Make WordPress Core

Opened 3 months ago

Last modified 3 months ago

#60718 new enhancement

Awareness of permission after updating cores, themes and plugins

Reported by: girishpanchal's profile Girishpanchal Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.5
Component: Upgrade/Install Keywords: needs-patch
Focuses: Cc:

Description

This is the major security concern now a day when people install/update plugins or themes on DEV/STAG/PROD after changing respective directory permission from 755 (7=rwx 5=r-x 5=r-x) to 777 (7=rwx 7=rwx 7=rwx)

Once installation/updation is complete, people forget to restore directory permission, and due to this, hackers might inject scripts into those directories.

To prevent this, we have to check directories and file permissions for it and give the notice on top of the admin section.

It will help to reduce security threats.

Change History (1)

#1 @dd32
3 months ago

  • Component changed from Security to Upgrade/Install
  • Focuses accessibility performance privacy removed

This is the major security concern now a day when people install/update plugins or themes on DEV/STAG/PROD after changing respective directory permission from 755 (7=rwx 5=r-x 5=r-x) to 777 (7=rwx 7=rwx 7=rwx)

If someone is changing permissions to allow installation of plugins/themes, and then changing back afterwards, I'd say they're managing the infrastructure improperly, that's not something that WordPress expects an end-user to do.

To further complicate it, it's incredibly common for some hosting environments which are secured through ACLs or suphp to have files writable permanently by the running code, even though it might only have 600 style permissions.

IMHO; this is outside the scope of WordPess. Anyone having to change permissions to install plugins, should probably either a) configure PHP to have writable access b) not use WordPress to manage the plugins/themes (I'd suggest they should be looking at wp-cli) or c) use the FTP/SSH access methods instead.

Note: See TracTickets for help on using tickets.