[wp-hackers] Security issues with multi user installation

[Francis Reyes]

The themes are a big security risk in WP, considering they are php files 
(and therefore, can execute any command on a unix level as the server). 
As a precaution (though offers very little protection) is to setup the 
multiple blogs to use separate databases (with different db_users and 
capabilities). This would prevent some blogs from messing around with 
other people's blogs.

Also, I would recommend changing all .php files to read only by the 
server, except wp-content is extremely vulnerable. You could remove 
write access to wp-content, but users will never be able to upload their 
own themes.



FR


R.J. Kaplan wrote:
> Hi,
> I'm setting up a blog hosting site, and I really want the users to be 
> able to use their own themes, what are the different security risks 
> and implications to this?
> I am NOT using mu, rather a customized WP config file that gets the 
> right tables from the database based on the subdomain. currently it's 
> set up that the different blogs use different tables in the same 
> databse (with no shared tables) but I can seperate them to different 
> databases if that helps, though the db user will still be the same.
> ~Joe
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers