Hack

Website and WordPress Security

Unfortunately this post has been prompted by my own security scare! The problem, which surfaced yesterday seemed to center around the .htaccess file in the root directory of client WordPress powered sites. A hacker managed to exploit a file permissions vulnerability in this file in a pile of sites which basically allowed him/her/it to inject some code in there, redirecting any site visitor to http://r1estudio.com/cabanas with the following slightly pointless message:

Hack

I had a habit of setting the permissions on the .htaccess file to 666 which is the lowest permission I could give it and still enable WordPress to write things like Permalink, Cache & Mobile configuration to the file. Trouble is I never changed back once I had WordPress configured. The ideal permission for that file seems to be 644 which should stop anything editing it.

The .htaccess and wp-config files happen to be quite important in WordPress so make sure yours can’t be written to. As usual, you learn the hard way.

The same goes for all sites, whether WordPress powered or not. Watch your file permissions and passwords!

Leon.

Advertisements

Published by

Leon Quinn

Multimedia Design company in Leitrim, Ireland specializing in WordPress Website Design, Photoshop and Graphics. www.reverbstudios.ie

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s