XF 2.0 Remove write protection to prevent hacking

[rag_gupta]

Today my xenforo forum got hacked. Hacker landed a php file: public/styles/default/xenforo/smilies/emojione/service.php

My simple tactis is to disable write protection to those directories where writing is not required at all.

So I want list of directories where Linux write permission is required. So that I can disable in those where it is not needed.

 

[Lukas W.]

data and internal_data must be writable, the rest can be executable only.

 

[Chris D]

Theoretically you can have your entire installation world writable and it wouldn't matter. Indeed you would already have at least two directories that are - data and internal_data. The former, specifically, is designed to be publicly accessible. If that was some sort of a risk, we wouldn't ask you to make it writable would we? And if it was writable, and you prevented it from being so, no longer would your users be able to upload avatars or attachments.

So, what I'm trying to say is, you're approaching this with the wrong priorities.

The key question is, how was your server hacked? Answering that question and putting methods in place to prevent that from happening is where you should be focusing your efforts.

 

[djbaxter]

Theoretically you can have your entire installation world writable and it wouldn't matter.

However, that may depend on your server configuration and policies. Making everything writable can lead to server 500 errors.