftp://www.ftpname.co.uk with username and password), it goes to that directory and shows me that the .htaccess file is already there and uploaded by root, yet I can still delete it as the user.
This is very frustrating. Any idea what I am doing wrong and to stop the .htaccess file being deleted by the ftp user?
Thanks
CP
It's in the ProFTPD FAQ: http://www.proftpd.org/docs/faq/linked/faq-ch6.html#AEN677
The docs advise using these directives as a workaround:
http://www.proftpd.org/docs/directives/linked/config_ref_IgnoreHidden.html
http://www.proftpd.org/docs/directives/linked/config_ref_HideNoAccess.html
Another workaround is the immutable bit, but I definitely don't recommend using it.
I'm a programmer with very little knowledge of website administration. I've inherited the task of uploading our new pages and data to our website. I have a sandbox site that works great, and I've transferred everything for that site to the live site. Now I get 403 in the browser, and the only clue I've been able to find so far is in one of the error logs: Permission denied: .htaccess pcfg_openfile. But both the old and new .htaccess files have 0644 permissions, and both parent directories have 0750 permissions. I don't know where to go from here. Help!
Change the parent from 750 to 755.
Update. Then try this from a shell prompt.
chmod -R 755 /path/to/siteroot/
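The answer's advice to change the parent from 750 to 755 points at directory search permission along the path to .htaccess. The following added example (not part of the original answer) lists every ancestor directory of a file that lacks the search bit for "other"; it assumes the web server account is neither the owner nor in the group of those directories.

```shell
#!/bin/sh
# Added example. Assumption: the web server account is neither owner nor group
# member of these directories, so the "other" permission bits are what apply.

# Print mode and path of every directory between / and the file $1 that lacks
# the "other" search (x) bit. One such directory is enough for httpd to fail
# with "Permission denied" while opening .htaccess.
blocked_ancestors() {
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            d????????[xt]) ;;                       # o+x set (t = sticky plus x)
            *) printf '%s %s\n' "$mode" "$dir" ;;   # e.g. drwxr-x--- (0750)
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Usage: blocked_ancestors /path/to/siteroot/.htaccess
```

Only directories need the search bit, so adding it to the directories this reports is sufficient; the .htaccess file itself can stay at 0644.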
PHP programmer here. Boss wants me to create multiple WordPress websites that are symlinked back to a single parent WordPress directory. Each website resides in a separate Linux user account. In other words, one parent, many child copies, all residing in different /home/ accounts. I need help with my symlink strategy...
So far, for each new Linux web account:
1. install the database
2. sed replace config values into a temp config file
3. mysql insert some config data
4. symlink????
   a. every WordPress file ??
   b. the entire public_html directory ??
If I alter the parent wordpress PHP code, I can place a "real" copy of the config file in the child user directory, above the symlinked public_html. So, I need only use one child symlink to the parent's public_html directory. BUT, apache returns a 500 error. How do I set up the permissions?
Permissions are the issue. Would chgrp work? Which group? What file mode? Or would I need to create a special group to accommodate the apache user, nobody?
Any help would be greatly appreciated. Code samples welcome :)
Problem's Cause (paranoid security, "switch-user" blocking):
PHP 5 Handler suphp
Suexec on
Problem's solution (DSO):
PHP 5 Handler dso
Suexec off
Performance optimization, added +FollowSymLinks at httpd.conf LINE 75:
<Directory "/">
Options All +FollowSymLinks
AllowOverride All
</Directory>
Each Linux user must have a wp-content directory and a wp-config.php file. Don't forget to set write permissions on the wp-content directory.
You can symlink the rest of the WordPress files to the global WordPress ones.
The global WordPress files must not be writable by the Linux users.
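The layout described in this answer, as an added example that is not part of the original post: each child gets its own wp-content and wp-config.php, everything else is a symlink into the shared core, and a core that group or other can write to is refused. The function name `link_child` and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. link_child PARENT CHILD builds CHILD as a symlinked view of
# the shared WordPress core in PARENT. Names and paths are hypothetical.
link_child() {
    parent=$(cd "$1" && pwd -P) || return 1   # absolute path so links resolve
    child=$2

    # The shared core must not be writable by the site users: refuse if any
    # entry under PARENT has the group or other write bit set.
    if [ -n "$(find "$parent" ! -type l \( -perm -0020 -o -perm -0002 \) \
               -print | head -n 1)" ]; then
        echo "refusing: $parent has group- or world-writable entries" >&2
        return 1
    fi

    # Per-site, writable by the site owner only.
    mkdir -p "$child/wp-content" || return 1
    [ -e "$child/wp-config.php" ] ||
        echo "note: $child/wp-config.php must be supplied per site" >&2

    # Link every core entry except the two per-site items.
    for entry in "$parent"/* "$parent"/.[!.]*; do
        [ -e "$entry" ] || continue            # skip an unmatched glob
        name=$(basename "$entry")
        case $name in
            wp-content|wp-config.php) continue ;;
        esac
        ln -sfn "$entry" "$child/$name" || return 1
    done
    return 0
}

# Usage: link_child /opt/wordpress-core /home/site1/public_html
```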
This is very possible to do. I have actually written a detailed post explaining the process of symlinking the WordPress directory.
Basically the idea is to replace the wp-config.php file.
Download the repo for WordPress from GitHub; with this you can switch to a newer or older version of WordPress with a simple command: "git checkout 3.7-branch"
Here is the complete set of instructions:
http://www.htmlgraphic.com/symlinking-wordpress-core-files-wordpress-skeleton/
My internet sites are in the folder
public_html
I noted that www/ seems to be a symbolic link to public_html.
I do not know why we need the www/ folder when we have public_html.
Perhaps it is a security reason. Perhaps the name of the folder where websites are should be hidden.
Why does the www/ folder point to the folder public_html by default?
$HOME/public_html is the convention for user dirs, while $HOME/www/domain is the typical convention for user domains in shared hosting. Having the symlink, you don't have to worry which one you use.