[wp-hackers] Security in wordpress

Jeremy Clarke jer at simianuprising.com
Sun May 9 14:42:30 UTC 2010

For the record: The only truly safe wordpress install is one where the only
directories that apache can write to (regardless of whether its through
chmoding loose enough or giving apache direct access via chown) are the ones
that ABSOLUTELY MUST be writeable, i.e. */wp-content/uploads/, *and those
directories can't run any scripts. Any folder that is writeable by the
server should be *unable to process any scripts especially php.* You can
achieve this in your apache config using come arcane definitions about php.
Here's how I do it on a site to get you started, I don't fully understand it
all any more:

    <Directory /path/to/site/wp-content/uploads>
        AllowOverride None
        php_admin_flag engine off
        php_admin_value open_basedir none

You may not require absolute security but without these setups then there is
always a chance that someone could upload a exploit file using a hacked user
account then access it in the wp-config/uploads/ directory using their
browser. You need to make those directories inert for scripts, which
shouldn't be a problem as I don't think anyone expects PHP to be uploaded to
posts for any reason.

Jeremy Clarke
Code and Design | globalvoicesonline.org

More information about the wp-hackers mailing list