[wp-hackers] Security in wordpress

Marko Heijnen mailing at markoheijnen.nl
Fri May 7 14:42:03 UTC 2010


It simply doesn't matter who owns it, because on most hosts Apache runs
under its own user.
I think most hosts don't use suphp because it probably costs extra
memory, since the Apache process runs for a specific user.


On 7 May 2010, at 16:35, Otto wrote:

> I would say that making your files owned by the nobody user is not
> particularly safe.
>
> It'd be better to set your server up to use suphp or setuid on your
> PHP setup, so as to make the PHP process run as the user who owns the
> website files. Then as long as that user is separated from everything
> else on the system, the process can't reach outside the website's own
> directory.
>
> -Otto
>
>
>
> On Fri, May 7, 2010 at 9:27 AM, Ash Goodman <ash at thinkinginvain.com> wrote:
>> Hi everyone,
>>
>> I recently had 2 different servers get hacked. One by way of a client
>> letting someone else get hold of their FTP credentials and following that
>> via folder permissions.
>>
>> I would like to set my server up so that the FTP credentials are not
>> required for wordpress and plugin updates as shown here:
>> http://robspencer.net/auto-update-wordpress-without-ftp/
>>
>> This also seems to eliminate the problem of needing to 777 the uploads
>> folder in order to upload images.
>>
>> Is this safe to do or is it only going to cause other security problems
>> and/or cause problems with wordpress?
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
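
A check for the two conditions raised in this thread (a world-writable uploads folder, and files not owned by the account PHP is supposed to run as), added here as an example and not code from any poster or from WordPress. The function names and the directory and user arguments are hypothetical.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the two conditions discussed
# in this thread. Paths and user names are assumptions passed by the caller.

# Print every path under $1 that any local user can write to
# (the "777 the uploads folder" case). Symlinks are skipped.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print every path under $1 NOT owned by user $2 (name or numeric uid).
# Under the suphp/setuid model PHP runs as the site owner, so this list
# should be empty.
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Summarise both checks; returns 0 when clean, 1 when anything was found.
# $2 defaults to the uid of whoever runs the audit.
audit_wp_tree() {
    root=$1
    owner=${2:-$(id -u)}
    status=0
    ww=$(world_writable "$root")
    fo=$(foreign_owned "$root" "$owner")
    if [ -n "$ww" ]; then
        printf 'WORLD-WRITABLE:\n%s\n' "$ww"
        status=1
    fi
    if [ -n "$fo" ]; then
        printf 'NOT OWNED BY %s:\n%s\n' "$owner" "$fo"
        status=1
    fi
    return $status
}

# Run stand-alone: sh audit.sh /path/to/wordpress [site-user]
if [ "$#" -ge 1 ]; then
    audit_wp_tree "$@"
fi
```

Run it as the site account, or pass that account as the second argument, so the ownership check reflects the user PHP would run as.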