[wp-hackers] Security issues with multi user installation
R.J. Kaplan
just.be.happy at gmail.com
Thu Aug 10 18:21:47 GMT 2006
> The themes are a big security risk in WP, considering they are php
> files (and therefore, can execute any command on a unix level as
> the server). A precaution (though it offers very little protection)
> is to set up the multiple blogs to use separate databases (with
> different db_users and capabilities). This would prevent some blogs
> from messing around with other people's blogs.
>
> Also, I would recommend changing all .php files to read only by the
> server, except wp-content is extremely vulnerable. You could remove
> write access to wp-content, but users will never be able to upload
> their own themes.
>
What user capabilities would be the minimum for WordPress to be
functional?