[wp-hackers] protecting wp-content/plugins ?
Stephen Rider
wp-hackers at striderweb.com
Fri Aug 24 14:28:01 GMT 2007
So... if I'm a hacker, can't I just write a PHP script that defines
that constant and then includes or calls the exploitable plugin? (Or
would I have to somehow get my script onto your server?)
Stephen
On Aug 20, 2007, at 10:37 AM, Sam Bauers wrote:
>> The best way to protect against this is to test for some known
>> WordPress constant at the start of each plugin file, then if it is
>> not there you can return a 404 HTTP Response. E.g.:
>
> <?php
> ... plugin header ...
>
> // WordPress defines ABSPATH before it includes active plugins, so if it
> // is missing this file was requested directly rather than loaded by WP.
> if ( !defined('ABSPATH') ) {
>     $protocol = $_SERVER["SERVER_PROTOCOL"];
>     if ( ('HTTP/1.1' != $protocol) && ('HTTP/1.0' != $protocol) )
>         $protocol = 'HTTP/1.0';
>
>     // header()'s third (status code) argument only exists from PHP 4.3.0.
>     // No "return" in front of header() here, otherwise exit() below is
>     // never reached.
>     if ( version_compare( phpversion(), '4.3.0', '>=' ) ) {
>         @header( $protocol . ' 404 Not Found', true, 404 );
>     } else {
>         @header( $protocol . ' 404 Not Found' );
>     }
>
>     exit();
> }
>
> ... rest of plugin ...
> ?>
>
> This means direct requests for the file will fail, but when
> included as a plugin, it will continue as normal.
>
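The following is an added example, not code from the thread or from WordPress. It writes a plugin file carrying the ABSPATH guard to a temporary directory and runs it with the php CLI two ways: once directly (what a browser request for wp-content/plugins/guarded-plugin.php amounts to) and once after defining ABSPATH, which is how WordPress loads it. The plugin name, the path /var/www/html/ used as ABSPATH and the "plugin body executed" marker are all constructed for the demonstration. Note that the second case is also exactly what any other PHP file already on the same server can do, so the guard only stops direct HTTP requests; an attacker who can already run their own PHP there is not hindered by it.

```php
<?php
// direct-access-demo.php (added example; requires the php CLI on PATH)
$dir    = sys_get_temp_dir() . '/wp-guard-demo-' . getmypid();
mkdir($dir, 0700);
$plugin = $dir . '/guarded-plugin.php';

// A plugin file with the guard from the thread at the top. The guard reads
// SERVER_PROTOCOL with isset() because it is not set when run from the CLI.
$pluginSource = <<<'PHP'
<?php
/*
Plugin Name: Guarded Demo (constructed example)
*/
if ( ! defined( 'ABSPATH' ) ) {
    $protocol = isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
    if ( 'HTTP/1.1' !== $protocol && 'HTTP/1.0' !== $protocol ) {
        $protocol = 'HTTP/1.0';
    }
    @header( $protocol . ' 404 Not Found', true, 404 );
    exit;   // nothing below this line runs on a direct request
}

echo "plugin body executed\n";
PHP;
file_put_contents($plugin, $pluginSource);

// Run a command with the php CLI and return its trimmed output.
function run_cmd(string $cmd): string {
    $out = shell_exec($cmd . ' 2>&1');
    return $out === null ? '' : trim($out);
}

// Case 1: the file is the entry point, as with a direct HTTP request.
$direct = run_cmd('php ' . escapeshellarg($plugin));

// Case 2: ABSPATH is defined first and the file is included, as WordPress does
// (and as any other local PHP script could do just as easily).
$loader   = "define('ABSPATH', '/var/www/html/'); include " . var_export($plugin, true) . ';';
$included = run_cmd('php -r ' . escapeshellarg($loader));

printf("direct:   [%s]\n", $direct);
printf("included: [%s]\n", $included);

unlink($plugin);
rmdir($dir);
```

Run it as `php direct-access-demo.php`. The direct case produces no output because the guard exits before the plugin body, while the included case reaches the echo; on a real web server the direct case additionally carries the 404 status that the header() call sets, which the CLI cannot show.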