Hello,

Last week, my several websites attacked and hacked (hacker overwrites his file over original index.php file of xoops) easily :(

I opened a case to my hosting provider, and they said your all files have wrong file permission: 755 file permission (rwxr-xr-x) and they should be 644 (rwxr--r--) except directories of course. But nearly all XOOPS files comes from tar packages have 755 permissions.

Do you think do we need to remove executable permissions from ordinary files and does this make our websites safer?

My websites hacked by overwriting index.php file. If I change index.php's permission to 444 (r--r--r--), does this mean my website is safer?

Thanks

644 which is -rw-r--r-- is the correct permissions for files. Only the owner of the files have write permissions, and the owner should be the user that the server runs as (usually apache). If the server itself runs suphp then the owner should be the owner of the home directory the files reside.

755 is definately not right for file level permissions (however still does not allow write for group or others). I think I reported this at one time as another forum post.

mainfile.php should be 444.

So is it better to publish installation packages with 644 permissions instead of 755?

Yes.