0777 Permissions Security Risk - What You Need To Know...
This is just a quick article to alert webmasters to the security risks associated with 0777 CHMOD permissions. Not all webmasters are aware of the risk, or even know whether they already have 0777 permissions set on any files or folders, and certainly few new webmasters or bloggers will be aware of the risks, or what to do about them.
What's worse is that some software developers still actually advise setting permissions to 0777, and even more worrying is that some software developers will dismiss the issue even when alerted to it (such as one I'm currently dealing with concerning a COMMERCIAL WordPress plugin: upon installation the program not only AUTOMATICALLY set its own folders to 0777, but also changed MULTIPLE OTHER (CORE) FILES on the server to 0777, changed all the sub-folders to 0777, and furthermore the files within those folders were also all changed to less secure permissions! Geez, you'd think they'd have been concerned, right? You'd think that they'd put out a warning to other users, right? Nope. Instead they were, in my opinion, rude and dismissive (their response was actually "whatever...." and then they went on to tell me that I didn't really understand). I'm still fuming. Rude, Dismissive AND patronizing! Amusingly, an update was released the next day and the problem fixed, but I'm still fuming at their reply and their attitude.
I actually DO understand the (very real) risk of using 0777, and so do experts such as Brian Teeman (search his blog, brian.teeman.net, for the topic of 0777 and you'll find a number of articles on it, all advising how dangerous it is and how it should NEVER be used, as well as articles describing his anger with ignorant or carefree developers such as the one I highlighted here).
0777 permissions are such a security risk that any Joomla CMS extension found to be using or creating 0777 files is added to the "Joomla Vulnerable Extensions" list. Joomla users are also advised to remove any extension on the JVE list until the problem is fixed.
In short, using 0777 permissions is a sure-fire way to make your site easier to hack.
So anyway, I thought I'd just warn our readers and new webmasters about the danger of 0777, how to find out whether any files on their server are using 0777, and more importantly, what to do about it.
CHMOD Permissions Explained
CHMOD permissions, for non-technical users, simply mean the permissions given to the files or folders on your server. The permissions are represented by numbers, such as 0755, 0777 etc. Each of the digits determines how secure or insecure the particular file or folder is; that is to say, they determine WHO you are allowing the right to access, modify or execute the folder or files concerned (the last three digits cover, in order, the file's owner, the owner's group, and everyone else on the server).
Some permissions are less secure than others.
0777 is the LEAST secure of all. In layman's terms, it gives ANYONE on the server (not just you, but every other account and every program running on it) the right to access, modify or execute the file or folder. It is therefore a favourite of hackers. It is the view of many experts that 0777 should NEVER be used. Ever.
If a developer advises using 0777 permissions, all the experts I've studied recommend that you look for another product (another option is to ignore the developer's unsafe advice and use a safer permission instead, such as 0755; I have found, without exception, that the product concerned will still work as expected, but if for some reason it didn't work, then I would find something else).
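To make the digits concrete, here is a small text-mode CHMOD decoder, written for this article as an added example (it is not a tool from the original post or from any of the products mentioned). It turns a permission number such as 0777 or 0755 into the owner / group / others triplets that "ls -l" would show, and says which of the three classes is allowed to write. The function names are my own.

```shell
#!/bin/sh
# Added example: decode an octal chmod value (0777, 0755, 644 ...) into the
# r/w/x triplets for owner, group and others, and report who may write.

# Turn one octal digit (0-7) into its r/w/x string: 4 = read, 2 = write, 1 = execute.
digit_to_rwx() {
    d=$1
    r='-'; w='-'; x='-'
    [ $((d & 4)) -ne 0 ] && r='r'
    [ $((d & 2)) -ne 0 ] && w='w'
    [ $((d & 1)) -ne 0 ] && x='x'
    printf '%s%s%s' "$r" "$w" "$x"
}

# Split a mode such as 0755 (or 755) into its three digits: owner, group, others.
# The leading 0 is the special-bits field (setuid/setgid/sticky) and is ignored here.
mode_digits() {
    m=$1
    m=${m#"${m%???}"}          # keep only the last three digits
    rest=${m#?}
    printf '%s %s %s' "${m%??}" "${rest%?}" "${rest#?}"
}

# mode_to_rwx 0755 -> rwxr-xr-x  (the same notation "ls -l" prints)
mode_to_rwx() {
    set -- $(mode_digits "$1")
    printf '%s%s%s' "$(digit_to_rwx "$1")" "$(digit_to_rwx "$2")" "$(digit_to_rwx "$3")"
}

# who_can_write 0777 -> "owner group others". The "others" class is every
# account and program on the server, which is exactly why 0777 is the one to avoid.
who_can_write() {
    set -- $(mode_digits "$1")
    out=''
    [ $(( $1 & 2 )) -ne 0 ] && out="$out owner"
    [ $(( $2 & 2 )) -ne 0 ] && out="$out group"
    [ $(( $3 & 2 )) -ne 0 ] && out="$out others"
    printf '%s' "${out# }"
}

# Exit status 0 (true) when the mode lets "others" write, i.e. it is world-writable.
is_world_writable() {
    set -- $(mode_digits "$1")
    [ $(( $3 & 2 )) -ne 0 ]
}

# Usage: decode the values that come up in this article.
for mode in 0777 0755 0644 0705 0604 0404 0400; do
    printf '%s  %s  writable by: %s\n' "$mode" "$(mode_to_rwx "$mode")" "$(who_can_write "$mode")"
done
```

Reading the output, 0777 is the only value in the list where "others" appears in the "writable by" column; 0755 and 0644 let everyone read (and, for folders, enter) but only the owner change anything, and 0400 / 0404 let nobody write at all.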
How To Know Whether You Have 0777 Permissions Enabled On Your Server
Go to your web server and go into the root folder of your site (that's the folder where all of your website files and folders are stored) and you will notice that each folder, sub-folder and file has a number listed with it, such as 0755, 0744, 0644, 0655, etc. (the numbers are usually listed on the right-hand side of the list of files). These numbers are the CHMOD permissions for each file or folder, and they tell you who can do what with them. If you see any with the number 0777 then your website is potentially at risk. You need to secure those files or folders by giving them a more secure CHMOD permission level (number).
If you are in doubt about which CHMOD number to change the files for a particular program to, you could either try different permission levels and then test that everything still works, or contact the software developer for advice (and at the same time alert them and other users to the security problem caused by the program, if it was to blame for the 0777 setting; sometimes there can be other reasons, such as your site having already been hacked).
Some products, such as download managers and video or photo sharing applications, may need slightly more permissive (less secure) CHMOD settings that allow website visitors or members to upload to the server or download from it, so they may require less-secure permission levels than some other folders (however, they still do not need 0777 permissions; usually 0755 will still suffice).
How To Know What CHMOD Permissions To Use
The best way I have found to decide which CHMOD permission to use is a CHMOD permissions tool; they can help you select the best permission number for your needs. We have one available on this site, see here:
https://business-in-site.com/chmod-calculators - (2012/02/19 - NOTE: Sorry, but this tool is not working at present due to our recent website conversion / overhaul, therefore the page has been un-published - sorry - but I hope to have it back working ASAP. Regards, Admin.)
I put that CHMOD tool on the site because I personally found it so useful. Being visual, these CHMOD tools can also help you easily learn and understand CHMOD permissions, and after a while you probably won't even need to use the tool.
Once you decide which permission number you wish to use, you can then go to your server and manually change each file or folder to the permission number you have selected. You do this by clicking on the CHMOD number displayed next to each file or folder; a drop-down box will open, allowing you to change the current number. Enter the new number and press save. Done!
Generally speaking, 0755 is good for most folders (such as folders for images, templates etc.) and 0644 is often used for files within those folders (such as the image files). If you want to tighten down your site even further, you can try using 0705 on your folders and 0604 on the files.
Lock Down Your Sensitive or Vital Files and Folders
Additionally, it's a good idea to really lock down a few key files and folders. The following CHMOD settings are those currently suggested (Feb. 2012) by BPS Security (a WordPress plugin). If you are using WordPress, then perhaps consider giving the BPS Security plugin a try, as it helps to further secure the site by creating a secure .htaccess file for the root folder, plus other sensitive folders.
- Website root folder: 0705 (if possible; however, I've found that sometimes it is not possible to use 0705, such as with the root folder of multi-site installations)
- wp-admin folder (or the equivalent in your type of CMS): 0705
- wp-content folder (or the equivalent in your type of CMS): 0705
- wp-includes folder (or the equivalent in your type of CMS): 0705
- .htaccess file: 0404 (note: some plugins may prevent using 0404, in which case try 0604 or stronger if possible. Note too that you will need to temporarily revert to the default 0644 permission whenever you need to write to the .htaccess file, such as when installing some cache plugins, etc.)
- index.php: 0400
- wp-config file (or the equivalent in your type of CMS): 0400
- wp-header.php (or the equivalent in your type of CMS): 0400
IMPORTANT - please note: The above settings are only suggestions, and you should ensure that they are suitable for your particular website and server environment; we take no responsibility for any problems that may arise should you use these settings. You will also need to revert to the default (less secure) CHMOD permissions when you upgrade your WordPress website using the auto-upgrade tool, otherwise it won't be able to upgrade properly, but once you've done it a couple of times it's very easy and quick to do (and if you forget to revert the settings before auto-upgrading, don't worry: you can simply run the WordPress upgrade again and it will be fine, speaking from experience here!).
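If you have shell (SSH) access to the server rather than just a file manager, the checking described under "How To Know Whether You Have 0777 Permissions Enabled" and the lock-down list above can both be done in one short script. The one below is an added example written for this article, not code from the original post, from BPS Security or from WordPress: it builds a throw-away tree laid out like a WordPress install (constructed here, with a "bad plugin" that left its folders, the uploads folder and wp-config.php at 0777), lists everything that is world-writable, applies the 0755 folders / 0644 files baseline, and then sets the stricter values from the list. The sample tree has no wp-header.php, so that entry is skipped, and mode_of() assumes GNU stat (-c %a) with a BSD stat (-f %Lp) fallback.

```shell
#!/bin/sh
# Added example: find world-writable entries in a site tree, apply the
# 0755/0644 baseline, then lock down the key WordPress files and folders.

# Build a constructed throw-away tree in a temp dir and print its path.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/uploads" \
             "$root/wp-content/plugins/badplugin/cache" "$root/wp-includes"
    for f in index.php wp-config.php .htaccess wp-includes/load.php \
             wp-content/uploads/photo.jpg wp-content/plugins/badplugin/plugin.php; do
        printf 'x\n' > "$root/$f"
    done
    find "$root" -type d -exec chmod 0755 {} +     # sane defaults first ...
    find "$root" -type f -exec chmod 0644 {} +
    # ... then the damage the "bad plugin" did: its folders, uploads and a core file at 0777
    chmod -R 0777 "$root/wp-content/plugins/badplugin" "$root/wp-content/uploads"
    chmod 0777 "$root/wp-config.php"
    printf '%s\n' "$root"
}

# Print a file's permission as an octal number, e.g. 755 or 400 (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List world-writable entries under $1 as paths relative to it, sorted.
# "-perm -002" matches anything whose "others" write bit is set, so it
# catches 0777 as well as 0666, 0757, 0646 and so on.
list_world_writable() {
    ( cd "$1" && find . -perm -002 -print | sed 's|^\./||' | LC_ALL=C sort )
}

# Step 1: the general baseline from the article, 0755 for folders, 0644 for files.
# This is also the state to revert to before running the WordPress auto-upgrader.
apply_baseline() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Step 2: the tighter values suggested for the key files and folders.
lock_down_wordpress() {
    chmod 0705 "$1" "$1/wp-admin" "$1/wp-content" "$1/wp-includes"
    chmod 0404 "$1/.htaccess"
    chmod 0400 "$1/index.php" "$1/wp-config.php"
}

# Full run: baseline, then lock-down; prints how many world-writable entries remain.
harden_site() {
    apply_baseline "$1"
    lock_down_wordpress "$1"
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Usage on the constructed tree.
site=$(make_sample_site)
echo "World-writable before hardening:"; list_world_writable "$site"
echo "World-writable entries left after hardening: $(harden_site "$site")"
rm -rf "$site"
```

Two things worth noting from the script: the search uses "-perm -002" rather than looking for the exact value 0777, because any mode with the "others" write bit set (0666 on a file, for instance) carries the same risk; and apply_baseline is the same step you run again before an auto-upgrade, after which you re-run the lock-down.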
Hope this helps!