[wp-trac] [WordPress Trac] #60718: Awareness of permission after updating cores, themes and plugins
WordPress Trac
noreply at wordpress.org
Thu Mar 7 05:46:42 UTC 2024
#60718: Awareness of permission after updating cores, themes and plugins
-----------------------------+------------------------------
Reporter: Girishpanchal | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version: trunk
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
-----------------------------+------------------------------
Changes (by dd32):
* focuses: accessibility, performance, privacy =>
* component: Security => Upgrade/Install
Comment:
> This is the major security concern nowadays when people install/update
> plugins or themes on DEV/STAG/PROD after changing respective directory
> permission from 755 (7=rwx 5=r-x 5=r-x) to 777 (7=rwx 7=rwx 7=rwx)

If someone is changing permissions to allow installation of
plugins/themes, and then changing back afterwards, I'd say they're
managing the infrastructure improperly; that's not something that
WordPress expects an end-user to do.

To further complicate it, it's incredibly common for some hosting
environments which are secured through ACLs or suphp to have files
writable permanently by the running code, even though it might only have
600 style permissions.

IMHO, this is outside the scope of WordPress. Anyone having to change
permissions to install plugins should probably either a) configure PHP to
have writable access, b) not use WordPress to manage the plugins/themes
(I'd suggest they should be looking at `wp-cli`), or c) use the FTP/SSH
access methods instead.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60718#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
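
The two situations in this exchange (a directory left at 777, and files that stay writable by the running user despite 600-style modes) can be told apart with a short audit. The script below is an added example, not part of the ticket or of WordPress; the function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not WordPress code; all function names are hypothetical.

# Entries whose mode grants write to "other" (777, 666, ...).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Entries the invoking user can actually write. [ -w ] tests real access
# instead of reading the mode string, so an owner-only 600 file is listed.
list_effectively_writable() {
    find "$1" \( -type f -o -type d \) -print | sort |
    while IFS= read -r entry; do
        if [ -w "$entry" ]; then printf '%s\n' "$entry"; fi
    done
}

# Writable by the invoking user although not world-writable: the
# "600 style permissions, still writable by the running code" case.
list_quietly_writable() {
    ww=$(list_world_writable "$1")
    list_effectively_writable "$1" | while IFS= read -r entry; do
        if ! printf '%s\n' "$ww" | grep -Fxq -- "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Constructed sample tree: one directory left at 777 after an install,
# one plugin file at 600 owned by the user running this script.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/demo" "$root/wp-content/uploads"
    printf '<?php // constructed sample\n' > "$root/wp-content/plugins/demo/demo.php"
    chmod 755 "$root/wp-content" "$root/wp-content/plugins" "$root/wp-content/plugins/demo"
    chmod 777 "$root/wp-content/uploads"
    chmod 600 "$root/wp-content/plugins/demo/demo.php"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/wordpress   (run as the user PHP executes as)
if [ -d "${1:-}" ]; then
    echo "== world-writable =="
    list_world_writable "$1"
    echo "== writable by $(id -un), mode not world-writable =="
    list_quietly_writable "$1"
fi
```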