Opened 7 months ago
Last modified 7 months ago
#60718 new enhancement
Awareness of permission after updating cores, themes and plugins
Reported by: | Girishpanchal | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.5 |
Component: | Upgrade/Install | Keywords: | needs-patch |
Focuses: | | Cc: | |
Description
This is a major security concern nowadays when people install/update plugins or themes on DEV/STAG/PROD after changing the respective directory permission from 755 (7=rwx 5=r-x 5=r-x) to 777 (7=rwx 7=rwx 7=rwx).
Once the installation/update is complete, people forget to restore the directory permission, and due to this, hackers might inject scripts into those directories.
To prevent this, we have to check directory and file permissions for it and give a notice at the top of the admin section.
It will help to reduce security threats.
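As an added illustration of the check the ticket asks for (this is example code, not part of WordPress core and not something the reporter posted), the following must-use plugin scans `WP_CONTENT_DIR` a couple of levels deep for entries whose "other write" mode bit is set, caches the result in a transient, and shows an admin notice to users who can manage options. The function names `ww_example_*` and the transient key are assumptions chosen for this example. It inspects only classic mode bits, so hosts that grant write access through ACLs or suphp will not be flagged, and hosts where world-writable directories are intentional will produce notices that an administrator has to judge for themselves.

```php
<?php
/**
 * Plugin Name: World-Writable Path Warning (example for ticket #60718)
 * Description: Added example, not WordPress core code. Drop into wp-content/mu-plugins/.
 */

/**
 * Return [path => octal mode] for every entry under $roots (to $max_depth)
 * whose "other write" bit (0002) is set, i.e. 777-style permissions.
 * Hypothetical helper name; the logic is plain PHP SPL iteration.
 */
function ww_example_scan_world_writable( array $roots, int $max_depth = 2 ): array {
    $hits = array();
    foreach ( $roots as $root ) {
        if ( ! is_dir( $root ) ) {
            continue;
        }
        $paths = array( $root ); // check the root directory itself as well
        try {
            $iterator = new RecursiveIteratorIterator(
                new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
                RecursiveIteratorIterator::SELF_FIRST
            );
            $iterator->setMaxDepth( $max_depth );
            foreach ( $iterator as $info ) {
                $paths[] = $info->getPathname();
            }
        } catch ( UnexpectedValueException $e ) {
            // An unreadable subdirectory; report what we could list.
        }
        foreach ( $paths as $path ) {
            $perms = @fileperms( $path );
            if ( false === $perms ) {
                continue;
            }
            if ( $perms & 0002 ) {
                // Keep only the last four octal digits (e.g. "0777").
                $hits[ $path ] = substr( sprintf( '%o', $perms ), -4 );
            }
        }
    }
    return $hits;
}

/**
 * Run the scan at most every 12 hours and print a warning notice.
 * Hook name 'admin_notices' and capability 'manage_options' are WordPress core.
 */
function ww_example_admin_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $hits = get_transient( 'ww_example_world_writable' ); // assumed transient key
    if ( false === $hits ) {
        $hits = ww_example_scan_world_writable( array( WP_CONTENT_DIR ) );
        set_transient( 'ww_example_world_writable', $hits, 12 * HOUR_IN_SECONDS );
    }
    if ( empty( $hits ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>';
    echo esc_html( 'World-writable paths detected under wp-content; restore 755/644 permissions if this was not intended:' );
    echo '</strong></p><ul>';
    foreach ( $hits as $path => $mode ) {
        printf( '<li><code>%s</code> (mode %s)</li>', esc_html( $path ), esc_html( $mode ) );
    }
    echo '</ul></div>';
}
add_action( 'admin_notices', 'ww_example_admin_notice' );
```

Placing the file in `wp-content/mu-plugins/` activates it without the plugin screen. A depth of 2 from `wp-content` covers `plugins/<slug>` and `themes/<slug>`; raising it on a large site makes the scan slower, which is why the result is cached rather than recomputed on every admin page load.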
Change History (1)
If someone is changing permissions to allow installation of plugins/themes, and then changing back afterwards, I'd say they're managing the infrastructure improperly; that's not something that WordPress expects an end-user to do.
To further complicate it, it's incredibly common for some hosting environments which are secured through ACLs or suphp to have files writable permanently by the running code, even though it might only have 600-style permissions.
IMHO, this is outside the scope of WordPress. Anyone having to change permissions to install plugins should probably either a) configure PHP to have writable access, b) not use WordPress to manage the plugins/themes (I'd suggest they should be looking at wp-cli), or c) use the FTP/SSH access methods instead.