#28696 Recommended file permissions for htaccess

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 07 December 2017 17:17 CST

wynchcote
I have read recently in a couple of blog posts that Joomlers should set File Permissions for htaccess to 444.

What is your recommendation for:

htaccess file in Joomla! when someone is not using Admin Tools,

htaccess file created using htaccess make included with Admin Tools?

Example blog post:

https://www.itoctopus.com/10-reasons-why-your-joomla-website-got-hacked

Many thanks :)

nicholas
Akeeba Staff
Manager
The same as all other files: 0644. Anything else doesn't make sense: it won't stop a hacker with write access to your filesystem but it will frustrate you.

The notion of using 04xx is misguided. 0644 means that only the owner user, i.e. the same user you use for FTP/SFTP, can write to the file. I would argue that if an attacker has full, unfettered access to the one user account that has write access to your entire site your problems are far greater than your site being redirected to a different location because of a rogue and simple to detect .htaccess.

Like, if I was that hacker I'd probably add an innocuously named user plugin on your site which emails me the username, email and password of anyone logging into your site. Then I could try these credentials on other sites such as Amazon, eBay etc for profit. Or I could do the simple, lame and profitable thing of using your site as a spam hub, botnet node etc. I would certainly NOT modify your .htaccess to do something patently obvious to even the laziest site admin. But maybe that's just me :)

Moreover, if that hacker has full and unfettered access to that user account which owns the file they can, of course, override the 0400 permissions. It just requires two steps: step one, change permissions to 0644 (since the user owns the file they can change the permissions); step two, write to the file.

Whatever you read on the Internet, exercise critical thinking. Think about what the effects of the suggestion you read are. Think about what kind of possible attack that effect would mitigate. Think about the unintended consequences of the suggestion. For example, changing the permissions of .htaccess doesn't protect against any class of attack since it requires an attacker with write access to arbitrary files. Meanwhile, you'll have to use FTP or your site's control panel whenever you want to make a change to the site. This opens you to a whole different class of man-in-the-middle attacks and also increases the risk that a wrong copy-paste will bring your site down. Weigh the pros and cons and decide for yourself which risk is more acceptable, the one of action or the one of inaction. It's your decision, I can only help you to make it an informed one :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
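The two-step override described in the answer above, as an added demonstration that is not part of the ticket or of Admin Tools: a throwaway .htaccess is set to 0444, and the account that owns it simply restores 0644 and writes to it. The point for a site owner is that the mode bits on a file are not a boundary against the account that owns the file; only the file contents and the account's credentials are worth monitoring. The sample file and directory are constructed here; no real site files are touched.

```shell
#!/bin/sh
# Added demonstration (not code from the ticket): a 0444 .htaccess gives no
# protection against the account that owns it, because that account can chmod
# it back to 0644 and write to it, exactly the two steps described above.
# Everything happens in a temporary directory that is removed on exit.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
htaccess="$demo_dir/.htaccess"   # constructed sample file, not a real Joomla! file

# mode_of: the symbolic permission string of a file, e.g. "-rw-r--r--".
# Uses ls rather than stat so it works on both GNU and BSD userlands.
mode_of() { ls -l "$1" | cut -c1-10; }

# line_count: number of lines currently in the file (whitespace trimmed for BSD wc).
line_count() { wc -l < "$1" | tr -d ' '; }

# owner_can_override: the two-step override from the post. Returns 0 if the
# owning account could restore 0644 and append a line, 1 if either step failed.
owner_can_override() {
    f="$1"
    chmod 0644 "$f" 2>/dev/null || return 1              # step one: restore write permission
    printf '# appended by the owning account\n' >> "$f" || return 1   # step two: write to the file
    return 0
}

# Create the sample .htaccess and lock it down to 0444 as the blog posts suggest.
printf 'RewriteEngine On\n' > "$htaccess"
chmod 0444 "$htaccess"
echo "after chmod 0444: mode $(mode_of "$htaccess"), $(line_count "$htaccess") line(s)"

# Now do what an attacker holding the owner's credentials would do: undo it and write.
if owner_can_override "$htaccess"; then
    echo "owner restored 0644 and wrote to the file"
fi
echo "after override:   mode $(mode_of "$htaccess"), $(line_count "$htaccess") line(s)"

# A check that is actually useful for a defender: compare the file against a
# known-good copy (here a constructed reference) and report any drift, rather
# than relying on mode bits. Exit status 0 means unchanged, 1 means modified.
reference="$demo_dir/htaccess.reference"
printf 'RewriteEngine On\n' > "$reference"
htaccess_unchanged() { cmp -s "$1" "$2"; }
if htaccess_unchanged "$htaccess" "$reference"; then
    echo ".htaccess matches the reference copy"
else
    echo ".htaccess differs from the reference copy: investigate"
fi
```

The `htaccess_unchanged` check is the kind of thing Admin Tools-style file scanners do in bulk; keeping a known-good copy of .htaccess outside the web root and diffing it on a schedule detects the redirect-style tampering the thread mentions, which 0444 cannot prevent.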

wynchcote
Hi Nicholas,

Thank you for your time giving a really useful and informative answer to my question.

Great product + Great Support = Why I recommend AKEEBA ahead of any other security extension provider!

Thanks,

Ken :)

nicholas
Akeeba Staff
Manager
You're welcome! I am glad I could help :)

