[wp-hackers] Disabling Tools->Export
zamoose at gmail.com
Wed Jun 27 13:30:50 UTC 2012
Get more trustworthy users?
On Wed, Jun 27, 2012 at 9:24 AM, Harry Metcalfe <harry at dxw.com> wrote:
> It's not so much that I'm concerned that it would happen maliciously -
> clearly, if they can install plugins, we're already screwed. It's more that
> a plugin we want to install might re-add the capability without us knowing.
> It is certainly not a major risk, but it is also not much work to mitigate
> it completely -- 3 lines of code and a paragraph on the codex.
> It just seems a bit fragile to use a plugin to enforce something that any
> other plugin could simply remove.
> On 27/06/12 14:19, Mike Little wrote:
>> Also Harry, if someone has the ability to load and activate plugins, they
>> have the ability to extract the DB credentials from wp-config.php and
>> their own DB dump code. So no flag in the core of WordPress would prevent
>> Put your code to disable the functionality (and hide the menu if it helps)
>> in a must use plugin (wp-content/mu-plugins), and make it non-writable by
>> any users of the system (apache or any ftp users) -- I usually make the
>> file owned by root and read only.
>> And don't allow any non-trusted users the ability to install plugins, by
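A must-use plugin of the kind Mike Little describes, as an added example that was not posted by anyone in this thread. The file name `disable-export.php` and the `wp_die()` message are assumptions; the WordPress hooks and functions used are core ones.

```php
<?php
/**
 * Plugin Name: Disable Tools -> Export (added example, not from the thread)
 *
 * Assumed location: wp-content/mu-plugins/disable-export.php
 * Per the advice quoted above, make the file owned by root and read-only
 * so neither the web server user nor FTP users can change or remove it.
 */

// Deny the 'export' capability on every check. Mapping it to 'do_not_allow'
// also covers multisite super admins, who bypass ordinary role capabilities.
// Running at the latest priority means a grant made by a plugin through
// roles or an earlier filter is still overridden here.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'export' === $cap ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, PHP_INT_MAX, 2 );

// Hide the Tools -> Export menu entry. This is cosmetic; the capability
// filter above is what actually enforces the restriction.
add_action( 'admin_menu', function () {
    remove_submenu_page( 'tools.php', 'export.php' );
}, PHP_INT_MAX );

// Refuse direct requests to wp-admin/export.php before the screen loads.
add_action( 'load-export.php', function () {
    wp_die( 'Export is disabled on this site.', '', array( 'response' => 403 ) );
} );
```

Must-use plugins load before regular plugins and cannot be deactivated from the admin screens, but a plugin that ships its own export code and does not check the `export` capability is unaffected by this, which is the limit Mike Little points out.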