What security concerns should I have when setting FS_METHOD to “direct” in wp-config?

This is just, how I understood the idea of the WordPress File API. If it is wrong, please downvote 🙂

Okay. If you upload a file, this file has an owner. If you upload your file with FTP, you login and the file will be owned by the FTP user. Since you have the credentials, you can alter these files through FTP. The owner can usually execute, delete, alter etc. the file. Of course, you can change this by changing the file permissions.

If you upload a file using PHP, the linux user, which is executing PHP is owning the file. This user can now edit, delete, execute etc. the file. This is okay as long as only you are the user, who is executing PHP on your system.

Lets assume, you are on a “poorly” configured shared host. A lot of people run their PHP websites on this system. Lets say only one linux user is executing PHP for all these people. One of the webmasters on this shared host has bad intentions. He sees your page and he figures out the path to your WordPress installation. For example, WP_DEBUG is set to true and there is an error message like

[warning] /var/www/vhosts/userxyz/wp-content/plugins/bad-plugin/doesnt-execute-correctly.php on line 1

“Ha!” the bad boy says. Lets see, if this guy has set FS_METHOD to direct and he writes a script like

<?php
unlink( '/var/www/vhosts/userxyz/wp-content/plugins/bad-plugin/doesnt-execute-correctly.php' );
?>

Since only one user is running PHP and this user is also used by the bad boy he can alter/delete/execute the files on your system if you have uploaded them via PHP and by this attached the PHP user as the owner.

Your site is hacked.

Or, as it says in the Codex:

Many hosting systems have the webserver running as a different user
than the owner of the WordPress files. When this is the case, a
process writing files from the webserver user will have the resulting
files owned by the webserver’s user account instead of the actual
user’s account. This can lead to a security problem in shared hosting
situations, where multiple users are sharing the same webserver for
different sites.

Related Posts:

  1. What could a hacker do with my wp-config.php
  2. WP Config for FTP credentials
  3. Upgrading WordPress 4.0 asks for FTP password
  4. Best way to include wp-config.php
  5. How can I stop WordPress from prompting me to enter FTP information when doing updates?
  6. Are WordPress Plugins essential?
  7. What are the common security flaws I need to look for? [closed]
  8. Disabled plugins are they security holes – rumor or reality?
  9. How Can I Securely Implement a Password-less Login Feature?
  10. Security and .htaccess
  11. Are there procedures to prevent malicious plugin updates?
  12. How to stop wordpress from changing default .htaccess permissions to 444
  13. Secure WordPress paid plugin
  14. Why does WordPress still not support SFTP?
  15. Why does WordPress require a ftp server to be running on the webserver to transfer plugins?
  16. How to make media upload private? [duplicate]
  17. Should we use plugins that aren’t available from the official WordPress site?
  18. How to check plugins for malicious code?
  19. How to properly secure my WordPress installation?
  20. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  21. Where should my plugin POST to?
  22. Security error WP 4.0 + WP phpBB Bridge [closed]
  23. Some plugins adding full server path after url (with custom wp-content folder)
  24. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  25. Prevent Brute Force Attack
  26. Why would WordPress request FTP information when it can write to the file server?
  27. Why users disable the WordPress update?
  28. Is revealing just the AUTH_KEY a security issue?
  29. register_theme_directory somehow “fails” when folder is outside of WP-Folder
  30. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  31. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  32. How to expire all wordpress user passwords instantly?
  33. plugings request url is the old url
  34. How to import 55k images (uploaded via FTP) into WordPress Media libary? [closed]
  35. Can I upgrade plugins via FTP?
  36. Weird problems after recovery from security breach
  37. Should you escape hardcoded URLs?
  38. Preventing BFA in WordPress without using a plugin
  39. Enable Full SSL for WordPress
  40. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  41. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  42. WordPress filter that hook after each action/filter hook
  43. How to delete Passwrd Protected posts cookies when a user logged out from the site
  44. Prevent WordPress installing plugins and themes via Admin
  45. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  46. How to block plugin activations with no known user or coming from unknown IP address range?
  47. Check for security updates
  48. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  49. Install (enable) plugins on multisite, on localhost
  50. Linux Permissions and Ownership for WordPress
  51. Enabling WP_USE_EXT_MYSQL to support old plugin
  52. Why can’t I access my Intranet LDAPS with NADI?
  53. Malicious File Upload [closed]
  54. Stop Plugin Enumeration [closed]
  55. Malware installation during plugin update?
  56. Install and Update plugins on a VPS WordPress installation
  57. I should enable automatic updates?
  58. Security and Must Use Plugins
  59. Is it safe to use admin-ajax.php in the frontend?
  60. How to protect WordPress from security scanner [closed]
  61. Editing wp-config.php
  62. Website show Google Ads when we have no Google Ads linked to our website
  63. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  64. disabling ftp on wordpress
  65. To perform the requested action, WordPress needs to access your web > server
  66. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  67. WordPress unable to write files in the server
  68. Regarding plugin security
  69. How do I determine if the user who registered is not spam?
  70. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  71. 404 errors when updating options in admin dashboard
  72. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  73. In a local wordpress installation, when I install a plugin it only offers me installation via FTP
  74. Can I disable xml-rpc by setting it to false?
  75. How can I disable new plugin and theme install, but allow updates?
  76. Help to Create a Simple Plugin to make a post
  77. Validating ajax search
  78. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  79. How to get database connection details without longing to cpanel in WordPress?
  80. WordPress disable direct access of files in WordPress installation path
  81. Asking help regarding potential malware
  82. why is sportspress asking for FTP credentials on a local installation?
  83. FTP access to NAS drive files/folders from WordPress site
  84. WordPress FTP/media directory permissions problem?
  85. WP-admin plugin installation via FTP silently fails on shared hosting
  86. Redux framework somehow added to my site, can’t locate in plugins
  87. Being hacked. Is there a list of WordPress security holes I can check against?
  88. wp_verify_nonce fails always
  89. Plugins upload to wordpress in wampserver via filezilla
  90. Validating values using Settings API?
  91. Plugin (smart archives reloaded) crashed site / no access on admin panel
  92. Unwanted Links and Spam WordPress Pages and Posts
  93. Problem with permissions in wp-content/plugins
  94. No plugin updates after moving wp-config.php above root map
  95. File permissions for wp-minify plugin
  96. What is the recommended way to be notified of security updates to my plugins? [closed]
  97. My WP site and password was hacked, what to do? [closed]
  98. How to resolve these findings from security audit
  99. ERROR: Cookies are blocked due to unexpected output – no access to FTP
  100. Stop the user if login from the cookies

Leave a Comment