[wp-hackers] Where Should Plugins Store Files?
wordpress at santosj.name
Mon Sep 13 20:14:56 UTC 2010
This would break on my system. I specifically set the uploads directory with
"full" permissions meaning write / read by apache. No other directory has
these read / write permissions. The only reason that directory even has
permissions is because there are use cases (by users) where they will want
to upload files.
Actually, technically, it is impossible to even update plugins and themes
from the admin, the pages are there, but they fail because of permissions.
Not that this is completely secure, but it is enough that it will make it a
bit harder for exploits to take hold from writing to the file system.
Do note also that the only time I will enable permission for upload
directory is when a plugin notes, "Hey, I can't write to this directory. How
about helping me out here? Pretty please." If the pretty please isn't there
then I immediately disable the plugin and rewrite it to not suck.
On Mon, Sep 13, 2010 at 6:12 AM, Ryan McCue <lists at rotorised.com> wrote:
> Andrew Nacin wrote:
> > That's a bad idea. Then you lose that file on an upgrade.
> > You can use wp_mkdir_p($path) to create a folder. (The _p means it
> > to set permissions.) If fails, it will return a WP_Error object.
> What's the opinion on creating new subdirectories of wp-content, as
> opposed to being in existing directories (i.e.
> wp-content/plugin/file.html vs. wp-content/uploads/plugin/file.html)?
> I'm currently using the former for a couple of configuration options
> (overriding a template that the plugin uses, but optional), but the user
> creates the directory and file themselves.
> Are there any forseen problems to this sort of setup?
> Ryan McCue
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers