Patching wp-cache for more security

April 4, 2008 by Michael

I use wp-cache on all my blogs all the time. No need to wait until you get slashdotted or heised.

But wp-cache comes with a security flaw. It requires the webserver to have write access to $WP_HOME/wp-content/cache and to $WP_HOME/wp-content itself. The first part is perfectly reasonable, the second is not.

wp-cache creates its wp-cache-config.php there and then edits that file whenever you change its configuration.

wp-cache ships with a sample config file you can copy into place. After that, chmod the file to 660 or another mode that lets your webserver edit it. Please don’t give your webserver write access to $WP_HOME/wp-content, especially not in the face of the current attacks on WordPress bloggers as described here.

I assume you know what you’re doing in the next step. All recommendations are tested and working with wp-cache 2.1.2. Open the file wp-cache.php in your favorite editor, go to line 471 in the function wp_cache_verify_config_file and change the following code

if ( !is_writable($dir)) {
    echo "<b>Error:</b> wp-content directory (<b>$dir</b>) is not writable by the Web server.<br />Check its permissions.";
    return false;
}

to

/*
if ( !is_writable($dir)) {
    echo "<b>Error:</b> wp-content directory (<b>$dir</b>) is not writable by the Web server.<br />Check its permissions.";
    return false;
}
*/

Alternatively, you can use the file I prepared: wp-cache.php. Rename it from *.php.txt to *.php and replace the old file with it.

Read more about the attack on wp blogs here. It shows that the attackers create a subfolder inside your wp-content. So it’s essential to chmod this folder to 0755, or even better to 0555 if you’re paranoid, and only loosen it while you upload updates.
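To make the permission layout from the steps above (a writable cache directory and a writable wp-cache-config.php, but a wp-content directory the webserver cannot write to) easy to apply and to re-check after every plugin update, here is a small POSIX shell script. It is an added example, not part of the original post or of the wp-cache plugin. It assumes your blog files are owned by your own deploy user, that the webserver runs under the group named in WEB_GROUP (www-data by default), and that the webserver user is not the owner of wp-content. The verify function also covers what the commented-out is_writable() check no longer reports: if wp-cache-config.php is not group-writable, configuration changes would silently fail to save.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the wp-cache
# permission layout. Assumptions: files are owned by the deploy user, the web
# server runs as group $WEB_GROUP, and the web server is NOT the owner of
# wp-content (otherwise the owner write bit would still let it write there).

WEB_GROUP="${WEB_GROUP:-www-data}"

# Symbolic permission string of a path, e.g. "drwxr-xr-x" (first 10 chars of
# ls -ld, so ACL/xattr markers like "+" or "@" are ignored).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Apply the layout: wp-content read-only for group and others, the cache
# directory and wp-cache-config.php writable by the web server's group.
apply_wp_cache_perms() {
    wp_home="$1"
    content="$wp_home/wp-content"
    chmod 0755 "$content"     # use 0555 if you only open it up during updates
    # chgrp may fail where the group does not exist (e.g. a test box); the
    # mode checks below still work in that case.
    chgrp "$WEB_GROUP" "$content/cache" "$content/wp-cache-config.php" 2>/dev/null || true
    chmod 0775 "$content/cache"
    chmod 0660 "$content/wp-cache-config.php"
}

# Verify the layout. Returns 0 when wp-content has neither a group nor an
# "other" write bit and the two paths wp-cache needs are group-writable.
# Prints one line per problem otherwise and returns 1.
# Position 6 of the ls string is the group write bit, position 9 the
# "other" write bit.
verify_wp_cache_perms() {
    wp_home="$1"
    content="$wp_home/wp-content"
    rc=0

    p=$(perm_string "$content")
    case "$p" in
        ?????w*|????????w*)
            echo "PROBLEM: $content is group/other writable ($p)"; rc=1 ;;
    esac

    p=$(perm_string "$content/cache")
    case "$p" in
        ?????w*) ;;
        *) echo "PROBLEM: $content/cache is not group-writable ($p)"; rc=1 ;;
    esac

    p=$(perm_string "$content/wp-cache-config.php")
    case "$p" in
        ?????w*) ;;
        *) echo "PROBLEM: $content/wp-cache-config.php is not group-writable ($p)"; rc=1 ;;
    esac

    return $rc
}
```

Source the script and run `apply_wp_cache_perms /var/www/blog && verify_wp_cache_perms /var/www/blog` (path is an example). Re-running only the verify function after each WordPress or plugin update is the useful part: updaters and FTP clients tend to reset wp-content to group-writable, which is exactly the state the attacks described above rely on.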
