[wp-hackers] Is disabling remote client access a good idea?
emmensetech at gmail.com
Tue Jun 24 19:57:48 GMT 2008
I tend to agree. I discovered this yesterday and posted it to FriendFeed
where there were also several negative reactions. Suggest that if it stays
turned off by default (I'm actually okay with this, Expression Engine does
the same thing) that there be some sort of notice in wp-admin (admin_notices
hook?) to alert recent upgraders of this setting. I will certainly cover it
in my 10 Things post too but not everyone reads that and a lot of people are
going to be, like, "WTF?!?!"
Communicate this change effectively.
On Tue, Jun 24, 2008 at 3:49 PM, Dan Coulter <dan at dancoulter.com> wrote:
> On Tue, Jun 24, 2008 at 2:30 PM, Daniel Jalkut <jalkut at red-sweater.com>
> > fraserspeirs: @danielpunkass Implies a lack of confidence in their own
> > code. Windows-esque.
> They aren't implying, he's inferring.
> It's common to disable services that you don't use. If you have a Linux
> server, you will only open up the services to the outside world that you
> actually need. Don't need FTP? Disable it. Don't need SSH? Disable it. I
> think that is the thinking here. Reduce the possible vectors of attack.
> I don't know what kind of stats there are about how many people use these
> interfaces. Anecdotally, I mentioned this change in an IRC chat and one of
> my friends said "huzzah!" This is a friend who has been simply deleting
> those interfaces every time he upgrades WordPress, because he has had
> security problems in the past (the distant past, in WP terms).
> Dan Coulter
> Hey, I got nothing to do today but smile
> -Simon and Garfunkel