[wp-trac] [WordPress Trac] #56141: Enhance installer security
WordPress Trac
noreply at wordpress.org
Sat Sep 9 22:37:15 UTC 2023
#56141: Enhance installer security
--------------------------+-----------------------------
Reporter: smitka | Owner: (none)
Type: enhancement | Status: new
Priority: high | Milestone: Future Release
Component: Security | Version:
Severity: major | Resolution:
Keywords: dev-feedback | Focuses:
--------------------------+-----------------------------
Comment (by Michi91):
I would like to offer a different solution:
The hackers are running their db servers with public ip addresses.
My patch checks if the dbhost, that is defined during setup, is running in
private network address space. It supports IPs and hostnames and also
allows ENV defined network. The check is running AFTER a successful db
connection was established, but before wp-config.php is saved.
If the db host is not inside the private address space, the wp-config.php
needs to be created manually. Just like you have to do when the filesystem
is not writable.
Advantages:
- Doesn't require filesystem write permissions like your install key.
- Less complex
What do you think about this @smitka ? And of course what do the others
think?
From my experience db-servers are usually localhost or in a private
network. If someone is sceptical and thinks this solution could bother too
many users, maybe we could collect telemetry data and see what % is
not in a private address space?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56141#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
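One way the check proposed in the comment above could look in PHP, added here as an illustration; it is not Michi91's patch and not WordPress core code. The env variable name WP_PRIVATE_DB_NETWORKS, all function names, and the sample hosts and addresses in the demo are assumptions made for this example (the "public" addresses are documentation ranges).

```php
<?php
// Added illustration of the check described above; not the ticket's patch and
// not WordPress core code. The env variable WP_PRIVATE_DB_NETWORKS and the
// function names are assumptions made for this example.

const PRIVATE_NETWORKS = [
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16', // v4
    '::1/128', 'fc00::/7', 'fe80::/10',                                              // v6
];

/** True when the IPv4/IPv6 literal $ip lies inside the CIDR block $cidr ("net/prefix"). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$network, $prefix] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);
    $prefix = (int) $prefix;
    // Unparsable input, mixed address families or a bad prefix never match.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)
        || $prefix < 0 || $prefix > 8 * strlen($ipBin)) {
        return false;
    }
    $fullBytes = intdiv($prefix, 8);
    $restBits  = $prefix % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($restBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $restBits)) & 0xFF; // compare the leading bits of the next byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** Networks the operator declares private through the (assumed) env variable,
 *  e.g. WP_PRIVATE_DB_NETWORKS="100.64.0.0/10,2001:db8::/32". */
function env_private_networks(string $var = 'WP_PRIVATE_DB_NETWORKS'): array
{
    $raw = getenv($var);
    return $raw === false ? [] : array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

function is_private_ip(string $ip, array $extraNetworks = []): bool
{
    foreach (array_merge(PRIVATE_NETWORKS, $extraNetworks) as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Split a WordPress-style DB_HOST into [host, is_unix_socket]: "localhost",
 *  "db.internal:3306", "[::1]:3306", "fd12::1", "localhost:/var/run/mysqld/mysqld.sock". */
function parse_db_host(string $dbhost): array
{
    $dbhost = trim($dbhost);
    if (preg_match('#^([^:]*):(/.*)$#', $dbhost, $m)) {          // host:/path/to/socket
        return [$m[1] === '' ? 'localhost' : $m[1], true];
    }
    if (preg_match('#^\[([^\]]+)\](?::\d+)?$#', $dbhost, $m)) {  // [ipv6] or [ipv6]:port
        return [$m[1], false];
    }
    if (substr_count($dbhost, ':') > 1) {                        // bare IPv6 literal
        return [$dbhost, false];
    }
    return [explode(':', $dbhost, 2)[0], false];                // host or host:port
}

/** The installer check: every address the DB host resolves to must be private.
 *  Unix sockets and "localhost" are local by definition; an unresolvable name
 *  fails closed. $resolver lets tests inject an offline stand-in for DNS. */
function db_host_is_private(string $dbhost, ?callable $resolver = null): bool
{
    // Default resolver: gethostbynamel() only returns A (IPv4) records.
    $resolver = $resolver ?? static fn(string $host): array => gethostbynamel($host) ?: [];
    [$host, $isSocket] = parse_db_host($dbhost);
    if ($isSocket || strcasecmp($host, 'localhost') === 0) {
        return true;
    }
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolver($host);
    if ($addresses === []) {
        return false;
    }
    $extra = env_private_networks();
    foreach ($addresses as $ip) {
        if (!is_private_ip($ip, $extra)) {
            return false; // one public address is enough to refuse
        }
    }
    return true;
}

// Constructed demo: an offline resolver stands in for DNS; 203.0.113.0/24 and
// 198.51.100.0/24 are documentation ranges playing the role of public addresses.
$fakeDns = static fn(string $h): array => [
    'db.internal' => ['10.20.0.5'], 'db.example' => ['203.0.113.10'], 'mixed.example' => ['192.168.1.7', '198.51.100.4'],
][$h] ?? [];

foreach (['localhost', '127.0.0.1:3306', 'localhost:/var/run/mysqld/mysqld.sock', '[fd12::1]:3306',
          'db.internal', 'db.example', 'mixed.example', '203.0.113.10'] as $h) {
    printf("%-40s %s\n", $h, db_host_is_private($h, $fakeDns) ? 'private -> write wp-config.php' : 'not private -> create wp-config.php by hand');
}
```

In the installer flow this would run exactly where the comment places it: after the connection test succeeded and only as the gate on writing wp-config.php. Two caveats a reviewer would raise: gethostbynamel() returns IPv4 records only, so a dual-stack hostname needs an AAAA lookup (dns_get_record() with DNS_AAAA) supplied through $resolver; and a hostname is checked at install time but resolved again on every connection, so a name that later changes to a public address (DNS rebinding, or simply an edited record) is not caught by a one-time check, whereas an IP literal is.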