Lock folder for upload/edit

Discussion in 'General' started by itstudio7777, Feb 25, 2022.

  1. itstudio7777

    itstudio7777 Member

    Hello !

    I need help with locking of folders to stop hackers uploading files and editing files which are existing on it.

    My server is Apache2, ISPconfig 3 built on Debian10.

    I have website on Wordpress , but when I change with chown -R to root, Wordpress is not working correct.

    Is there any way to lock folders and files to stop uploading and editing them, without root permission from console ?
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    How are the files being uploaded? For FTP or SFTP, start with changing account passwords and removing any ssh keys. If via the wordpress site itself, is it via a user account and legitimate file upload function, or exploiting a vulnerability? Or some other avenue?

    Changing file/directory ownership correctly should be able to stop files from uploading, but as you note also breaks other functionality, so is not a solution to the actual problem you are dealing with.
  3. itstudio7777

    itstudio7777 Member

    My server is with FTP but I have deactivated all ftp accounts for websites and they are not accessible.

    Main problem is with editing the existing files - index.php, settings.php and wp-config.php.
    I have changed them to 600 but they can edit them again.

    I don’t have ssh keys.
    I have locked wp-admin with htacess file.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You'll have to identify how they are changing. I would look for cron jobs and watch web server logs to see what you find.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    One way might be to temporarily change the files to www-data user and group, that way, apache can read them but the website users can't alter them. And regarding the automatic changes, check cronjobs as @jesse mentioned, to list cronjobs for a website user:

    crontab -l -u webXX

    where XX is the ID of the website.
  6. itstudio7777

    itstudio7777 Member

    Problem is coming from cronjob, with wget command.

    Cron problem is fixed now, but I want to lock the folders and files like @till wrote.
    I dont know how to change them.
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    wp-config.php can be moved outside web, into private, and given a random filename.
    it contains details giving full access to the database, in my opinion, this file should never be in the website root folder.

    then just have a wp-config.php in /web which contains just:
    include __DIR__ . '../../private/<filename>;
    replacing <filename> with whatever random name you gave the file.

    part of the problem is that certain files, wp-config.php, .htaccess etc. that you want to protect, wordpress wants to be able to edit.
    wordfence will also complain if it can't edit some of those files.

    perhaps an option would be to have a script that monitors the website folders and sends an email warning when a file changes.
    remember to exclude monitoring cache folders though.
    actually if such a script could be standardised, it might be a good thing to have included in ispconfig, with an option to enable it in the website tab, with fields there to specify excluded folders, or files, and maybe an option to specify the email address to alert (if you want a different address to the account owner)
    itstudio7777 likes this.
  8. itstudio7777

    itstudio7777 Member

    Thank you for your advice !

    Am I understanding it correctly?
    You want to move wp-config.php to different folder and in main folder to add file with name wp-config.php which contains the code you provide me ?

  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    well, you don't have to... i'm not gonna force you to do it. ;)

    it's just there's certain files you don't want to be accessible by site visitors, and one containing the database username and password is certainly one of them. you can make it not world-readable, but it's possible wordpress may change the file and change the permissions when doing so... you can block access to it from .htaccess, but you can't really move that file anywhere else, and if they can access that, they can remove the block, you could put what you would put in there into the directives bit in the website options, but do you really want to be doing that yourself on every wordpress site?
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    site specific php/apache directives wouldn't work for that, as wp-config.php is php code (not php.ini config).
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ah, i meant the allow/deny rules to the wp-config.php file or the wp-admin folder that would normally be in the .htaccess file could be moved to the directives area, not any of the settings in wp-config.php
    Jesse Norell likes this.
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Ah, sorry, I misread/misunderstood that.
  13. itstudio7777

    itstudio7777 Member

    So, I can’t lock file changing and adding new files from console…

    what is the solution of this problem ?
    I changed passwords, tried the option to stop editing files from wp dashboard, change permission of files to be 600 but nothing work… everyday code is added to my wp-config and wp-settings
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It can be done. It was described in this thread, and anyway owner and permission changes with the usual commands and/or chattr can do it.
    But that may prevent the CMS from working properly when the lock is active.
  15. itstudio7777

    itstudio7777 Member

    How to do it ?
    With chown -R or with other command ?
  16. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    as already stated, chattr +i can make files/folders immutable, (unchangeable) but you're likely to find doing that indiscriminately is just going to break wordpress, and won't necessarily make the site safe anyway

    if the files / database already contain hacks, there's little point setting file permissions now.

    copy the entire site, as it is, into the private folder, and change all file/folder permissions on that copy, so only you can make changes.
    export the database to the private directory as well.
    drop the database and create a new blank database (same name) directly in mysql cli. change the username and password for the db user in ispconfig.
    wipe out all the wordpress stuff in /web, get it back to a clean slate, as if you've just created the site in ispconfig.
    re-download wordpress, all the plugins, and the theme from new, direct from wordpress.org, or the developers own sites.
    put the new database access details in the new wp-config.php file, along with new wordpress salts.
    remove any cron jobs for the site that seem dodgy, disable any that you're not sure about.

    check everything in the uploads folder. make sure image files really are images, not just name eg banner.png, but containing php scripts.
    once you sure everything in the uploads folder is clean, copy the uploads folder from the private copy, back into /web/wp-contents/
    make sure you correctly reset all the file/folder permissions. put a .htaccess file in the uploads folder, blocking the upload, or execution of php, js etc files.
    check everything in the database export. make sure there's nothing dodgy in there.
    once you're sure the database file is clean, re-import it into mysql.

    you should now have a clean, working wordpress site, check it thoroughly, and install something like wordfence, configure it to secure the site, then have it scan the whole site, make sure the results are clean.

    there are other things you can do, eg .htaccess, limit access to files, wp-admin folder, wp-includes folder etc. search google for something like 'hardening wordpress' and read through the results.

    once someone's got into a site, it's not just a case of cleaning up a few defaced pages, and locking down file permissions.
    ensuring a site really is clean, and no more backdoors have been added, and then securing everything properly, is a long and tedious process. i've just gone through a site that was hacked prior to them switching their hosting to us, and even getting new clean copies of the plugins and theme that i could get access to, it still involved two days of work checking everything and still having to manually clean out 230+ php and js files.
  17. itstudio7777

    itstudio7777 Member

    @nhybgtvfr thank you for detailed explanation.
    I will do it now, please give me example for htaccess for uploads and includes, for admin I know it.
    Also when I type crontab username -e : there is no active cronjobs, how to check it properly ?
  18. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    that should be enough for cron, you might want to check for root as well, and in /etc/cron.* make sure no-one with more rights than the site owner has added anything.

    for the .htaccess files, as i said, searching for hardening wordpress should give you plenty of examples, but the following links should help.


    you'll have to choose yourself which ones you want to use, there's some repetition, and differing examples for doing the same thing...
    you should apply and check each one individually as well, some of them could block/break required functionality
    itstudio7777 likes this.
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Wordfence has a lot of good information on their site including a guide for cleaning hacked sites. (Heck, paying them to clean the site isn't all that expensive and I think they guarantee it wont get reinfected for a year or something like that.)

    In all your cleanup, you really should try to identify and fix the vulnerability(ies) used to compromise the site in the first place, or it will likely just recur. Or maybe your general security measures will block the attack even though the vulnerability is still there, but do try to identify what the root cause is.

Share This Page