|
2008-04-07, 10:29 PM | #26 |
Whether you think you can or you think you can't, you're right.
|
Am I missing something here? I just realized, it seemed the whole deal with setting the htaccess file to 777 was so WordPress could write the new htaccess file for you? It's always been like that.
Then again, when you set up permalinks, WP gives you the htaccess code, you just copy and paste it into your htaccess file and upload it. Not much need to have a security hole so that WP can write the file instead of just doing it yourself. Just like when I see people changing the file permissions on their theme files, so they can edit them in WP, when it's just as easy to do it with a web page editor. Perfect example: someone hacked one of my blogs this a.m. (partly my fault, left a less than secure WP pass as it was); if all my files were editable (777), they could have done much more. They could have done little things that I might not even notice. This was no 2.5 bug or error. Or I missed something? |
2008-04-07, 11:26 PM | #27 |
Progress rarely comes in buckets, it normally comes in teaspoons
Join Date: Jun 2005
Location: Dark Side Of Naboo
Posts: 1,289
|
My copy of 2.5 did not give me any code to put in htaccess (and did not come with a htaccess file). I remember 1.5 did.
|
2008-04-08, 02:12 AM | #28 | |
Oh no, I'm sweating like Roger Ebert
|
Quote:
I haven't upgraded to 2.5 yet, but to my knowledge all WP versions will give you the htaccess code in permalinks when you try to set it if it cannot write to the file. I agree with ronnie: why set anything writable if you don't absolutely have to? |
|
2008-04-08, 02:51 AM | #29 | |
Progress rarely comes in buckets, it normally comes in teaspoons
Join Date: Jun 2005
Location: Dark Side Of Naboo
Posts: 1,289
|
Quote:
I haven't installed WordPress in almost 2 years so this was all new to me. |
|
2008-04-08, 08:18 AM | #30 |
That which does not kill us, will try, try again.
|
Since a lot of people seem to be upgrading older (sometimes very old) WordPress installations, here are a couple of links that will help with securing your sites.
Three Tips to Protect Your WordPress Installation - Matt Cutts
Hardening WordPress - codex

And yes, make sure you change your htaccess permissions back to 644 as soon as possible if you ever need to make it world-writable by setting them to 777 temporarily.

And really, if you leave any of your theme files writable by WordPress, or leave the standard 'admin' user with full admin rights, you can count on getting hacked at some point.

Also it's a good idea not to run more than one WP installation from one MySQL database. Sure, you can change prefixes for each install and run several from one database, but if you do get hacked at some point you're making it easy to take down all your blogs with one click.

Lots of good tips in the comments to Matt's article too, don't miss reading those. HTH
__________________
"If you're happy and you know it, think again." -- Guru Pitka |
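
An added example, not part of any post in this thread: a small shell audit for the permission advice in post #30. It lists anything under a WordPress directory left world-writable (777/666) and can reset it. The function names and the 644 for files / 755 for directories targets are assumptions of this example; the thread itself only names 644 for htaccess.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for world-writable files.
# Function names are hypothetical; pass the install path as the first argument.

# Print every file or directory under $1 that has the "other" write bit set
# (the bit that 777 and 666 turn on). Symlinks are skipped because their own
# mode bits do not control access.
wp_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print findings and return 1 if anything is world-writable, 0 if clean.
wp_audit() {
    found=$(wp_world_writable "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Reset only the entries that were world-writable:
# files to 644, directories to 755 (assumed targets, see lead-in).
wp_fix() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Stand-alone use: sh audit.sh /path/to/wordpress
[ "$#" -eq 0 ] || wp_audit "$1"
```

Run the audit after any session where htaccess or theme files were opened up temporarily; a non-zero exit status means something was left writable.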
2008-04-08, 03:53 PM | #31 |
Progress rarely comes in buckets, it normally comes in teaspoons
Join Date: Jun 2005
Location: Dark Side Of Naboo
Posts: 1,289
|
Excellent info Simon. Thanks for passing that along.
|
2008-04-08, 05:10 PM | #32 |
Whether you think you can or you think you can't, you're right.
|
Ya, that is true, they don't come with a htaccess file, I was thinking it still gives you the code to write to your htaccess file. My bad.
|
2008-04-08, 10:23 PM | #33 | |
Oh no, I'm sweating like Roger Ebert
|
Quote:
Not very obvious |
|
|
|