Quick WP question re Error

[phuckbunny]

I just added two domains, installed WP on both, same version.

One I'm in the process of working on and it's fine.

Taking a break from the first one I opened up the second one and wanted to start modifying the theme.

However, I got an error saying "If this file were writable you could edit it."

Obviously this is a permissions thing but could I have clicked something by accident in the preferences? Just asking before I have to contact the hosting co.

[dellson]

Warning: I'm a total newbie when it comes to WP, but here is my experience with the same problem:


The error you describe I have gotten just about all the times I would edit a theme.

And I don't think it has to do with any preferences.

I just login to my site via FTP, and i make the files writable (777). You could make the single file you edit writable, and that would probably work.
Although for the sake of easiness i usually just have my ftp-program make the entire themes-folder writable.

Sorry for maybe stating the obvious!

[phuckbunny]

Thx for writing. I've never gotten this problem before. I wonder if we're using the same host... They fixed it on their end but I'm still

[odysseus]

Hey phuckbunny. I usually change my permissions to 666 to make them writable. I don't know much about servers, but I think it's safer than 777. Maybe a smart server guy will chime in with their opinion. 666 also has the added benefit of being the number of the beast, so it's, um.... magical or something. Ok, I'm tired and I'll stop now.

[sunfunbill]

Hey PB. On mine I always have to go and change the file setting before I can edit it. You should be able to go into your host account and change the settings on every page.

Once you edit it you should change it back so no one else can write it.

[Mr. Lovepants]

unless its a minor tweak I always haul the file out onto the desktop and make a back-up copy of it in case I really mess things up

[horney]

Permissions, ALWAYS! IMPORTANT!

Directories (folders) 755.

Files (includes images) 644.

Sometimes when installing an application, your Apache "web" user, which could be something like web-data, web, nobody, will need read, write and execute on directories during the installation. So will other (see below). That's 777 but remember to change it back to 755 immediately you have completed the installation process.

Breakdown:

The first number is the owner, then group, then other aka the rest of the world. So 777 means each of owner, group and other all have read, write and execute permissions. The numbers break down like this:

Read 4
Write 2
Execute 1

These add up to 7. So it's easy to see that 4 is read only, 6 is read and write, 5 is read and execute. They simply can't add up to anything not easy to work out when you combine them.

So 666 is giving malefactors who manage to find their way in write permissions without needing a password. Only you, the owner, should have that. The web user only needs read, so it can read stuff to the screen for your visitors and the others (visitors) only need read to see it.

The reason for execute on directories is because they need to be opened to get what's inside, which is why what's inside should only ever have the correct permssions.

[razor]

useful post horney - I never new wtf all these numbers meant. I just merrily changed everything and hoped for the best.

[dellson]

Ups, I guess that was a lesson in not writing tips about "dangerous" stuff one knows "not-so-much"-about.

Thx for the good tips, and now it's time to change all my 777's

[odysseus]

Quote:

Originally posted by horney
Permissions, ALWAYS! IMPORTANT!

Directories (folders) 755.

Files (includes images) 644.

Sometimes when installing an application, your Apache "web" user, which could be something like web-data, web, nobody, will need read, write and execute on directories during the installation. So will other (see below). That's 777 but remember to change it back to 755 immediately you have completed the installation process.

Breakdown:

The first number is the owner, then group, then other aka the rest of the world. So 777 means each of owner, group and other all have read, write and execute permissions. The numbers break down like this:

Read 4
Write 2
Execute 1

These add up to 7. So it's easy to see that 4 is read only, 6 is read and write, 5 is read and execute. They simply can't add up to anything not easy to work out when you combine them.

So 666 is giving malefactors who manage to find their way in write permissions without needing a password. Only you, the owner, should have that. The web user only needs read, so it can read stuff to the screen for your visitors and the others (visitors) only need read to see it.

The reason for execute on directories is because they need to be opened to get what's inside, which is why what's inside should only ever have the correct permssions.

Useful info. What about directories that need to remain writable so that, for instance a site map plugin, can update itself when it needs to? What would be a good setting for that?

[horney]

If the plugin has been added sensibly, it should have a command built in which depends upon the server's distro (particular flavour of Linux or Unix). It is either su or sudo and you have to enable it during installation, although you have no need to know you are doing that. This will give the plugin write commands at the relevant times but not as a general feature. The script "signs out" when it's done.

You're getting into realms you don't need to know and I'm not going to give shit-headed script kiddies access to on a public forum. Suffice it to say you rely on the designers of the apps to get it right. They usually do. *nix is amazingly secure when handled properly. Fortunately for all of us, it is far and away the most popular server platform, in spite of the (relatively and generally insecure) M$'s spin and sales bullshit.

[trulymadly]

Hi

I noticed the first post when you mention you want to ' edit the theme ' , the message you got is not an error message. But you probably already figured that out.

By default, the themes you uploaded into the wp-content folder, all the important files are probably set to 644, server writable but not you nor others. Those are like template and css files for your theme, and to be honest unless you are familiar with the wp template system, I would not just use the wp template editor and start editing it even you changed the file permission to writable.

What I usually do if I need to edit something is, download the file via ftp, make a back up, edit, upload the new copy and overwrite the old one. That way is safer and you don't need to change all your files to user writable.

By the way, just thought I might as well mention this experience of mine here.

One time, I had a whole bunch of index file hacked by the server itself, they were 644 but since it is server writable, a malicious script somewhere in the server has been adding code to almost all index files in the server. Now I have set them index files to 444 just in case.

[sunfunbill]

Hey horney, someone told me on my picture uploader I should make it so nothing can be Executed in that directory. But, I still need it writeable so members can upload a picture.

So how would that look, 666? Or 766?

[horney]

This is very important, folks, so please try to understand it and ask questions if necessary.

Firstly, trulymadly, it's a good tip to download, make changes, then upload. That way you can't screw up the permissions. Also, 444 is safer but you have to change the first digit to 6 before you can download or upload when you leave it like that.

However, the first number, 6 is the owner. You are the owner, not the server. When Apache sets up a new user, that user becomes a member of the web group, i.e. the server's group. If you have anything different, talk to your sysadmin or your host help team and get it put right.

You have also illustrated why these permissions are extremely important. Someone cracking the server (cracking = hacking in illegally) can alter anything which the server has permissions for on that server. So on shared hosting you are running a huge risk of other customers doing something stupid if you give the server write permissions. Keep them to yourself.

Once again:

Owner = you
Group = web / server
Other = rest of world - give it nothing but read on files!!!! Never, ever, give it write, even on directories, except during installation!!!!!

[horney]

Bill, sorry, we must have been typing at the same time. I'd have to see the whole app and read through it. The way it should work is that your members would have restricted "ownership" of a very restricted file set, so they should be able to write with them at 644. But there are some damned insecure apps out there. As WP has a good reputation, I'd be tempted to leave it at its defaults, so that's probably as I originally outlined above, 755 for directories and 644 for files.

[trulymadly]

lol, everyone was typing at the same time. Good thing I took a look before I write this.

Yes, you are right about the 444 setting. I was on 644 before and the files got written with strange codes. Was a nightmare to go through every index file and find the code then delete it. So I will leave it as 444 for now. That site is actually on a virtual server and I still suspect it has something to do with a wp plugin I installed not long before that happen.

I deleted that plugin, and the new index files seems fine. I have no proof so I am not going to point my finger to that plugin author.

And you are also right about the upload folder, mine was left at default 755 but I don't allow anyone but me to upload to my blog lol.

[horney]

Either a faulty script or someone got in with root access. Could even have been a sysadmin making a mistake

With root access anyone would be able to overwrite anything you did anyway using sudo privileges. All they'd need to know is your username, and that can easily be found as root. 644 is fine under normal circumstances.

[phuckbunny]

Well it turns out my host changed everything to 777, and surprise no website left as everything was hacked. Their response: "That was expected".

I'm going to kill someone before Mercury leaves retrograde