
Plesk 12 Wordpress using mod_php installs are insecure [resolved]

IJUSTWANTTOGOHOME

New Pleskian
We recently had several customers running WordPress have their sites violated and used to send out spam. It looks like this was possible because their sites were filled with globally writable/executable directories and the spammer was using PHP code to send mail using the system mail command. I manually changed the directory permissions to stop it and had one customer who had manually installed an old version of WordPress install a new one through the Plesk control panel. He reported to me that when he created a new WordPress 3.9.1 install using the Plesk control panel it created a bunch of globally writable/executable directories by default. I verified this by installing WordPress on another site as well. Has anyone else seen this? I have manually changed the permissions on all the sites and removed customer access to the application install portion of the control panel for the time being, but that isn't a very good long-term solution. Is there any way to change the default permissions used on the Plesk install of WordPress to something that won't lead to future hacks almost the instant the site goes live?
 
What edition of Plesk 12 are you using? Or is it an upgrade from Plesk 11?

Also, are you using the WordPress Toolkit to harden the WordPress installations which applies all of the security settings you mentioned in your post?
 
Plesk version is 12.0.18 Update #7 running on CentOS 6.5. When my customer mentioned that new WordPress installs were creating insecure directories I reactivated an old account that was no longer in use, created a WordPress instance through the Plesk Application Manager and saw the same thing. I then ran the security check that's available as part of the WordPress module in Plesk and it listed "Security of the wp-content folder" and "Security of the wp-includes folder" as two items that could be fixed. I ran that fix, but as far as I could see there were still a bunch of globally writable/executable directories afterwards.
 
Ok. Thanks for the additional info. The WordPress toolkit will not change all file permissions of every file in a WordPress distribution, but it should cover the ones that would be compromised in the event that a WordPress install is attacked. I'll connect you with an engineer to dig deeper and provide more specifics. (IM me your email.)

Thanks.
 
Hi,

This can happen if you are using mod_php. We do not change file permissions for WordPress if mod_php is used, because such changes prevent WordPress users from updating WordPress, installing plugins and themes, etc. We do not want to break the user experience, especially when other alternatives for maintaining security are present. We strongly suggest using mod_fastcgi if you want a secure environment, as mod_php is inherently insecure. Plesk has used mod_fastcgi by default for the last couple of years because we want everyone to work in a secure environment.
 
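The underlying reason for the engineer's answer above is that under mod_php every script runs as the web server user, so the only way the site owner's files can be written by WordPress (updates, plugin installs, uploads) is to make them world-writable; under FastCGI or FPM the PHP process runs as the subscription's own system user, so the conventional 0755/0644 permissions are enough. The following is an added example, not code from Plesk or the WordPress Toolkit, that a practitioner can use to audit a document root for world-writable entries (the "globally writable" directories reported in the thread) and to apply least-privilege permissions once PHP no longer runs as the web server user. The function names and the constructed sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Audit a WordPress document root for world-writable entries and apply the
# conventional permissions: directories 0755, files 0644, wp-config.php 0600.
# Assumes the tree is owned by the subscription's system user and that PHP
# runs as that user (FastCGI/FPM), not as the web server user (mod_php).
# Added example, not Plesk or WordPress Toolkit code.

# Print every world-writable file or directory under $1, one per line.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Number of world-writable entries under $1 (0 means the tree is clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply least-privilege permissions to the WordPress tree rooted at $1.
# wp-config.php holds database credentials and salts, so it gets 0600.
harden_wp_perms() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 0600 "$1/wp-config.php"
    fi
}

# Constructed sample tree (not a real install) resembling the insecure layout
# described in the thread: 0777 directories and 0666 files under the docroot.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    touch "$root/wp-config.php" "$root/index.php" "$root/wp-content/uploads/x.jpg"
    chmod 0777 "$root/wp-content" "$root/wp-content/uploads" "$root/wp-includes"
    chmod 0666 "$root/wp-content/uploads/x.jpg" "$root/wp-config.php"
    echo "$root"
}

# Stand-alone demo: ./wp_perms.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "world-writable before: $(count_world_writable "$root")"
    list_world_writable "$root"
    harden_wp_perms "$root"
    echo "world-writable after:  $(count_world_writable "$root")"
    rm -rf "$root"
fi
```

On a real subscription you would source the file and run `harden_wp_perms /var/www/vhosts/example.com/httpdocs` (path assumed) only after switching the hosting to FastCGI; applied under mod_php it would break updates and uploads exactly as the engineer describes, which is why the toolkit leaves those permissions alone in that mode.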
That did it, thank you - I switched the PHP Support type to FastCGI and created a new WordPress instance and it did not have the globally writable directories. Thank you very much. Out of curiosity, why have the default choice be something that leads to security issues? When I create a new hosting plan it seems to default to mod_php - I can understand leaving the option in there for people who want it, but shouldn't the default choice be the more secure option?
 
Hi,

Actually, all new installations of Plesk 12 have mod_fastcgi by default when you create a service plan (I've checked it right now, just in case). It's possible to have mod_php as default if your installation of Plesk was upgraded several times from an old version of Plesk where mod_php was the default choice for service plans. Try changing this value to mod_fastcgi in Default Plesk plans (if you haven't removed them) and let me know if this makes mod_fastcgi a default for your new service plans.

Anyway, glad to hear everything's secure on your side now. If you have any feedback on WordPress Toolkit, I'd love to hear it. Thanks!
 