Guess certain people even with up-to-date blogs are getting hacked, just came through my feed a little bit ago:
http://threatpost.com/en_us/blogs/wordpress-hack-linked-database-password-hijack-041210
Every piece of software I know of stores database information as plain text in a file somewhere. (That's covered in the comments of the original report to some extent.)
You have to remember though that for a "hacker" to be able to read what's in the wp-config.php, they're going to have to gain access to the server the file sits on. If they have that access, well they pretty much have access period no matter what you do.
Gotta wonder though why this is coming out of Network Solutions. Did someone get ticked off at them for discovering that while they charge $35 a year for a domain, everybody else charges less than $10?
Yes, I've read a few articles detailing this same breach. Please note that other CMSs use the same technique to store passwords.
I kinda hate that the media is saying "flat text files" that implies a .txt. It's stored in a php file.
If you read closely, other articles have stated that it was the users who had changed permissions on wp-config.php to be something other than 644.
Note that the install process in MU reminds you to change this back after the install.
But, if the hacker gets into the box itself, which this one did, they can do what they like.
From my understanding, 644 may be vulnerable.
The problem appears to be shared hosting where there are multiple user accounts on the server. With the world read bit set (the last 4), any user on the server can theoretically read the file. Setting it to 640 would allow the owner's account to read it, but prevents other non-admin users reading it.
I cringe every time someone mentions setting their wp-content (edit: And wp-config.php come to think about it) to 777 instead of looking at the ownership.
... and if they are cpanel accounts and you have the username/password of other users on the box, you can get in to their databases.
because of a flaw in cpanel.
One of the (many) reasons why we're a Direct Admin shop. :)
Wait, you consider knowing someone's username/password a flaw in cpanel? Or am I misunderstanding you?
You're misunderstanding. :) If you & I have accounts on the same host, with cpanel, if I know your database username & password, I can log in to your database. In your web account.
Done it on my own vps.
Also, NetSol owns up:
http://blog.networksolutions.com/2010/wordpress-is-not-the-issue/
I can log in to your database
We can do that in Direct Admin actually. Never discussed it with the DA people. CPanel says it's not a security issue though.
I seem to recall even suggesting to folks to place wpmu's databases in their own account. Makes for easier (and smaller) backups.
edit: Just to add, I do note that NetworkSolutions doesn't state what the actual problem was, nor even hint at it. I guess their "learning experience" isn't something they want to make public.
Yeah, it's kind of a moot point, because if you're at the place where you can get those passwords anyway, you've already been breached, you know?
So what should I set my wp-config.php and wp-content files to for best security? I am sorry to say that my client is using Network Solutions as a host, but I still need to secure my WordPress MU. Thank you
1. The most secure permissions that will still let your site function. This will vary by host, but if possible try to set them to 640.
2. Get your client off Network Solutions. Part of securing WordPress is making sure the server it's on is adequately secured, and unless you run your own servers, the only action to take is to change hosts.
1) And if the files are owned by username:username, you just killed your site. They need to be owned by username:webserver, where webserver is the group that the webserver (whichever one you're using, of course) is in. For most *NIX systems that I've seen, that would be username:apache. The problem being though that's not something you can set in CPanel.
2) I don't think any host that uses CPanel is that secure. Considering that you also have to deal with broken and insecure Fantastico installs, it's a problem. Plus you have to upgrade Fantastico as well as you go, and it seems like many hosts don't realize that.
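The two checks the posts above keep coming back to (no world-read bit on wp-config.php, and the file's group being the webserver's group so that 640 doesn't break the site) can be audited with a short script. This is an added example, not code from the thread or from WordPress; it assumes a Linux host with GNU `stat -c` (BSD/macOS `stat` uses different flags), and the demo uses a constructed wp-config.php in a temp directory rather than a real install.

```shell
#!/bin/sh
# Added example: audit a wp-config.php for the two problems discussed in the
# thread. Assumes GNU stat (Linux). Not part of WordPress or of the posts.

# Return 0 when the file's mode has no "other" bits set (last octal digit 0).
# 644 fails this check (any account on a shared box can read it); 640 passes.
no_world_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" = "0" ]
}

# Return 0 when the file's group is the expected webserver group
# (e.g. apache); 640 only works for the site if this holds.
group_is() {
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Full audit: prints a finding per check, returns 0 only when both pass.
audit_wp_config() {
    f=$1; wsgroup=$2; rc=0
    if no_world_bits "$f"; then
        echo "OK   $f: mode $(stat -c '%a' "$f") has no world bits"
    else
        echo "WARN $f: mode $(stat -c '%a' "$f") is readable by every account on the box"
        rc=1
    fi
    if group_is "$f" "$wsgroup"; then
        echo "OK   $f: group is $wsgroup"
    else
        echo "WARN $f: group is $(stat -c '%G' "$f"), expected $wsgroup (640 will break the site until fixed)"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file. The webserver group is assumed to be the
# caller's primary group so the demo runs without root.
demo() {
    d=$(mktemp -d); f="$d/wp-config.php"
    printf "<?php define('DB_PASSWORD', 'constructed-example');\n" > "$f"
    chmod 644 "$f"; audit_wp_config "$f" "$(id -gn)"   # warns: world-readable
    chmod 640 "$f"; audit_wp_config "$f" "$(id -gn)"   # passes both checks
    rm -rf "$d"
}
```

Run `demo` from a shell that has sourced the script; on a real host replace `$(id -gn)` with the webserver's group and point the audit at the live wp-config.php.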
NetSol got hacked again, this time they targeted other platforms & not WP.