[wp-hackers] Disabling Tools->Export
Harry Metcalfe
harry at dxw.com
Wed Jun 27 13:24:46 UTC 2012
It's not so much that I'm concerned that it would happen maliciously -
clearly, if they can install plugins, we're already screwed. It's more
that a plugin we want to install might re-add the capability without us
knowing.
It is certainly not a major risk, but it is also not much work to
mitigate it completely -- 3 lines of code and a paragraph on the codex.
It just seems a bit fragile to use a plugin to enforce something that
any other plugin could simply remove.
On 27/06/12 14:19, Mike Little wrote:
> Also Harry, if someone has the ability to load and activate plugins, they
> have the ability to extract the DB credentials from wp-config.php and write
> their own DB dump code. So no flag in the core of WordPress would prevent
> that.
>
> Put your code to disable the functionality (and hide the menu if it helps)
> in a must use plugin (wp-content/mu-plugins), and make it non-writable by
> any users of the system (apache or any ftp users) -- I usually make the
> file owned by root and read only.
>
> And don't allow any non-trusted users the ability to install plugins, by any
> means.
>
>
> Mike
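As an added example (my own code, not Harry's, Mike's or WordPress core's), here is the must-use plugin Mike describes. It denies the `export` capability via the `map_meta_cap` filter so that a later plugin re-adding `export` to a role still has no effect, which addresses Harry's fragility concern; the filename is an assumption.

```php
<?php
/*
Plugin Name: Disable Tools -> Export (mu-plugin)
Description: Drop this file into wp-content/mu-plugins/ (assumed filename:
disable-export.php) and make it root-owned and read-only. Must-use plugins
load before regular plugins and cannot be deactivated from the admin UI.
*/

// Deny the 'export' capability for every user, whatever the roles say.
// WP_User::has_cap() routes every capability through map_meta_cap(), and
// this filter runs last, so a plugin that re-adds 'export' to a role still
// ends up with do_not_allow.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'export' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, PHP_INT_MAX, 2 );

// Hide the Tools -> Export menu entry. This is cosmetic; the capability
// check above is what actually blocks the feature.
add_action( 'admin_menu', function () {
    remove_submenu_page( 'tools.php', 'export.php' );
}, PHP_INT_MAX );

// Belt and braces: refuse wp-admin/export.php outright, so even a code
// path that skips current_user_can( 'export' ) cannot reach the exporter.
add_action( 'admin_init', function () {
    global $pagenow;
    if ( 'export.php' === $pagenow ) {
        wp_die(
            'Export is disabled on this site.',
            'Export disabled',
            array( 'response' => 403 )
        );
    }
} );
```

Verify it from an Administrator account: Tools -> Export should be gone, and requesting /wp-admin/export.php directly should return the 403 page rather than the export form.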