[wp-hackers] Wordpress database encryption.

Dion Hulse (dd32) wordpress at dd32.id.au
Sun Nov 27 05:05:51 UTC 2011


On 27 November 2011 15:58, jackie sparks <jackie.craig.sparks at live.com> wrote:
>> 2nd, why are you hacking core instead of using the 'query' hook? The 'query' hook should allow you to transform the data in a manner which is exactly as it appears you would like.
>  Thank you for that suggestion. The query hook only works when making a plugin. I "think" these changes should be in the core. It would make it harder for someone to find the code instead of just browsing thru directory in the wp-content/plugins dir.

If someone has access to the code, they have access to the keys, and
therefore, can reproduce the query, resulting in any core vs plugin
question being moot.
The only advantage AES would be giving is preventing someone listening
in on the communication between WordPress and MySQL, or those who gain
access to MySQL (but not WordPress/PHP).
I believe MySQL has a SSL mode to prevent on-the-wire data being sniffed.

I would *not* be focusing on making a core patch for this, it's
something that's much better aimed at being a plugin (or a
wp-content/db.php Dropin file if it can't be done otherwise).
Security by obscurity of where the code is is pretty stupid too if you ask me.

> 3rd, you should consider renaming your function dbuserquerychk() with a prefix, maybe like jcs_dbuserquerychk() or acs3_dbuserquerychk() or similar.
>  Thank you. Why those function name prefixes? What purpose do they have?

Prefixing function names and/or namespacing them via classes is "best
practices" in order to prevent clashes between plugins (can't have
multiple plugins with the same function name, etc).

