WordPress on GoDaddy Server

People, don’t set your file/folder permissions to 777!

This morning I received e-mails from a few of the clients hosted at http://www.godaddy.com regarding http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/, which was found on Twitter. People are asking me if they should be concerned about this so-called threat. Whether the above article is true or not, it has nothing to do with the WordPress platform or your hosting at GoDaddy.

Website owners often do unreasonable things such as changing their WordPress folder permissions (chmod 0777), and that causes serious problems and real threats to any website, whether it runs WordPress or not. If you are unsure about something, please contact your hosting provider and ask whether what you are trying to do is the right thing; please don’t just change your file/folder permissions and make your site an easy target for script cracking.

If there is an issue, or even if everything looks normal, get a free plugin such as WP Security http://wordpress.org/extend/plugins/wp-security-scan/ and you are all set. The plugin will tell you what permissions are currently set as well as what they should have been in the first place.
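A read-only audit in the spirit of the paragraph above, as an added example that is not part of the original post and not the WP Security plugin's code: it lists every file or folder whose mode grants more than an assumed baseline of 644 for files and 755 for folders (the values a commenter on this page mentions) and marks world-writable entries such as 777. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed baselines (not taken from any plugin): 644 files, 755 folders.
FILE_BASELINE = 0o644
DIR_BASELINE = 0o755

def build_sample_tree(root):
    """Create a small constructed WordPress-like tree with mixed modes."""
    layout = {  # relative path -> mode; a trailing slash marks a folder
        "index.php": 0o644,
        "wp-config.php": 0o777,
        "wp-content/": 0o755,
        "wp-content/uploads/": 0o777,
        "wp-content/uploads/photo.jpg": 0o755,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere

def audit_permissions(root):
    """Return sorted (relpath, mode, baseline, world_writable) tuples for
    every entry under root that grants bits beyond its baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing useful
            baseline = DIR_BASELINE if stat.S_ISDIR(st.st_mode) else FILE_BASELINE
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~baseline:  # any permission bit the baseline lacks
                rel = os.path.relpath(path, root)
                findings.append((rel, mode, baseline, bool(mode & stat.S_IWOTH)))
    return sorted(findings)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, mode, baseline, ww in audit_permissions(root):
            note = "WORLD-WRITABLE" if ww else "looser than baseline"
            print(f"{rel}: {mode:03o} (baseline {baseline:03o}) {note}")
```

Point `audit_permissions` at a copy or mount of the real WordPress root to get the same report; it only reads metadata and changes nothing.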

So who is to blame, well you. If we open our doors many will come without knocking or saying hello.

Few tips:

NOTE: 04/26/10 @7:05PM CST

I don’t want this to be turned against any site, wpsecuritylock.com or any other; my point was about file/folder permissions, not about the sites that posted the article.

17 Responses to “WordPress on GoDaddy Server”

  1. Sandy says:

    My blog is on GoDaddy as well and there were no issues at all. What crossed my mind is that this was just some kind of marketing fishing by people that sell their services.

  2. Michael Labinac says:

    People, don’t fall for this! Just simple propaganda against GoDaddy. We have 4 sites on GoDaddy as well and there was nothing. wpsecuritylock.com wants to make money, that’s all!

  3. [...] This post was mentioned on Twitter by FireflyBlog, Emil Uzelac. Emil Uzelac said: #WordPress on @GoDaddy Server – What really happened! http://goo.gl/nQnC [...]

  4. Milo says:

    My web site shows no signs of (attack). One thing for sure is that people don’t know the difference between site hacking & site cracking. Even if this was true, it’s not a hack. Set your permissions to 777 and you’ll get all kinds of problems on any hosting provider.

    Cheers,
    Milo

  5. Thank you for spreading the awareness about how important it is to take security measures seriously on your websites.

    In reviewing your post, I’m a bit concerned that the information you’re given may mislead people. Having incorrect permissions may not be the cause of this attack, but it is true that they are very important.

    We have been on the phone with Godaddy’s Security team several times today. We’re providing them information as it becomes available on sites that have been hacked to put a stop to it. Godaddy is getting close to the answer and we will have it very soon.

    As for our credentials, feel free to call Godaddy and ask if they recommend WPSecurityLock in helping restore sites. Our passion is to help webmasters restore their websites and keep them safe, whether we do it for them or give them the tools to do it themselves.

  6. Miserere says:

    So who is to blame, well you.

    Well no. Not necessarily.

    I got hacked twice last week, once on Wednesday, another on Friday/Saturday. On Wednesday I did have some 777 permissions set, foolish me, but for the Friday attack I had all files at 644 and no folder more open than 755; I also had a number of security plugins installed. No matter, the hack happened anyway.

    I know you mean well, and it’s important to have permissions set correctly, but it’s not always the users’ fault when they get hacked. Please don’t patronise us–after losing 5 days of my life to these hacks, I am in no mood for it.

    And yes, I’m hosted by GoDaddy.

    • admin says:

      Miserere,

      I had no intention of patronizing anyone at all; just like you said, I truly mean well when posts like this one are published. It starts with folder permissions, it could lead to a lousily coded theme, and I still don’t believe that this has anything to do with GoDaddy.

      Love your reactions guys, please keep them coming.

      Thanks,
      Emil

  7. Strava says:

    @WPSecurityLock I think that GoDaddy can handle their own security just fine. @Miserere WTF are you talking about.

    • Miserere says:

      Strava, what I’m saying is that many people who had the appropriate permissions set for their files (myself included) got hacked, so just saying that this hack took place because of loose permissions is simplistic and unreal.

      I don’t know that this hack was GoDaddy’s fault, but it certainly wasn’t a hack for the gullible–it was a well coded attack, and the hacker must be quite pleased with him/herself.

      I’d like to know if other hosts also got WP blogs hacked too, and in what proportion. GoDaddy is very popular, so it’s natural that we hear about their blogs more than from other smaller hosts.

      • admin says:

        Miserere,

        A vulnerability scan usually does the trick! A few moments ago I scanned 3 different GoDaddy hosting servers of my clients (Shared, VDS and Dedicated as well) and none of them reported any security issues at all. One of the three already had McAfee and there was nothing in it.

        Thanks,
        Emil

      • Strava says:

        So I scanned mine as well. SNAP, nothing in. Come on people, get real, this was NOT what you think it was!

    • Strava,

      Although Go Daddy takes their server security very seriously, the fact of the matter is that thousands of websites were hacked. Almost every website that we’ve cleaned so far from these malware attacks had EVERY file and directory permission either set to 777 or 755, including their wp-config.php file. It seems that these attackers are resetting the website permissions leaving the site vulnerable even after clean up.

      Many webmasters are not aware what the server permissions should be. Some webmasters just use 755 or 777 because they don’t understand otherwise.

      @Miserere, I feel your pain. I know that you’re a very security conscious webmaster and do all you can to make your website safe. These crooks (malicious hackers) have outsmarted the cops (hosting companies) and they’re working on stopping them.

      • admin says:

        WPSecurityLock,

        So we did indeed come back to what I originally posted, and that was the folder permissions. I really don’t like to brag about it, but WordPress is what I do on a daily basis since they released the first edition back in 2003. Now I manage several clients who are with GoDaddy and none of them were affected in any way at all; however, I very recently got a new client whose account was simply a mess due to poorly written plugins, and that’s a huge security risk, as is giving permissions to folders just so that the user can automate plugin updates without FTP credentials.

        A few things to bear in mind:

        1. DO NOT reset your folder permissions, regardless of whether the plugin “tells you so” or you’re “tired” of typing in your FTP logins
        2. If the plugin isn’t from a recognized author, try not to install it
        3. When installing new themes, please make sure that the theme is secured as well; I’ve seen so many weird codings, and they could potentially be a security risk as well
        4. Premium themes are always highly suggested; not only can you get quality support but also peace of mind knowing that you’ll have proper code.
        5. Update, update: not just your WordPress, plugins are important as well.

        I am glad that we’re in agreement here and thanks for your comments.

        Thanks,
        Emil

  8. Miguel Trauscht says:

    I really like your site. This post was a really nice read! Thanks.
