Security question about server root access by wordpress admin - wordpress

I have a security question. I gave the WordPress admin access to someone for a series of changes. Could he use the shell or any other way to infiltrate the server and access other hosts on the server?

By default, any user that logs in with administrative permissions can access the WordPress plugin and theme editors, and change any theme or plugin file on your site in real-time.
– From https://wordpress.org/support/article/editing-files/
That, in theory, leaves your server open to arbitrary code execution. You might consider mitigating this default vulnerability by reviewing trellis's approach of locking down the root user, and bedrock's must-use-plugin-autoloader.
(It's very cool, you define your plugins in a composer.json file. Here's the magic sauce of that.)
"installer-paths": {
"web/app/mu-plugins/{$name}/": ["type:wordpress-muplugin", "roots/wp-stage-switcher"],
"web/app/plugins/{$name}/": ["type:wordpress-plugin"],
"web/app/themes/{$name}/": ["type:wordpress-theme"]
},
That prevents "writing" new code to the theme/plugin folders outside the context of a theme deploy, and so elides the concern of WP admins writing whatever code they like.
(However, if you're assuming a malicious admin, you might be in need of social as much as technological approaches.)

Short Answer:
No
Long Answer:
This kind of credential can only be used from the WordPress instance.
He can modify some lines of code by using a custom plugin, but he can't go outside the theme folder.
Some plugins can modify wp-config.php, but nothing more.
Through the settings you can disable GUI plugin installation, so only the server administrator can install them via FTP.
In general, these credentials can only modify files of that WordPress installation, because they are only present in that WordPress DB.
Nobody can access it via FTP/SSH, because he would need the user/password and IP of that server.
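Both answers above point at the same mitigation: taking the theme/plugin file editors and dashboard plugin installation away from WordPress administrators. As an added example (my code, not from either answer), here are the two wp-config.php constants that do this, followed by a small must-use plugin that raises an admin notice if the lock-down is not actually in force. DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and wp_is_file_mod_allowed() are real WordPress constants/functions; the plugin file name is a placeholder of my choosing.

```php
<?php
// Added example, not from the original answers. Two parts:
//   1. lines for wp-config.php, placed above "/* That's all, stop editing! */"
//   2. a must-use plugin that warns when the lock-down is not in force.
// The mu-plugin file name (check-file-mods.php) is a placeholder.

// ---- wp-config.php -------------------------------------------------------

// Removes Appearance > Theme File Editor and Plugins > Plugin File Editor and
// makes the edit_themes / edit_plugins capabilities evaluate to false for
// every role, Administrator included.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger: also blocks installing, updating and deleting plugins and themes
// (and core updates) from the dashboard, so new code can only arrive through
// your deploy channel (SFTP/SSH, Composer, ...). Implies DISALLOW_FILE_EDIT.
define( 'DISALLOW_FILE_MODS', true );

// ---- wp-content/mu-plugins/check-file-mods.php ---------------------------
// Must-use plugins are loaded on every request and cannot be deactivated
// from the dashboard, so an administrator cannot switch this check off.

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $problems = [];

    // Core consults this before allowing plugin/theme installs and edits.
    // It returns true unless DISALLOW_FILE_MODS is set (or a plugin filters
    // 'file_mod_allowed' back to true).
    if ( wp_is_file_mod_allowed( 'capability_edit_themes' ) ) {
        $problems[] = 'Dashboard file modifications are still allowed: DISALLOW_FILE_MODS is not in force.';
    }

    // With DISALLOW_FILE_EDIT set, map_meta_cap() denies these for everyone.
    if ( current_user_can( 'edit_plugins' ) || current_user_can( 'edit_themes' ) ) {
        $problems[] = 'This account can still edit plugin/theme files: DISALLOW_FILE_EDIT is not in force.';
    }

    foreach ( $problems as $message ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
    }
} );
```

Two caveats worth keeping in mind. These constants only close the dashboard's own code-editing and install routes; any plugin already installed that can write files (a file manager plugin, as the next question on this page mentions) still gives an administrator a way to drop PHP on the server, so review the installed plugin list as well. And if the constants are defined after the `require_once ABSPATH . 'wp-settings.php';` line at the bottom of wp-config.php rather than above the "stop editing" marker, parts of core will already have run without them, which is exactly the situation the mu-plugin notice is there to catch.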

Related

Cpanel wordpress file directory hide for client

Good day, I'm a freelance developer and a quick question is how do I hide or prevent a client from seeing the wp-content and wp-config files of WordPress. They supplied me with cPanel logins and have sensitive files I don't want touched or viewed. Thanks
First of all, it is very important for you to know that a WordPress Administrator is able to see the wp-content, wp-config files and so on (if you have no restriction from your host). Why not? There are some plugins (e.g. WP File Manager) that give direct access to this kind of file.
To prevent it you can change the role from Administrator to Editor, or you can restrict the file permissions on the server.
Thank you

Server ftp write errors

We have a Linux based server through which we offer a hosting service. We have a problem with WordPress and other platforms: each WordPress site asks for FTP accounts every time you install WordPress, themes or add-ons, or try to upgrade it.
We need to get write access to the WordPress, Joomla, Drupal, etc. platforms automatically when they are installed to a customer's server space via Softaculous.
I have no experience with the hosting service, I just make websites, and I've tried putting the FTP accounts in the wp-config file, but it does not fix the other customers' sites, and adding them to the wp-config file is not the best solution (it still asks for a password when installing a theme or add-ons or updating anything).
Sorry for my bad English. Can anyone help me get this problem fixed?
We need write access for Joomla, WordPress, Drupal, Magento etc. We have cPanel access for every customer and the Softaculous installer for WordPress and other platforms.
When you get that error message, the web server needs write access to the WordPress files. If you add write access to the files, I think the problem will be resolved.
If you can't add write access to the files, contact your hosting service center.
It's most likely a permissions problem here.
You need to be sure that your web server can read all files and folders in the web root folder, and you need to make every user the owner of their own folders and files.
Using cPanel this should be done automatically when you create an FTP user and provide its home directory. If you already have a mess with permissions you may need to edit them manually. You can try to set 644 permissions for all files and folders and then change the owner to the actual user.
Look here for more information about file permissions on Linux, it should help.
It's been fixed, I set Apache write access differently so it's now working properly!
Link for details:
https://wordpress.org/support/topic/folder-permission-on-linux-ubuntu

WordPress on MAMP wants WebFTP for updates. Where can I find this?

I've installed WordPress on my local machine with MAMP.
If I want to update the system or plugins, WordPress asks for WebFTP credentials every time. I've tried root/root on localhost and localhost:8888. Both are wrong?
Where can I find/set these credentials?
Or is there a way to prevent WP from asking?
The issue is new for me. In the past there was no need for WebFTP credentials?!
I've always told WordPress to edit files directly for updating WordPress instead of using FTP. To do that add define('FS_METHOD', 'direct'); to your wp-config.php file and then make sure that the files are owned by the user that runs Apache. I think that by default the free version of MAMP runs as you so you shouldn't need to do anything different with file permissions.
Below is the documentation from WP's Editing wp-config.php documentation page for FS_METHOD constant.
FS_METHOD forces the filesystem method. It should only be "direct",
"ssh2", "ftpext", or "ftpsockets". Generally, you should only change
this if you are experiencing update problems. If you change it and it
doesn't help, change it back/remove it. Under most circumstances,
setting it to 'ftpsockets' will work if the automatically chosen
method does not. Note that your selection here has serious security
implications. If you are not familiar with them, you should seek help
before making a change.
**(Primary Preference) "direct"** forces it to use Direct File I/O requests from within PHP. It is the option chosen by default.
**(Secondary Preference) "ssh2"** is to force the usage of the SSH PHP Extension if installed
**(3rd Preference) "ftpext"** is to force the usage of the FTP PHP Extension for FTP Access, and finally
**(4th Preference) "ftpsockets"** utilises the PHP Sockets Class for FTP Access.
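The FTP-credentials prompt in this thread and in the hosting thread above comes from the same place: before WordPress picks the "direct" method it checks that a file it creates ends up owned by the same account as the WordPress files themselves. As an added example (my own code, not WordPress's), the script below reproduces that ownership test so you can see why a given install falls back to asking for FTP/SSH details. The path and the `www-data` user in the comments are placeholders; wp-includes/version.php is a file every WordPress install ships with.

```php
<?php
// Added diagnostic (not WordPress code). Reproduces the ownership test that
// WordPress's get_filesystem_method() in wp-admin/includes/file.php performs
// before it will use FS_METHOD 'direct'. If the test fails, WordPress prompts
// for FTP/SSH credentials instead of writing files itself.
//
// Run it as the account PHP runs under for the site, e.g.
//   sudo -u www-data php fs-check.php /var/www/html
// (user and path are placeholders for your own install).

function fs_method_check( string $wp_root ): array {
    $site_file = $wp_root . '/wp-includes/version.php'; // any file shipped with core
    $probe_dir = $wp_root . '/wp-content';               // where updates get written

    $report = [
        'php_uid'    => getmyuid(),               // who PHP runs as right now
        'site_owner' => @fileowner( $site_file ), // who owns the WordPress files
        'method'     => 'credentials-prompt',
        'reason'     => '',
    ];

    if ( $report['site_owner'] === false ) {
        $report['reason'] = "cannot stat $site_file (wrong path?)";
        return $report;
    }
    if ( ! is_writable( $probe_dir ) ) {
        $report['reason'] = "$probe_dir is not writable by uid {$report['php_uid']}";
        return $report;
    }

    // WordPress creates a temp file and compares its owner with the owner of
    // its own code. If they differ, anything PHP writes would belong to a
    // different account than the rest of the site, so 'direct' is refused.
    $temp = $probe_dir . '/temp-write-test-' . uniqid();
    if ( @file_put_contents( $temp, 'probe' ) === false ) {
        $report['reason'] = "could not create a file in $probe_dir";
        return $report;
    }
    $temp_owner = @fileowner( $temp );
    @unlink( $temp );

    if ( $temp_owner === $report['site_owner'] ) {
        $report['method'] = 'direct';
        $report['reason'] = "site files and newly created files are both owned by uid $temp_owner";
    } else {
        $report['reason'] = sprintf(
            'site files are owned by uid %d but PHP creates files as uid %d; '
            . 'either chown the site to uid %d or run PHP as the owner of %s',
            $report['site_owner'], $temp_owner, $temp_owner, $wp_root
        );
    }
    return $report;
}

$root = $argv[1] ?? dirname( __FILE__ );
foreach ( fs_method_check( $root ) as $key => $value ) {
    printf( "%-11s %s\n", $key . ':', var_export( $value, true ) );
}
```

This is also what the "serious security implications" sentence in the quoted documentation is about. Forcing `FS_METHOD` to `direct` on an install that fails this test only works if wp-content has been made writable by the PHP account, typically with world-writable permissions or by chowning the tree to the web server user. On a shared host where every site runs under the same PHP uid, that lets any other site on the box (or any compromised one) write into yours. The cleaner fix is the one cPanel-style hosts use: run each site's PHP as the account that owns its files (suPHP or a per-account PHP-FPM pool), so the owners match and WordPress chooses `direct` on its own. On a single-user MAMP install, as the answer above notes, PHP already runs as you, so the files you own pass the test.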

Mirroring a Wordpress *configuration* between local and remote

Ok, so I'm familiar with creating local Wordpress builds, and have been chugging along happily with the technique outlined in Smashing's MAMP-based article. My question goes a step beyond this.
The article is great for developing generic themes, but when developing sites (not necessarily blogs) based in Wordpress, for me at least, it's a little painful come launch day.
I have to go back in and reconfigure the server's WordPress to match what I've already done locally. Settings have to be entered again, plugins need to be installed again, menus recreated, and CSS will have to be altered to reference the unique classes/IDs WordPress generates for posts/pages/custom taxonomies... sometimes things are missed in the process. What I want to know is this:
Is there an easy way to automate cloning or mirroring the build on my local machine to the remote server?
Even if you have to just LMGTFY me, that would help. I don't exactly know what I should be searching for. Searches dealing with 'mirroring wordpress configuration' and 'cloning wordpress configuration' return tutorials on moving content, which I know how to do.
If it helps, I'm running OSX 10.6.8 with xcode dev tools, git, ruby, node, and homebrew. All of my live servers have ssh access as well as ftp, and I build with the most current versions of Wordpress.
Here are some easy steps to follow:
Download and install the WP Migrate DB plugin.
Go to Tools > WP Migrate DB and fill in the blank fields (New address (URL), New file path, and optionally check/uncheck the other options). Click on Export Database and save the export file to your computer.
Make a .zip archive with ALL of your files (the /wp-admin, /wp-content, /wp-includes directories and all files in the root directory).
Upload that file to your production server, where you want your WordPress site to reside.
Go to your cPanel File Manager (or any other alternative that you might have, or use the unzip command through SSH) and unzip the file that you just uploaded.
If you don't already have a database set up on your production server, create one through the hosting control panel (for cPanel, it would be Creating a mySQL database in cPanel; for Plesk it would be Plesk 7 Tutorial: Creating a database; for anything else, just google it or try your hosting's FAQ). Remember/write down your Database Name, Database User and Password.
Edit the wp-config.php file and change the values for DB_NAME, DB_USER, DB_PASSWORD and optionally DB_HOST - this is usually localhost; if that doesn't work, try asking your web host, or if you have phpMyAdmin, log in to it and look at the very top of the page - in this case the DB_HOST would be localhost.
After you've done all of that, log in to your DB administration tool (most of the time this would be phpMyAdmin, but it could be something else as well) and upload the database export file that you saved to your computer in step 2. Note: If your hosting hasn't provided you with a DB administration tool, I would suggest that you upload the phpMiniAdmin script (click on the "Download latest version" link and save the file to your computer) to your production server. Then go to that script (if your website is located at http://example.com/, go to http://example.com/phpminiadmin.php) and enter your DB details. At the top of that page, you will see an import link. Click on it and upload your DB export file. Note 2: phpMiniAdmin doesn't support gzip-compressed files, so if you did check the Compress file with gzip option in step 2, you will have to redo that step with this option unchecked.
Log-in to your site and go to Settings > Permalinks in order to update your permalink structure.
Check the permissions of the /wp-content/uploads and /wp-content/plugins directories - make sure that you will be able to upload images and plugins without any problems.
That's pretty much it. It might seem like a lot, but I follow this process for almost every site that I upload to production servers and it can take me as little as a bit under 10 minutes to do all of that (considering that I usually use custom MySQL commands instead of the WP Migrate DB plugin - I should probably start using it :) ). Once you get used to the process and you don't encounter any low-quality web hosts, you should be perfectly fine with these steps.
Note: Since you used ssh as one of your tags, I assume that you usually have SSH access to the production server. If you don't, I'm still assuming that you have cPanel access (if that's not true and you can't unzip files on the server, then upload all files manually via an FTP client, instead of doing steps 3 and 4).
I guess the only way is to copy the database or part of it.
What I do is copy the relevant tables and manually modify the site URLs in the options table. There are only 2. There is also a nice plugin, velvet-blues-update-urls, to modify all links after the site URLs are set manually to be able to access the backend, in case posts are also copied.
Next, copy all theme directory files to the same directory in the site, assuming you are using the same theme.
Both processes can be automated with a PHP script.
I am not sure this is what you want, but hope this helps.
Not sure that this is exactly what you need, but to move a site you can use the built-in WordPress "export" and "import" options. As far as I remember there was an option when importing to change URLs, and the import would change a few things for you.
Even if this does not answer your exact question, hope it helps.
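Every answer in this thread hinges on the same step: rewriting the local URL to the production URL inside the database, whether through WP Migrate DB's "New address (URL)" field, velvet-blues-update-urls, or editing the options table by hand. The reason a plugin is involved rather than a plain SQL REPLACE() is that many option values are PHP-serialized, and the serialized format stores string lengths, so a blind text replacement that changes the URL length corrupts the value and WordPress silently drops it (theme mods, widgets and most plugin settings are stored this way). The following is an added example, my own code and not from any answer above, showing a serialization-aware replacement and the failure it avoids. The `http://localhost:8888` address is the MAMP default from the thread above; `https://www.example.com` and the sample option rows are constructed placeholders.

```php
<?php
// Added example, not from the original answers: search/replace of the site
// URL across wp_options values that survives PHP-serialized data.
// A plain  UPDATE wp_options SET option_value = REPLACE(option_value, ...)
// breaks serialized values because the format stores string lengths:
// s:21:"http://localhost:8888" is no longer valid once the URL is replaced
// by one of a different length. WP-CLI's `wp search-replace` does this job
// on a live database; this shows the mechanism behind it.

function replace_in_value( $value, string $from, string $to ) {
    if ( is_string( $value ) ) {
        // Try to treat the string as serialized data. 'b:0;' is the one valid
        // input for which unserialize() legitimately returns false.
        $data = @unserialize( $value, [ 'allowed_classes' => false ] );
        if ( $data !== false || $value === 'b:0;' ) {
            if ( is_object( $data ) ) {
                return $value; // top-level objects: leave untouched rather than risk mangling them
            }
            // Recurse into the decoded structure, then re-serialize so that
            // every string length prefix is recomputed.
            return serialize( replace_in_value( $data, $from, $to ) );
        }
        return str_replace( $from, $to, $value ); // ordinary string
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            $value[ $key ] = replace_in_value( $item, $from, $to );
        }
        return $value;
    }
    return $value; // int, float, bool, null, object: nothing to rewrite
}

/** Apply the replacement to rows shaped like SELECT option_name, option_value FROM wp_options. */
function migrate_option_rows( array $rows, string $from, string $to ): array {
    foreach ( $rows as &$row ) {
        $row['option_value'] = replace_in_value( $row['option_value'], $from, $to );
    }
    unset( $row );
    return $rows;
}

// Constructed sample rows standing in for a local MAMP install (not real data).
$from = 'http://localhost:8888';
$to   = 'https://www.example.com';
$rows = [
    [ 'option_name' => 'siteurl', 'option_value' => $from ],
    [ 'option_name' => 'home',    'option_value' => $from ],
    [ 'option_name' => 'theme_mods_mytheme', 'option_value' => serialize( [
        'header_image'       => $from . '/wp-content/uploads/header.jpg',
        'nav_menu_locations' => [ 'primary' => 3 ],
    ] ) ],
];

// What a naive SQL REPLACE() would have produced: the s:NN length prefix no
// longer matches the new URL, so the whole theme_mods value is unreadable.
$naive = str_replace( $from, $to, $rows[2]['option_value'] );
echo "naive replace unserializes to: ";
var_dump( @unserialize( $naive ) ); // bool(false): the theme settings are lost

// The serialization-aware version keeps every row decodable.
foreach ( migrate_option_rows( $rows, $from, $to ) as $row ) {
    echo $row['option_name'], ' => ', $row['option_value'], "\n";
}
```

The same rule applies to any other table holding serialized data (wp_postmeta and wp_usermeta in particular), which is why the plugins mentioned in the answers run over the whole database rather than just the two siteurl/home rows. Updating those two rows by hand first, as the second answer suggests, is still the right way to regain access to the backend; the serialization-safe pass then fixes everything else, and the Settings > Permalinks save from the first answer remains necessary afterwards.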

Move wordpress from home web server to web server hosting account

I've installed and tested Wordpress configurations on my home server which I use as my test server.
Is it possible to upload everything, including Wordpress, from my home web server to my hosting account so it will work instantly there?
Of course I need to change the database name, password, but that's about it.
thanks!
http://codex.wordpress.org/Moving_WordPress
Nike's link is good, but also be aware that you may need to take extra steps when moving certain plugins, like CformsII; you will have to re-set up your Widgets if you use any, and be sure to check your .htaccess file for any changes that you may have to make if you are using permalinks.
For files, you should be able to upload your themes and plugins to the web host.
For the database, you can go into your local setup, Admin->Tools->Export. This will export your local WP settings, posts, pages, etc to a file.
Install WP on your host, then go to Admin->Tools->Import. Select the file from the previous step. Your hosted WP should now be the same as your local copy.
