[Cialug] OT Wordpress

Theron Conrey theron at conrey.org
Tue Feb 15 09:55:45 CST 2011


oh and standard file permission rules apply.

On Tue, Feb 15, 2011 at 9:55 AM, Theron Conrey <theron at conrey.org> wrote:

> Not going to lie, I was so tardy in upgrading some of my (just for Kenny)
> wOrDpReSs installs due to time I just switched to http upgrades for my base
> wordpress upgrades.  plugins I tend to do manually, but base
> security vulnerabilities are quickly exploited in the wild.
>
> to use http upgrades to your base wordpress installs just add
> define('FS_METHOD','direct'); to your wp-config.php
>
>
> -Theron
>
>
> On Tue, Feb 15, 2011 at 9:23 AM, Kenneth Younger <kenny at sheerfocus.com>wrote:
>
>> Yes, this *generally* works if you are managing the entire install without
>> allowing user intervention.
>>
>> The other issue you can run into is with certain plugins that have to
>> write to disk. For example, you almost certainly will want to install some
>> sort of caching plugin (W3 Total Cache or SuperCache) - these need access to
>> write to disk in certain places.
>>
>> I'm also going to be a stickler and mention that it's "WordPress" not
>> "Wordpress" :)
>>
>> -Kenny
>>
>>
>> On Tue, Feb 15, 2011 at 8:58 AM, Josh More <
>> MoreJ at alliancetechnologies.net> wrote:
>>
>>>  You can get the best of both worlds by writing a shell script that
>>> applies and removes write capabilities of the entire Wordpress tree to the
>>> Apache user.  Your choice as to whether it's easier to do a recursive chmod
>>> or chown.  There will probably be some directories that you want to keep
>>> writable the whole time.
>>>
>>> You can then launch this script to give your user write access, apply
>>> updates and launch it again to take that write access away.
>>>
>>> No stored credentials anywhere and you can keep things up to date with a
>>> minimum of fuss and bother.
>>>
>>>     Josh More | Senior Security Consultant - CISSP, GIAC-GSLC Gold,
>>> GIAC-GCIH
>>> Alliance Technologies | www.AllianceTechnologies.net
>>> 400 Locust St., Suite 840 | Des Moines, IA 50309
>>> 515.245.7701 | 888.387.5670 x7701
>>>
>>> Blog: Not The Usual Security Predictions: 2011
>>> http://www.alliancetechnologies.net/blogs/morej
>>>
>>> How are we doing? Let us know here:
>>>
>>> http://www.alliancetechnologies.net/forms/alliance-technologies-feedback-survey
>>>      ------------------------------
>>> *From:* cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf
>>> of Matthew Nuzum [newz at bearfruit.org]
>>> *Sent:* Tuesday, February 15, 2011 08:29
>>> *To:* Central Iowa Linux Users Group
>>> *Subject:* Re: [Cialug] OT Wordpress
>>>
>>>  Carefully consider Kenneth's answer. Wordpress has a few mechanisms to
>>> make it easy for people to keep it up to date. FTP is only one. And, to be
>>> honest, an out of date wordpress installation is probably less secure than
>>> FTP credentials stored in the database.
>>>
>>> On Tue, Feb 15, 2011 at 7:43 AM, Todd Walton <tdwalton at gmail.com> wrote:
>>>
>>>> On Mon, Feb 14, 2011 at 9:04 PM, kristau <kristau at gmail.com> wrote:
>>>> > If you have shell access to the host, just use scp to upload the
>>>> > files, then manage them through an ssh session. Yes, it isn't as
>>>> > convenient as doing this through the browser, but it is much more
>>>> > secure.
>>>>
>>>>  That's what I've been doing.  I was hoping that there was some way to
>>>> make the convenient method secure.
>>>>
>>>> --
>>>> Todd
>>>> _______________________________________________
>>>> Cialug mailing list
>>>> Cialug at cialug.org
>>>> http://cialug.org/mailman/listinfo/cialug
>>>>
>>>
>>>
>>>
>>> --
>>> Matthew Nuzum
>>> newz2000 on freenode, skype, linkedin, identi.ca and twitter
>>>
>>> "An investment in knowledge pays the best interest." -Benjamin Franklin
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Kenneth Younger III
>> Founder, Sheer Focus Inc.
>> Organizer, WordCamp Iowa
>> e: kenny at sheerfocus.com
>> p: (515) 367-0001
>> t: @kenny <http://twitter.com/kenny>
>>
>>
>>
>
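
A sketch of the toggle script suggested in the quoted message from Josh More, as an added example that is not part of the original thread. It uses the chmod variant and assumes the tree is owned by an admin account with the web server's group as its group; the function names and the `KEEP_WRITABLE` defaults are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the tree is owned by an admin
# account and its group is the web server's group (an assumption, e.g.
# www-data), so "write access for Apache" is the group write bit.

# Directories (relative to the WordPress root) that stay writable while
# locked. These defaults are assumptions; list what your plugins need.
KEEP_WRITABLE="${KEEP_WRITABLE:-wp-content/uploads wp-content/cache}"

# Refuse to recurse into anything that is not a WordPress root.
wp_check_root() {
    [ -f "$1/wp-config.php" ] && return 0
    echo "refusing: $1 has no wp-config.php" >&2
    return 1
}

# Open the update window: group may write, others never.
wp_unlock() {
    wp_check_root "$1" || return 1
    chmod -R g+w,o-w "$1"
}

# Close the window, then re-open only the keep-writable directories.
wp_lock() {
    wp_check_root "$1" || return 1
    chmod -R g-w,o-w "$1"
    for d in $KEEP_WRITABLE; do
        if [ -d "$1/$d" ]; then chmod -R g+w "$1/$d"; fi
    done
}

# Print anything group- or world-writable outside the keep list.
# Empty output means the tree is locked as intended.
wp_audit() {
    root=$1
    wp_check_root "$root" || return 1
    set --
    for d in $KEEP_WRITABLE; do
        set -- "$@" -path "$root/$d" -prune -o
    done
    find "$root" "$@" ! -type l \( -perm -020 -o -perm -002 \) -print
}

if [ $# -eq 2 ]; then
    case $1 in
        lock|unlock|audit) "wp_$1" "$2" ;;
        *) echo "usage: $0 lock|unlock|audit /path/to/wordpress" >&2; exit 2 ;;
    esac
fi
```

Run it as the tree's owner or as root: `unlock` before applying updates, `lock` afterwards, and `audit` from cron to catch a tree that was left open.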