: Is making my PHP files read-only a useful security measure? Up until now I've been "protecting" my website's PHP files by making them read-only with chmod. Is this a useful security tactic?
Up until now I've been "protecting" my website's PHP files by making them read-only with chmod.
Is this a useful security tactic? Or is it some "old wive's tale" and I'm wasting my time?
I'm inclined to think that anyone who is in a position to modify my PHP files could also chmod them (thus barely slowing down any would-be attacker). Or they could just create a new file somewhere (like a cache or upload directory). Thoughts?
The downside of implementing this technique is that I have to shell in and make the files writable every time I want to automatically update WordPress (or, really, make any changes to my site). So I update less often than I probably should. So, even if it's marginally useful, is it worth it?
More posts by @Fox8124981
2 Comments
Sorted by latest first Latest Oldest Best
If you also make the PHP files owned by some user other than the one that Apache runs as, then yes, you have blocked off one potential attack scenario. If you leave them owned by the Apache user then an attacker with Apache-level privileges (an example of this would be code injection or a remote file inclusion) would be able to chmod the files and edit them anyway.
This doesn't block off any other attack scenarios such as an attacker guessing your SSH password or finding a flaw that gives him root access.
If an attacker managed to get Apache-level privileges to your server but couldn't edit PHP files due to the ownership and permissions, it's likely that they would either do what they can to achieve their goals (say, upload a new script to the uploads directory or plant a .htaccess file somewhere) or use what access they have to escalate their privileges until they can edit the files.
If it's causing you to not update Wordpress as often as you should, then it's probably decreasing overall security. Out of date Wordpress is far worse than writable PHP files owned by the Apache user.
Linux has the notion of security groups, so you can set a file read-only to one group, but not another. It is going to be easier for an attacker to pretend to be any user, rather than users with more privilege, like root. If they manage to pretend to be a user with lesser privileges then they are not going to be able to chmod the files, whereas if you've left them writable to all users, then they can modify them.
So it's a good thing to do, but certainly not the only thing you can do.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.