WordPress auto-updates stupidity

Out of laziness, like many, I use WordPress for this blog. I did try others, but was disappointed (after my blog got hacked a few times), so I just use that.

WordPress has a long history of security issues. So upstream decided to preform automatic updates. This would have been a good thing if … automatic update didn’t completely mess my blog each and every single time.

On my hosting system, PHP scripts have to be chmod +x to be executed. Otherwise, there’s a error, and Apache wont execute the PHP script. The same way, an error will happen if a directory is world writable (eg: chmod 777). This is in order to prevent some of the most common hacks: a hacker finds a way to upload a PHP script (often via a “feature” of the hosted software), and then uses the uploaded script to do nasty things (like installing phishing sites, send spam, you name it…). Checking on these basic unix rights prevents uploaded scripts to be executed, and it’s normally a way harder for hackers to find a way to chmod the PHP scripts than it is to just upload it.

Unfortunately, WordPress, on each upgrade, is resetting these unix rights. Someone got to explain to me the reason why it absolutely needs to chmod 777 the hosted folders, and why it wouldn’t keep the chmod +x on the php scripts. Direct result? My blog often gets completely broken by these automated updates. And I didn’t find a way to disable them (if someone knows, please send me a quick email).

I have reported the bug upstream: https://core.trac.wordpress.org/ticket/27568