Re: Apache and umask for document root

On 8/2/22 8:47 PM, Tim via users wrote:
> On Tue, 2022-08-02 at 15:22 +0000, Emmett Culley via users wrote:
>> So wordpress automatically has the ability to write all files in the
>> root directory.  I suppose we have to trust that wordpress will not
>> write hacked files to the server's root.
>
> You are aware that it has a bad reputation for security?  You'll need
> to keep on top of it being updated all the time.  It's a prime target.
>
>> So it behooves our site webmasters to not install untrusted plugins.
>
> This is where you need one or two competent and trustworthy webmasters.
> General page authors aren't webmasters.

Thanks for your comments.

All true.  And there is nothing to do but grin and bear it, as many of our clients want to use wordpress.  We keep a watch for "bad" files, and we also survey what plugins are installed and when a new one shows up one of us researches it.  We have found a couple of bad actors, but if a webmaster sticks to wordpress approved plugins, we see no issues our current methods cannot mitigate.

Right now we are dealing with DIVI booster issues.  It wants write access to wp-content anytime you edit the site.  I've contacted them, but so far no response.  In the meantime I have to temporarily enable apache write access to wp-content, then reinspect the site's files after disabling that access.  If it isn't fixed by DIVI booster soon I will require that the client uninstall that theme plugin.  They won't be happy, but they will like that better than getting a bill every time they need to edit their site.

I am considering changing the name of the wp-content directory, but obfuscation only gives false confidence as hack mitigation.  Besides, that would require hands on from our engineers for each wordpress site.

Emmett
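
The routine described in the message above (open write access to wp-content, close it, then reinspect the files) can be scripted as a before/after manifest comparison. This is an added example, not part of the original post or the poster's own tooling; the suffix list, function names and command-line form are assumptions.

```python
import hashlib
import json
import os
import stat
import sys

# Assumed list of suffixes the web server would execute as code.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".phar")


def snapshot(root):
    """Map each file or symlink under root to [content fingerprint, mode bits]."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # A symlink is recorded by its target, never followed.
                fingerprint = "link:" + os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                fingerprint = digest.hexdigest()
            else:
                continue  # plain directories and special files
            manifest[os.path.relpath(path, root)] = [fingerprint, stat.S_IMODE(st.st_mode)]
    return manifest


def compare(before, after):
    """Diff two snapshots; review_first lists new or changed executable files."""
    common = before.keys() & after.keys()
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    modified = sorted(p for p in common if before[p][0] != after[p][0])
    mode_changed = sorted(p for p in common
                          if before[p][0] == after[p][0] and before[p][1] != after[p][1])
    review_first = [p for p in added + modified if p.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {"added": added, "removed": removed, "modified": modified,
            "mode_changed": mode_changed, "review_first": review_first}


if __name__ == "__main__" and len(sys.argv) == 4:
    action, root, manifest_path = sys.argv[1:]   # save|check ROOT MANIFEST.json
    if action == "save":                         # run before granting write access
        json.dump(snapshot(root), open(manifest_path, "w"))
    else:                                        # run after revoking it
        print(json.dumps(compare(json.load(open(manifest_path)), snapshot(root)), indent=2))
```

Keep the saved manifest outside any directory the web server can write to, otherwise whatever wrote the files could rewrite the baseline as well.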