wp-config File is being unlocked

Home Forums BulletProof Security Pro wp-config File is being unlocked

This topic contains 24 replies, has 3 voices, and was last updated by  AITpro Admin 1 year, 9 months ago.

Viewing 15 posts - 1 through 15 (of 25 total)
  • Author
    Posts
  • #30124

    Jeff
    Participant

    I have BPS Pro installed on two different domains but on one domain, which has two websites on different servers on that domain, the wp-config file refuses to stay locked.  Every time I log into the backend of the WP site, I see three warning messages that wp-config, root-index and wp-blog-header folders are not locked.  All I have to do to get those messages to go away is to click on one of them, which takes me to the part of BPS Pro and shows me that the files are, indeed, locked.  Interestingly enough, I don’t get a warning message about the Root .htaccess file.  I only get it on the three files that I mentioned.

    How do I get these annoying messages to go away and stay away?  Out of the three sites, I only have the problem on one of two websites hosted on one domain.  No problem on the other website on that domain or on the website hosted on a different domain with another hosting company.

    Jeff

    #30125

    AITpro Admin
    Keymaster

    Most likely that host is automatically unlocking the wp-config.php file and the other files.  Check with that particular web host and see if they allow 400 file permissions to be used. Some web hosts do not allow locking files with 400 file permissions.

    #30128

    Jeff
    Participant

    I read the answer that “most likely that host is automatically unlocking the wp-config.php file …” before I posted my query.  It doesn’t apply to my situation, I don’t think, because I have three websites on two different servers at this hosting company, A Small Orange.  Two sites are on the “rory” server and the third site is on the “draenor” server.  I do not have BPS installed on one of the two sites on the “rory” server because it is a password-protected website that is not viewable by the public.  Unless the host has a different policy for each of its servers (one site is on a server called “rory” and the other site is on a server called “draenor”), then I don’t see how this could be a hosting issue. The two sites on “rory” are one domain and the site on “draenor” is a different domain.

    If I click on one of the warnings, I’m taken to the F-Lock display, which shows that all four files are locked.  You may be right about the 400 file permission issue, because the .htaccess file has a permission of 404, not 400, and I never get a warning message about that file.

    On June 26, I tried to solve this issue by unlocking and re-locking the files.  That had no effect, because the issue continues.

    Once I’m on the F-Lock page, if I click the warning message again, all three messages disappear.  If I then log out and log back in, I get no F-Lock warning messages but I’m sure that if I log in again in a couple of hours, the messages will return.  F-Lock never shows that the files are unlocked – they are always green and locked.  This is annoying, to say the least!

    I’ll contact the hosting company, but I doubt that I’ll get a straight answer.  At A Small Orange, the customer is always wrong and ASO is always right.

    #30133

    AITpro Admin
    Keymaster

    Oh ok I thought you said the site where this problem was occurring was on a different host, but yep different servers on the same host can be configured differently.  If you want me to login and check things out to make sure this is not some sort of BPS plugin problem then send a WordPress Administrator login to:  info at ait-pro dot com and I’ll see if I can figure out what is causing this problem or confirm that this particular server is configured to automatically check and change file permissions at regular intervals.

    #30305

    Tina Dubinsky
    Participant

    Hi

    Just curious if there was a solution to this problem. Was it the host? I’ve been having the same issue now for a few months. It started after my host did a server migration, and I thought it might be related. Sometimes the message goes away without me doing anything, though most times just saving the file lock options seems to work until next time it appears (usually next time when I log in which is not that frequent at present).

    Cheers

    -Tina

    #30306

    AITpro Admin
    Keymaster

    @ Tina – Check with your web host first and ask them if they automatically change file permissions for any files.  Locking the wp-config.php means changing the file permissions to 400.  So you would ask your host if they allow 400 file permissions and if the server automatically changes file permissions.

    #30327

    Tina Dubinsky
    Participant

    Hi,

    This was their response.

    Thank you for your updates. However, we do not change permissions in any way on our server, especially without notifying our customers. Or as per request but at that point only with ownership verification. If you have any questions, please feel free to ask.

    Since I saved the permissions again last night (about 12 hours ago) they’ve actually stayed locked.  I’m going to check again in 12 hours and see how they’re going.  Generally, when I notice they’re unlocked, there are plugins to be updated as well.  No plugin updates this morning either this morning.  Will keep you informed.

    Cheers,

    -Tina

    #30328

    AITpro Admin
    Keymaster

    @ Tina – Ok good you have ruled out that your host is automatically changing file permissions.  Another possibility is that you have another plugin installed that unlocks and writes to the wp-config.php file when saving plugin settings or doing something else in that plugin.  Or this could have just been some sort of random fluke.  So just keep on eye on this and if it happens again let me know and I will dig a little deeper to figure what might be causing this.

    #30433

    Tina Dubinsky
    Participant

    Hi,

    This is still happening.  I have three domains on shared hosting that run BPS.  They don’t all have the same plugins, but the issue is occurring across all three.  I’ve been testing the plugins by deactivating and then waiting to see if it does it again. (Sometimes  can take +24 hours before it happens again). It’s not a big priority for me at the moment, but I’ll let you know how it goes (assignment due at uni in a week!) .

    Thanks

    -Tina

    #30434

    Jeff
    Participant

    I’ve not had the time to deal with this issue, but it is still happening.  I sent you an administrator login so that you can take a look at it.  It is annoying, but doesn’t seem to affect the website in any way.  If you can figure out what is going on, it might help you to answer others’ questions about the same issue.

    #30435

    AITpro Admin
    Keymaster

    Hmm ok I’ll take a look and see if I can figure out what is causing this problem.  Since you 2 are the only 2 people out of 30,000+ people who have BPS Pro installed that are having this problem then it is some sort of isolated problem. I’ll see what I can find.

    @ Jeff – Send me your CAPTCHA so I can login.

    #30450

    AITpro Admin
    Keymaster

    @ Jeff – Your web host: A Small Orange is automatically changing the file permissions for these files:  wp-config.php, index.php and wp-blog-header.php to:  640 file permissions.

    Logical evidence:
    System Info page file|folder permissions show the file permissions for these files are:  640 file permissions.
    ../wp-config.php 0640
    ../index.php 0640
    ../wp-blog-header.php 0640

    Used the BPS Pro String|Function Finder Tool and did these searches:
    Searched “/home/xxxxx/public_html/wp-content/plugins/” for string “640”:
    Searched “/home/xxxxx/public_html/wp-content/plugins/” for string “wp-config”:
    Searched “/home/xxxxx/public_html/wp-content/themes/weaver-xtreme/” for string “640”:
    Searched “/home/xxxxx/public_html/wp-content/themes/weaver-xtreme/” for string “wp-config”:
    String|Function Finder Search Results:  None of your plugins or your theme is changing the file permissions for these files to:  640 file permissions.

    Did this Google Search:  A small orange wp-config.php file permissions
    Search Results:  https://blog.asmallorange.com/2010/04/securing-wordpress-part-one-your-wp-config/

    OOPS! The calculator worked in the draft! Try this one here! Sorry!
    So, we want wp-config.php to look like -rwxr-x— – click around above and see if you can get that. (We would even suggest going as low as 640.

    Summary|Conclusion:  The logical evidence is overwhelming that your host: A Small Orange is automatically changing the file permissions for the wp-config.php, index.php and wp-blog-header.php files to: 640 file permissions.  640 file permissions for these files is very unusual. Typical file permissions for these files are:  644, 604 or 400.  So since 640 file permissions are unusual and your host recommends using 640 file permissions then it is pretty obvious that your host server is automatically changing file permissions for these files to: 640 file permissions.

    Solution:  Since 640 file permissions are a secure file permission for these files then the solution is to turn off the F-Lock File Lock file permission checks for these files.

    #30461

    Jeff
    Participant

    Well, now, I beg to differ.  You turned off F-Lock for the wp-config.php, WP-index.php, and wp-blog-header.php, which is fine.  Before turning F-Lock back on, I went into cPanel and noted that the file permissions for those three files are set to 0400, not 0644 as you apparently found.  The effect of turning on F-Lock for those three files is to set the file permissions to 0400 and make them read only.  Apparently, they already are read only.

    I’ll wait a few hours to see what happens now that F-Lock is turned back on again.  I’ll bet I get an error message.

    Yes, I can eliminate the error message by turning F-Lock off, but A Small Orange has set the file permissions for those three files to 0400, not 0644.

    Jeff

    #30462

    AITpro Admin
    Keymaster

    @ Jeff – I did not include this additional information because it is not really relevant to the issue that is occuring.  I locked the files with 400 permissions before turning off the F-Lock File checks.  It is a moot point whether or not your host automatically changes the file permissions to: 640 file permissions.  640 file permissions are secure, but just not as secure as 400 file permissions.  You posted 644 file permissions above and I assume that was a typo and you meant to post 640 and not 644.  Nope you will not get an error message when your host automatically changes the file permissions to: 640 because I turned Off the F-Lock file lock checks, which means – do not display a message.  Nope I set the permissions to 400 before turning Off the F-Lock file checks and not ASO.

    I believe the most relevant fact is this one:  I have never seen 640 file permissions used before on any web host for these WP files. So I think it is safe to assume this is an ASO thing based on the ASO help documentation on their website help pages that recommends using 640 file permissions for the wp-config.php file.  Also note the way ASO phrased their help text: “We would even suggest going as low as 640.”. Sounds to me like that means 640 file permissions are the most restrictive file permissions allowed that you can use for the wp-config.php file on ASO hosting. Why wouldn’t ASO suggest 400 file permissions since 400 file permissions are the most secure file permissions possible?  I think this case can be closed.

    Also it is not an unusual thing for a web host server to automatically change file permissions.  I have seen this on dozens of web host’s worldwide.  The server runs an automated script that checks file permissions and if those file permissions are not allowed or there is a flaw in the logic of the automated server script then the file permissions will be automatically changed by your host server to whatever your host allows for file permissions.  The flaw I have seen with these automated server scripts is this:  the script checks the file permissions, but does not take into consideration that a particular file permission setting is even more secure than what the server script is checking for/against.  Example:  if file X does not have permissions Y (640) then change the file permissions to Y (640). The flaw is there should be more conditions.  Example:  if file X does not have permissions A (640), B (604) or C (400) then change the file permissions to A (640).

    #30469

    AITpro Admin
    Keymaster

    @ Jeff – Oh I just noticed that you said you turned the F-Lock file checks back on so yep you will see displayed messages when your web host automatically changes the file permissions to 640 again. 😉  Like I said, it is a moot point since 640 file permissions are more secure than 644 file permissions and because your host appears to only allow 640 file permissions and nothing more restrictive like: 604 or 400 file permissions.

    Also it is important to note that permissions are based on file type.  Your host is allowing 404 file permissions for .htaccess files, which is standard on all web hosts.  .php file permissions are typically either 644 or 604 as a standard. And once again I have never seen 640 file permissions used for .php files ever.  Not in 10 years and not on 350,000+ web hosts worldwide. 😉

Viewing 15 posts - 1 through 15 (of 25 total)

You must be logged in to reply to this topic.