Greenguy's Board

WP 2.5? (http://www.greenguysboard.com/board/showthread.php?t=46318)

ronnie 2008-04-07 10:29 PM

Am I missing something here? I just realized, it seemed the whole deal with setting the htaccess file to 777 was so WordPress could write the new htaccess file for you? It's always been like that.

Then again, when you set up permalinks, WP gives you the htaccess code, you just copy and paste it into your htaccess file and upload it.

Not much need to have a security hole so that WP can write the file instead of just doing it yourself.

Just like when I see people changing the file permissions on their theme files, so they can edit them in WP, when it's just as easy to do it with a web page editor.

Perfect example: someone hacked one of my blogs this AM (partly my fault, left a less than secure WP pass as it was). If all my files were editable (777), they could have done much more. They could have done little things that I might not even notice.

This was no 2.5 bug or error. :)

Or I missed something?

Maj. Stress 2008-04-07 11:26 PM

My copy of 2.5 did not give me any code to put in htaccess (and did not come with a htaccess file). I remember 1.5 did. |huh

walrus 2008-04-08 02:12 AM

Quote:

Originally Posted by Maj. Stress (Post 397035)
My copy of 2.5 did not give me any code to put in htaccess (and did not come with a htaccess file). I remember 1.5 did. |huh

WP hasn't come with a htaccess file for a while now. I can't remember a 2.x file that did.

I haven't upgraded to 2.5 yet but to my knowledge all WP versions will give you the htaccess code in permalinks when you try to set it if it cannot write to the file.

I agree with ronnie: why set anything writable if you don't absolutely have to?

Maj. Stress 2008-04-08 02:51 AM

Quote:

Originally Posted by walrus (Post 397037)
WP hasn't come with a htaccess file for a while now. I can't remember a 2.x file that did.

I haven't upgraded to 2.5 yet but to my knowledge all WP versions will give you the htaccess code in permalinks when you try to set it if it cannot write to the file.

I agree with ronnie: why set anything writable if you don't absolutely have to?

The copy of 2.5 that I installed gave me a warning without any code to put in htaccess. It said something about making my htaccess writeable.

I haven't installed WordPress in almost 2 years so this was all new to me.

Simon 2008-04-08 08:18 AM

Since a lot of people seem to be upgrading older (sometimes very old) WordPress installations, here are a couple of links that will help with securing your sites.

Three Tips to Protect Your WordPress Installation - Matt Cutts

Hardening WordPress - codex

And yes, make sure you change your htaccess permissions back to 644 as soon as possible if you ever need to make it world-writable by setting them to 777 temporarily. And really, if you leave any of your theme files writable by WordPress, or leave the standard 'admin' user with full admin rights, you can count on getting hacked at some point.

Also it's a good idea not to run more than one WP installation from one MySQL database. Sure, you can change prefixes for each install and run several from one database, but if you do get hacked at some point you're making it easy to take down all your blogs with one click.

Lots of good tips in the comments to Matt's article too, don't miss reading those.

HTH
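
The permission advice in this thread (644 rather than 777 on .htaccess, no world-writable theme files) can be checked with a short script. This is an added example, not part of any post in the thread; the function names are hypothetical, and wp-content/themes is assumed to be the theme directory under the blog root.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# wp-content/themes is assumed to be the theme directory under the blog root.

# Print a path's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List every path under the blog root with the "other" write bit set
# (777, 666, ...). Symlinks are skipped: their own mode bits are not enforced.
world_writable() {
    find "$1" ! -type l -perm -0002 -print | sort
}

# List only the world-writable theme files.
writable_theme_files() {
    [ -d "$1/wp-content/themes" ] || return 0
    find "$1/wp-content/themes" -type f -perm -0002 -print | sort
}

# Put .htaccess back to 644 after a temporary 777.
lock_htaccess() {
    [ -f "$1/.htaccess" ] || return 0
    chmod 644 "$1/.htaccess"
}

# Report findings; exit status 1 if anything is world-writable.
wp_perm_audit() {
    found=$(world_writable "$1")
    [ -z "$found" ] && { echo "OK: nothing world-writable under $1"; return 0; }
    echo "World-writable paths under $1:"
    echo "$found" | while IFS= read -r p; do
        printf '  %s  %s\n' "$(file_mode "$p")" "$p"
    done
    return 1
}

# Usage: sh wp-perm-audit.sh /path/to/blog
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```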

Maj. Stress 2008-04-08 03:53 PM

Excellent info Simon. Thanks for passing that along. |thumb

ronnie 2008-04-08 05:10 PM

Ya, that is true, they don't come with a htaccess file. I was thinking it still gives you the code to write to your htaccess file. My bad.

walrus 2008-04-08 10:23 PM

Quote:

Originally Posted by ronnie (Post 397167)
Ya, that is true, they don't come with a htaccess file. I was thinking it still gives you the code to write to your htaccess file. My bad.

It still does...at least 2.5. When you hit save changes, on the top of your screen it says you should update your htaccess file now but if you scroll to the very bottom it shows the code to update your file with.

Not very obvious |huh


All times are GMT -4.