[wp-hackers] xmlrpc.php's location
Owen Winkler
ringmaster at midnightcircus.com
Fri Sep 17 20:39:30 UTC 2004
> >>I think .inc.php is a little safer (and seems to be convention in
> >>other packages) so they aren't sent as raw text in case something
> >>unexpected happens with your server.
> >>
> >
> >Either way, as long as .htaccess can nab 'em before they get spewed.
> >
> But doesn't that require that folks have their .htaccess files
> configured? It's another strain on the end user.

Yes, but if included files ended in .inc.php then they will execute
safely showing nothing, and can also be excluded entirely using a
mod_rewrite rule. So advanced users can prevent include files from
being executed at all.

Also, it might be handy to know at a glance which WP files are ok to
execute stand-alone and which are not. Using a .inc.php extension would
do this.

I have no preference.

Owen
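
The mod_rewrite exclusion described in the message above, as an added example that is not part of the original post or of WordPress's own configuration. It assumes an Apache server where .htaccess overrides are allowed and that include files follow the proposed .inc.php naming; the fallback block assumes Apache 2.4 access-control syntax.

```apache
# .htaccess in the site root (added example; file naming is the
# convention proposed in this thread, not an existing WordPress layout).

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Answer 403 Forbidden to any direct HTTP request for an include file.
    # PHP's include()/require() read the file from disk, so the
    # application itself is unaffected by this rule.
    RewriteRule \.inc\.php$ - [F,L]
</IfModule>

<IfModule !mod_rewrite.c>
    # Fallback when mod_rewrite is not loaded: deny by filename instead.
    <FilesMatch "\.inc\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

# Bare .inc files are the case the quoted poster is worried about:
# with no PHP handler mapped to .inc they are sent as raw source text.
# Deny them outright if any remain in the tree.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>
```

Without this file in place, a direct request for a .inc.php file still runs through the PHP handler rather than being returned as source, which is the default-safe behaviour the message relies on for users who never configure .htaccess.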