wp-config File is being unlocked


  • #30474
    Jeff
    Participant

    Well, there’s always a first time for everything!  I submitted a ticket to A Small Orange asking why their automatic file permission script on that server sets the .php file permissions to 0640 – all of them, not just the three that F-Lock can lock.  It may be just this server because the other two websites that I have on a different server at ASO are happy with 0400 for the three files in question and all the other .php files are 0644 on that server.

    I’ll let you know if ASO agrees that they ought to join the other 350,000 webhosts worldwide … 😉

    Jeff

    #30503
    Tina Dubinsky
    Participant

    I’ve a feeling it’s my host as well (even though they said they don’t).  A few days ago it took over 12 hours for the unlock message to appear (I just noticed it today so it may have been longer than 12 hours, I had thought it would stop). Right now, I’m testing my main site and I’ve just left Bullet Proof and Akismet running to see if it happens again. It uses the 2014 (customised) theme. I tried following the steps you have here for string / function finder. A lot of results for 640 but I think this was to do with image settings, but I didn’t see anything that alarmed me.  The other search string returned zero results. From memory running the tools script triggered the message. I tried looking through my host’s documents (Site5) but didn’t find anything about preferred settings.

    #30505
    AITpro Admin
    Keymaster

    @ Tina – Yep, most likely your particular host server is changing file permissions automatically.  If you read Jeff’s responses then you see that this issue was only occurring on one of his host servers and that was probably because that particular server had some old leftover server script that automatically changes file permissions or due to some other issue/problem with that particular server.  The important things to check are these:  What file permission is the wp-config.php file being changed to?  What are the file permission settings for all of your other WP Core files in your WordPress installation folder? You can check file permissions on the BPS System Info page and using FTP or your web host control panel file manager.  The general idea is that you want to find a logical reason for why file permissions are what they are currently and why they would logically be changed to some other file permission. Your frontline host support techs may or may not be able to answer that question for you so figuring out logically what might be occurring is important in figuring out what is causing the actual problem.
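
The check described in the reply above, as an added example that is not part of the original thread or of BPS: it reports the mode and last status-change time of the three F-Lock files and counts .php files per mode, which separates a blanket permission script from a change aimed at one file. It assumes shell access with GNU stat and find; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: permission report for a WordPress install (GNU stat/find assumed).

# The three files the thread says F-Lock checks.
FLOCK_FILES="wp-config.php index.php wp-blog-header.php"

# Print "mode  last-status-change  path" for each F-Lock file that exists.
# ctime (%z) is updated by chmod, so it shows when the mode last changed
# and can be matched against a cron schedule.
flock_report() {
    local root="$1" f
    for f in $FLOCK_FILES; do
        [ -f "$root/$f" ] && stat -c '%a  %z  %n' "$root/$f"
    done
    return 0
}

# Count .php files per permission mode, most common first.
php_mode_histogram() {
    local root="$1"
    find "$root" -type f -name '*.php' -printf '%m\n' | sort | uniq -c | sort -rn
}

# "uniform:MODE" means every .php file shares wp-config.php's mode, the
# pattern a blanket script leaves behind; "mixed:MODE:N" means N .php files
# have a different mode, so only some files were touched.
classify() {
    local root="$1" cfg_mode others
    cfg_mode=$(stat -c '%a' "$root/wp-config.php") || return 2
    others=$(find "$root" -type f -name '*.php' ! -perm "$cfg_mode" | wc -l)
    if [ "$others" -eq 0 ]; then
        echo "uniform:$cfg_mode"
    else
        echo "mixed:$cfg_mode:$others"
    fi
}

# Usage: ./perm-report.sh /path/to/wordpress   (path supplied by the caller)
if [ -n "${1:-}" ]; then
    flock_report "$1"
    php_mode_histogram "$1"
    classify "$1"
fi
```

Running it once right after locking the files and again after the unlock message appears gives a before/after pair of modes and a timestamp to hand to host support.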

    #30521
    Tina Dubinsky
    Participant

    @AIT

    Hi-

    After slimming my plugins down to the BPS and Akismet, it only took half an hour before they changed again.  I contacted my host again and after a few back and forward emails, they realised it was them.

    Thank you for your message. To begin with, I’d like to apologize for a mistake in my previous reply. After checking this a little further, and checking your first reply today and inspecting the active cronjobs on the server, there are changes that are done to the files (the clue was with the permissions that you mentioned – 640) – this is done by the means of a cron job that changes the permissions on all PHP files – all PHP files under: /home/*/public_html/ will be changed to 640 while folders will be switched to 755.

    So how does this affect what BPS does? Is it okay to just ignore these messages and turn off messages for the file locks? Should I be overly concerned at all? I’m not paying a lot of money for this host so I don’t feel like I can ask for too much special attention.

    #30522
    AITpro Admin
    Keymaster

    @ Tina – Since 640 file permissions are a secure file permission for these files then the solution is to turn off the F-Lock File Lock file permission checks for these files:  wp-config.php, index.php and wp-blog-header.php.  This does not affect BPS in any way.

    #30837
    Jeff
    Participant

    [Topic has been merged into this relevant Topic]
    In my attempt to find a hosting company that doesn’t over-ride BPS Pro preferences and does everything else well (a very tall order, indeed!), I settled on InMotion.  They do not run an automatic script which changes the 4 core file settings like A Small Orange does on some of their servers but I do have an issue with the file permission for wp-config.php being changed from 0400 (BPS Pro recommendation) to 0640 every morning between 6:15 and 6:30.  That is the only file being changed – the rest stay at 0404 or 0400.

    I’ve gone back and forth with InMotion tech support and this is their latest:

    “Furthermore, in my investigation, I found a scheduled WordPress task ( using the wp-cron feature built in to WordPress) associated with the Bulletproof plugin. To see this yourself you can use phpmyadmin to execute the following query:
    select * from wp7y_options where option_name like '%cron%'

    “This task is almost certainly the cause of your issues and this is corroborated by the Bulletproof support team documenting that there is a “htaccess auto-lock” feature built in to Bulletproof, and explaining how to find it in your Bulletproof configuration pages: https://wordpress.org/support/topic/htaccess-file-resets-itself-to-default-wp-one-and-file-permissions-444/#post-6668003”

    I followed the link, but that case was about .htaccess and involved a hack.  I doubt very much that this is the case in my situation as the identical site runs on SiteGround and I have no issues with file permission changes at that hosting company.

    I don’t have the expertise to refute the above assertion.  I did click on Cron jobs in cPanel and see no cron jobs scheduled.  I also went into BPS Pro-Tools and looked at the scheduled cron jobs there and see nothing that has anything to do with a file permission issue with wp-config.php.

    I have moved my website to InMotion and it is ready to go live if and when I point the nameservers to InMotion and away from SiteGround.  The site at SiteGround has no issues with file permissions, so that is why I tend to think that the issue is with InMotion and not with any plugin.  I’ve disabled all of the plugins on the site at InMotion and it makes no difference.  Is InMotion blowing smoke?

    If you have any ideas on how to proceed, I surely would appreciate it.  If you could explain how to run the query using phpMyAdmin or give me a link to an explanation, I would appreciate that, too.

    Jeff

    #30839
    AITpro Admin
    Keymaster

    @ Jeff – If the same wp-config.php file permissions problem was happening on 2 different web hosts then whatever is unlocking the wp-config.php file is not a host server setting.  That means something installed on your site is changing the wp-config.php file permissions.  Yes, you are correct that BPS does not do that.  Send a WordPress Administrator login to this site to:  info at ait-pro dot com so I can find what is unlocking the wp-config.php file.

    #30843
    AITpro Admin
    Keymaster

    @ Jeff – I received your email, but since your site is not Live yet then I cannot login to the site due to restrictions on our in-house servers.  I previously posted an alternative way to try and figure out what is changing the file permissions for the wp-config.php file to 640 in this forum topic.  See my reply here:  http://forum.ait-pro.com/forums/topic/wp-config-file-wont-stay-locked/#post-30450  The BPS Pro String|Function Finder Pro-Tool can search all of your plugin/theme and other files for the code that is causing this problem.  Of course the simpler solution would just be to turn Off the F-Lock wp-config.php file check.  640 file permissions are OK so you really do not need to worry about whatever is causing this problem.  It is not an important or critical problem.

    #30844
    Jeff
    Participant

    It may not be “an important or critical problem” but what angers me most is that the hosting company denies that they have any role at all in the issue.  It’s my fault, pure and simple.  That’s what gets me – the arrogance of their attitude.

    I repeated the steps you took in the link you provided and found the string “wp-config” 249 times in /home/xxxx/public_html/wp-content/plugins.  For the other three searches: 0.

    I guess you can add at least two hosting companies that require 0640 for wp-config.php:  A Small Orange (on at least one of their servers) and InMotion (on at least one of their servers).  Now, you only have 19,998 hosts that don’t use 0640 🙁

    Jeff

    #30845
    AITpro Admin
    Keymaster

    @ Jeff – You are going somewhere that you don’t need to go.  First, the issue is not important whatsoever.  Next, generalizing faults with any web host is really not productive and just ends up costing you as far as your own personal productivity goes (moving forward).   I think there are probably more like 350,000+ web hosts worldwide, but that is not really the point.  Simply put, this issue is not important whatsoever.  So just let it go. 😉
