[wp-hackers] protecting wp-content/plugins ?
Rob Miller
r at robm.me.uk
Mon Aug 20 16:16:13 GMT 2007
jacobsantos at branson.com wrote:
> Yes, the PLUGIN_DIR would work, except for that pesky function that
> looks for wp-content/plugins to test for plugin filename. I'm not
> exactly sure what would happen then. I'm sure this has been tested and
> known to work. In fact, I was contemplating trying it myself, since I
> have access outside of web root.
>
> I'll get back with my results. I think it might also be possible to
> move wp-includes, but I'm not sure what impact it would have on the js
> folders which must remain in www root.
>
> In this sense, it is completely up to the administrator to take proper
> action to avoid hackers. With as much as someone can do on their own,
> it can't be blamed on WordPress (but actually it can), it is just
> easier to just download and go. Not every host allows for folder
> access outside of www root, Dreamhost does, GoDaddy does not.
>
> Jacob Santos
There's also the potential to break lots of plugins, both ones that
hardcode `wp-content/plugins` and ones that reference web-accessible
stuff from their directories (images, form actions, etc.).
The former is perhaps bad practice, but I don't see how you can avoid
the latter.
--
Rob Miller
http://robm.me.uk/
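The two failure modes Rob lists (hardcoded `wp-content/plugins` paths, and web-accessible assets referenced from the plugin directory) can be illustrated side by side. The following is an added example, not code from this thread or from WordPress itself; it assumes the later WordPress helpers `plugin_dir_path()` and `plugins_url()` and the `WP_PLUGIN_DIR` / `WP_PLUGIN_URL` constants (the thread only mentions a `PLUGIN_DIR`), and the plugin name, paths and version are made up for the example.

```php
<?php
/*
 * Added example, not part of the wp-hackers thread. Assumes the WordPress
 * helpers plugin_dir_path() and plugins_url() plus the WP_PLUGIN_DIR and
 * WP_PLUGIN_URL constants, which an administrator sets in wp-config.php,
 * e.g. (constructed values):
 *   define( 'WP_PLUGIN_DIR', '/srv/wp-private/plugins' );   // outside web root
 *   define( 'WP_PLUGIN_URL', 'https://example.com/plugins' ); // still web-served
 */

// Fragile pattern: breaks as soon as the plugin directory is relocated,
// because both the filesystem path and the URL are spelled out literally.
// Shown only for contrast with the portable version below.
$fragile_path = ABSPATH . 'wp-content/plugins/example-plugin/lib/helper.php';
$fragile_url  = get_option( 'siteurl' ) . '/wp-content/plugins/example-plugin/js/widget.js';

// Portable pattern: derive both locations from this file's own position and
// from the configured constants, so moving the directory needs no plugin edits.
define( 'EXAMPLE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) ); // filesystem path, trailing slash
define( 'EXAMPLE_PLUGIN_URL', plugins_url( '', __FILE__ ) );  // web URL, no trailing slash

// PHP code can live anywhere the web server process can read it, even
// outside the document root, because it is only ever require'd.
require_once EXAMPLE_PLUGIN_DIR . 'lib/helper.php';

function example_plugin_enqueue_assets() {
    // Static assets are different: the browser fetches this URL directly, so
    // WP_PLUGIN_URL must point at a directory the web server really serves.
    // This is the constraint Rob raises; relocating the PHP does not remove it.
    wp_enqueue_script(
        'example-plugin-widget',
        EXAMPLE_PLUGIN_URL . '/js/widget.js',
        array(),
        '1.0',
        true
    );
}
add_action( 'wp_enqueue_scripts', 'example_plugin_enqueue_assets' );
```

A quick check after relocating the directory is to load a page with the plugin active and confirm both that the `require_once` succeeds (no fatal error in the PHP log) and that the enqueued script URL returns the file rather than a 404; a plugin that passes the first check but fails the second is one of the "web-accessible stuff" cases Rob describes.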