September 9, 2010
Nerdsonsite

The Danger of World-Write Permissions

It seems that nearly every week our Hosting Team runs into another outside developer who insists on assigning full write permissions to “everyone” (the world-writable ‘777’ mode) for their client’s website. Sometimes this happens with custom-built websites that are so poorly built the developer needs world-write permissions to make them run, but more often it happens with major, mainstream Content Management Systems such as Joomla, Drupal and WordPress.
Modern CMS websites are dynamic and are designed to be updated by clients with little or no web skills. Among the things clients will do with these new websites is upload images or videos, which means the web server process must be able to write into the site’s upload directory. Many web developers don’t understand how to configure these Content Management Systems to allow that for a single directory, by giving write access to the account or group the web server runs as, and instead reach for the dangerous and dreaded ‘777’ permissions on the whole site. Most developers have no concept of how dangerous these permissions are, and the vast majority have never run into a web host that resists allowing them.
Nerds On Site understands the dangers of giving “everyone” full write permissions, and thus we caution our clients against it, and our security monitoring system reduces these permissions in cases where the developer refuses to take charge of the situation. Drupal says: “The most dangerous and least secure option is to assign write access to ‘everyone.’ This option should be avoided at all costs.” Hackers love ‘777’ permissions because world-writable means exactly that: every account on the server can modify those files, so a break-in on any other site sharing the host, or any script already running under another local user, becomes a wide-open door into this website, free to overwrite its PHP files and configuration and to upload spam generators, spam bots, pornography and other malware.
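The two points above, finding the ‘777’ entries and allowing uploads without them, as an added shell example that is not code from the original post or from any CMS project. It builds a small constructed sample site, audits it for world-writable files and directories, then tightens it to the usual CMS layout: 755 directories, 644 files, and only the uploads directory writable by the web server’s group. The directory names, the `wp-content/uploads` path and the optional group name (`www-data` on many Debian-style hosts) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a CMS web root for
# world-writable ("777") entries and tighten it without giving "everyone" write.
# Paths, the uploads directory and the web server group are assumptions.
set -eu

# Print every world-writable file or directory under $1 (symlinks excluded).
# -perm -002 matches any entry whose "other write" bit is set.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten a web root. $1 = docroot, $2 = uploads directory inside it,
# $3 = optional group the web server runs as (e.g. www-data).
# Write access for uploads goes to that group, never to "everyone".
harden_docroot() {
    root=$1; uploads=$2; webgroup=${3:-}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -n "$webgroup" ]; then
        chgrp -R "$webgroup" "$uploads"
    fi
    # group-writable uploads dir; setgid keeps new files in the web group
    chmod 2775 "$uploads"
}

# Build a constructed sample site that mimics one a developer left at 777.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/themes/x"
    printf '<?php\n' > "$site/index.php"
    printf '<?php\n' > "$site/wp-content/themes/x/functions.php"
    printf 'define("DB_PASSWORD", "secret");\n' > "$site/wp-config.php"
    chmod -R 777 "$site"
    printf '%s\n' "$site"
}

# Demonstration run (no group argument, so it works on any machine).
site=$(make_sample_site)
echo "before: $(count_world_writable "$site") world-writable entries"
harden_docroot "$site" "$site/wp-content/uploads"
echo "after:  $(count_world_writable "$site") world-writable entries"
rm -rf "$site"
```

On a real host the audit line alone, `find /var/www -perm -002 ! -type l`, is what a monitoring job runs; the hardening step is only safe once the site's owner and the web server's group are known, because a wrong group on the uploads directory breaks uploads just as surely as ‘777’ exposes them.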
Clients shouldn’t need to understand these complex issues, nor should they have to lie awake at night wondering if their website is quietly running ‘777’ permissions, just waiting for a happy hacker to come along. The vast majority of hosting companies do not check for world-write permissions, and certainly do not correct them. If you host your website with a hosting provider other than Nerds On Site, please consider switching to a provider that will actively monitor for this situation, all free of charge. Contact us today!