[wp-hackers] Where Should Plugins Store Files?

Jeremy Clarke jer at simianuprising.com
Thu Sep 16 17:11:55 UTC 2010

On Tue, Sep 14, 2010 at 3:09 AM, Ryan Bilesky <rbilesky at gmail.com> wrote:

> I don't thing another directory for plugin data is necessary.  I personally
> use a sub-dir of uploads.  I see no reason why anyone whould have to use
> anythign diffrent.


Properly securing even one directory can involve many lines of
Apache/.htaccess config. Also when moving installations around within a
server the permissions can easily get lost and need to be reset. Having as
few deviations as possible from a standard (unwritable) is the best bet for
keeping things simple.

ALSO: On top of Jacob's strategy of having nothing writable except uploads,
it is also a good idea to disable execution of PHP files in that writable
dir. Otherwise if a hacker can manage to upload a php file (maybe disguised
as a .jpg or something) they can use it to exploit other parts of your

The upshot of this is that I hope no one is using their plugins to output
.php files into the writable directories they create, as they wouldn't work
on my site. I don't see any reason why doing so would make sense, but people
will try anything sometimes.

Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org

More information about the wp-hackers mailing list