Your site is vulnerable to hackers who could do a lot of damage to the site. Please make your config file read only! If you are not the site admin, please contact a systems administrator and warn them about this message.
I get this message after installing ModX through the Script Installer. Since we can no longer change file permissions, any scripts installed on here that should have read-only access make your website more susceptible to getting hacked.
It’s not possible to make your config file read-only on our hosting.
My advice? Just ignore the message, it’s nowhere near as big a problem as they claim it is.
PHP code on our hosting is executed under the user of your account. This means that it has access to read and write to any file that you have access to (*). The alternative is to run PHP code under a shared system account, which is much less secure, and requires a lot more tinkering with file permissions and whatnot to make your website work.
The only way to block PHP from writing but not reading the file is to block YOU from writing to that file. And that means that you’ll never be able to modify that file ever again, without us having to manually reset it for you. And that’s not something we want to do for you.
Also, the security warning vastly overstates the severity of the issue. Hackers cannot just read and write arbitrary files on your account. They would need to get access to your website files in the first place, which requires a very severe security problem in your website code or them getting their hands on your account credentials. Regardless, if that happens, them modifying your configuration file is the least of your problems.
I agree that making website code and configuration immutable is good security practice, but it’s not really practical on shared hosting. If that level of security is of legitimate concern to you, you may want to ask yourself first if shared hosting (with websites from other people on the same server) is a good fit for your use case.
* We use open_basedir to ensure that code running on one domain of your account cannot access files from other domains on the same account.
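The following POSIX shell script is an added example, not code from the original thread or from the hosting provider. It makes the point of the answer above concrete: when PHP runs as the same Unix user that owns the files, a chmod-style "read-only" config file only stops programs that respect the mode bits voluntarily, because the owner can flip the bits back, or delete and recreate the file in a directory it owns. The temporary directory, the config file name and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread or the hosting provider).
# Shows that mode 444 on a file you own is not a security boundary against
# code running as you, which is how PHP runs on the hosting described above.
# The config path and its contents are constructed for this demo.

# Create a throw-away directory holding a fake config file set to mode 444.
make_readonly_config() {
    dir=$(mktemp -d) || return 1
    printf '<?php $database_password = "constructed-example";\n' > "$dir/config.inc.php"
    chmod 444 "$dir/config.inc.php"
    echo "$dir/config.inc.php"
}

# Prints "refused" if a direct write to the mode-444 file is rejected, or
# "allowed" otherwise (root ignores mode bits, so as root it prints "allowed").
direct_write_result() {
    cfg=$1
    if (printf 'overwritten\n' > "$cfg") 2>/dev/null; then
        echo allowed
    else
        echo refused
    fi
}

# Prints "bypassed" if the owner can turn the write bit back on and then write,
# which is exactly what PHP code running under the account user could do.
owner_bypass_result() {
    cfg=$1
    chmod u+w "$cfg" 2>/dev/null || { echo failed; return; }
    printf 'overwritten\n' > "$cfg" 2>/dev/null || { echo failed; return; }
    if grep -q '^overwritten$' "$cfg"; then
        echo bypassed
    else
        echo failed
    fi
}

# Prints "recreated" if, with the mode bits left at 444, the file can still be
# unlinked and replaced because the directory is writable by the same user.
unlink_and_replace_result() {
    cfg=$1
    chmod 444 "$cfg" 2>/dev/null
    rm -f "$cfg" 2>/dev/null || { echo failed; return; }
    printf 'replaced\n' > "$cfg" 2>/dev/null || { echo failed; return; }
    if grep -q '^replaced$' "$cfg"; then
        echo recreated
    else
        echo failed
    fi
}

# Run the three checks in order, then clean up the temporary directory.
run_demo() {
    cfg=$(make_readonly_config) || return 1
    echo "direct write:        $(direct_write_result "$cfg")"
    echo "owner chmod + write: $(owner_bypass_result "$cfg")"
    echo "unlink + recreate:   $(unlink_and_replace_result "$cfg")"
    rm -rf "$(dirname "$cfg")"
}

run_demo
```

Run as an ordinary user, the first check prints "refused" (the mode bits do stop a naive write), while the second and third print "bypassed" and "recreated": the same user that PHP runs as can undo the protection in one call, or sidestep it entirely via the writable directory. That is why the answer says the only real read-only setup is a file you cannot write to yourself, i.e. one owned by a different user, and why a warning that asks you to chmod your own config is not buying much on this kind of hosting. The open_basedir restriction mentioned in the footnote is a separate control: it limits which paths PHP may touch, but it does not change which user the code runs as.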