
WP Toolkit, Problem with file permissions

kojot

Regular Pleskian
Hello,

I just wanted to follow this cool Advisor feature, and fix all suggestions one by one.
Until now I thought that all my WordPress instances were secured, because the status on all instances was "secured".
But after security scanning, I got "Danger" status, reported only file permissions problems.
I fixed again one by one, and again after security scanning, half of instances are with "danger" status.
Again after new scan, few instances got the same status again.

Why is this happening?
I guessed it was maybe about some caching plugin, but it is not, because on some of these sites there is no caching plugin.
 
Hello

I have the same problem. On some WordPress installations, the security status is displayed as "compromised".
I've already done a manual exam. Strangely, all folders (755) and files (644) are just right.

Would be nice if that could be fixed.

 
I have the same behavior on one of my test servers with a single WordPress instance: after every secure scan the status is danger, so I fix it, start the secure scan again, and the status is danger again.
CentOS Linux 7.5.1804 (Core)
Product Plesk Onyx Version 17.8.11 Update #11
WordPress Toolkit - version 3.2.2-946

Well, this issue seems to be related to WordPress Toolkit with Plesk Onyx 17.8.x; I do not have this behavior on other servers with Onyx 17.5.x

 
Could you please check the real permissions on the files and directories of your WordPress instance? Is there anything different from 644 for files and 755 for directories?
 
@Aleksey Filatev sure, I should have done this before :(
# find /var/www/vhosts/test.de/httpdocs/ -type d ! -perm 755 -o -type f ! -perm 644

/var/www/vhosts/test.de/httpdocs/wp-content/wflogs/ips.php
/var/www/vhosts/test.de/httpdocs/wp-content/wflogs/rules.php
/var/www/vhosts/test.de/httpdocs/wp-content/wflogs/config.php
/var/www/vhosts/test.de/httpdocs/wp-content/wflogs/attack-data.php
/var/www/vhosts/test.de/httpdocs/wp-config.php

-rw-r--r-- 1 test psacln 133 Sep 5 2017 .htaccess
-rw-r--r-- 1 test psacln 45130 Sep 5 2017 .listing
-rw-rw---- 1 test psacln 40083 Jun 15 05:35 attack-data.php
-rw-rw---- 1 test psacln 1016848 Jun 15 15:17 config.php
-rw-rw---- 1 test psacln 51 Jun 15 14:04 ips.php
-rw-rw-r-- 1 test psacln 128128 Jun 8 19:07 rules.php
-rw-r--r-- 1 test psacln 58247 Jun 8 19:07 wafRules.rules

So it looks like Wordfence is the problem in this case, because wp-config.php has 600 as it should be.
 
Yes, I also did not check the right file permissions from the shell.
I have Wordfence installed on all sites, and I believe that the file permissions hardening from Wordfence needs to be synced with Toolkit.
For example, why not have 600 on wp-config.php...
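
The following is an added example, not posted by any participant and not WP Toolkit's own logic: it classifies every path that deviates from the 644/755 baseline mentioned in the thread as stricter (such as 600 on wp-config.php), looser, or mixed (such as the 660 Wordfence log files), so a deviation that only removes access can be told apart from one that grants it. The function names and the sample tree are constructed for illustration, and it assumes a Linux stat(1) that supports -c.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux stat(1) with -c
# (GNU coreutils or busybox), as on the CentOS server discussed above.

# classify_mode TYPE MODE  ->  ok | stricter | looser | mixed
# TYPE is "d" for a directory, anything else for a file.
# MODE is the octal permission string, e.g. 660.
classify_mode() {
    if [ "$1" = d ]; then base=$((0755)); else base=$((0644)); fi
    mode=$(( 0$2 & 07777 ))
    extra=$(( mode & ~base ))      # bits granted beyond the baseline
    missing=$(( base & ~mode ))    # baseline bits that were removed
    if [ "$extra" -eq 0 ] && [ "$missing" -eq 0 ]; then echo ok
    elif [ "$extra" -eq 0 ]; then echo stricter   # e.g. 600 on wp-config.php
    elif [ "$missing" -eq 0 ]; then echo looser   # e.g. 664: group can write
    else echo mixed                               # e.g. 660: +group write, -other read
    fi
}

# make_sample_tree -> path of a constructed tree using modes seen in the thread
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/wp-content/wflogs" || return 1
    touch "$t/index.php" "$t/wp-config.php" \
          "$t/wp-content/wflogs/config.php" "$t/wp-content/wflogs/rules.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/wflogs"
    chmod 644 "$t/index.php"
    chmod 600 "$t/wp-config.php"
    chmod 660 "$t/wp-content/wflogs/config.php"
    chmod 664 "$t/wp-content/wflogs/rules.php"
    echo "$t"
}

# audit_tree DIR  ->  "<class> <mode> <path>" per path that is not 644/755.
# Paths containing newlines are not handled.
audit_tree() {
    find "$1" \( -type d ! -perm 755 -o -type f ! -perm 644 \) \
        -exec stat -c '%a %n' {} + |
    while read -r mode path; do
        if [ -d "$path" ]; then kind=d; else kind=f; fi
        echo "$(classify_mode "$kind" "$mode") $mode $path"
    done
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree) && audit_tree "$tree" && rm -rf "$tree"
```

Only the "looser" and "mixed" lines grant access beyond the baseline; a "stricter" line such as 600 on wp-config.php removes access and nothing else.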
 